[Intrusions] IRC Bot traffic?
Scott Mcintyre
security at isnnetworks.net
Wed Mar 23 19:18:14 GMT 2005
XDCC bots is what they are called.
It's a program called IRoffer. What they do is the attacker uploads
files to serve to IRC users who just download using your bandwidth.
They are commonly used for warez, i.e. the latest movies, applications,
etc. So check over your system.
-Scott Mcintyre
> I found some IRC traffic on port 4500 with my IDS. I grabbed some
> pcaps and it looks like an IRC bot...(?)
> Has anyone seen something like this before?
>
> Spoilare!Spoilare at 101Freedom-1737844C.cinci.rr.com JOIN :#101-FREEDOMXDCC
>
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> :[CrooK]!killrbeats at 101Freedom-34DC74B3.sympatico.ca QUIT :Ping
> timeout - Oxygen.101-Freedom
>
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> :loek!pol at 324EC007.42B23495.1CF33FDF.IP JOIN :#101-FREEDOMXDCC
>
> :LastMetalWarrior!LastMetalWar at 101Freedom-3A40D27A.sunsh1.vic.optusnet.com.au
> JOIN :#101-FREEDOMXDCC
>
> :pipi!pipi at 101Freedom-2FCDBB21.adsl.highway.telekom.at QUIT
> :Connection reset by peer
>
> NICK [101]14667
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> :Clone_Kicker!gulf-vet at 101Freedom-3C80D61C.dsl.mindspring.com QUIT
> :Ping timeout - Oxygen.101-Freedom
>
> :loek!pol at 324EC007.42B23495.1CF33FDF.IP QUIT :loek
>
> :chillbleezy!chillbleez at 101Freedom-15192390.client.comcast.net JOIN
> :#101-FREEDOMXDCC
>
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> :nojonesde!nojonesde at 101Freedom-30B85776.dip.t-dialin.net QUIT :Ping
> timeout - Switch.Bladez.101-Freedom
>
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> NICK [101]14667
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> :MR_G!MR_G at 101Freedom-34194265.ipt.aol.com QUIT :Ping timeout -
> Oxygen.101-Freedom
>
> :saalbr!kev at 101Freedom-237F4E58.dyn.optonline.net QUIT :Ping timeout -
> Oxygen.101-Freedom
>
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> :.**. ..15...14::: .8XDCC Bot Online .14:::.15.. .**.
>
> :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> :.**. 1 pack .**. 0 of 2 slots open, Queue: 6/30, Record: 81.9KB/s
>
> :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> :.**. Bandwidth Usage .**. Current: 77.4KB/s, Record: 89.0KB/s
>
> :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> :.**. To request a file, type "/msg [101]00111 xdcc send #x" .**.
>
> :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> :.**. To request details, type "/msg [101]00111 xdcc info #x" .**.
>
> :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> :.#1 . 7x [1.1G] ..4,8 MoViE .1,1 .12,11 Hostage.TS-LRC
>
> :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> :.**. ..15...14::: .4Rooted By The Best - Leeched By The Rest
> .14:::.15.. .**.
>
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> :Total Offered: 1076.0 MB Total Transferred: 12.45 GB
>
> :Corleonne!rockwilder4e at 1BDEB49F.E95925FE.7B1EBDD6.IP JOIN :#101-FREEDOMXDCC
>
> PING XDCC.101-Freedom
> :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
>
> :jackieee!jackie at 101Freedom-1403D636.danbry01.ct.comcast.net JOIN
> :#101-FREEDOMXDCC
>
> :u3!u3 at 101Freedom-1DC8D13C.dip.t-dialin.net QUIT :Ping timeout -
> Switch.Bladez.101-Freedom
>
> :Thirion!Thirion at 101Freedom-1595BE35.dip0.t-ipconnect.de JOIN :#101-FREEDOMXDCC
>
> NICK [101]14667
> PING XDCC.101-Freedom
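An added example, not part of the original thread: a triage check for the kind of stream quoted above, which flags IRC protocol lines on an unexpected port, lists who is posting XDCC advertisements, and separates a host that only sits in the channel from one that advertises itself. The (direction, line) record format, the IRC_PORTS set, and the sample hostnames are assumptions; the sample lines are constructed from the capture in the post.

```python
import re

# IRC line: optional ":nick!user@host " prefix, then a command seen in the capture.
IRC_LINE = re.compile(r"^(?::(?P<nick>[^!\s]+)\S* +)?"
                      r"(?P<cmd>PING|PONG|NICK|JOIN|QUIT|PRIVMSG)\b ?(?P<rest>.*)")
# mIRC formatting bytes (colour, bold, reset, reverse, underline) hide keywords.
MIRC_CODES = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1f]")
# Phrases taken from the XDCC advertisement in the quoted capture.
XDCC_ADS = {
    "bot_online": re.compile(r"XDCC Bot Online", re.I),
    "slots": re.compile(r"\d+ of \d+ slots open", re.I),
    "request": re.compile(r"xdcc (?:send|info) #", re.I),
    "totals": re.compile(r"Total Offered:.*Total Transferred:", re.I),
}
IRC_PORTS = {6667, 6697}  # assumption: ports this site expects IRC on

def analyze_stream(server_port, records):
    """records: (direction, line) pairs; "out" means sent by the monitored host."""
    irc_lines, local_nick, advertisers = 0, None, {}
    for direction, raw in records:
        m = IRC_LINE.match(MIRC_CODES.sub("", raw.rstrip("\r\n")))
        if not m:
            continue
        irc_lines += 1
        if direction == "out" and m["cmd"] == "NICK":
            local_nick = m["rest"].lstrip(":").strip()
        if m["cmd"] == "PRIVMSG":
            hits = {name for name, rx in XDCC_ADS.items() if rx.search(m["rest"])}
            if hits:
                # Client-originated lines carry no prefix, so "out" means local.
                sender = "<local>" if direction == "out" else (m["nick"] or "<unknown>")
                advertisers.setdefault(sender, set()).update(hits)
    return {
        "irc_on_odd_port": irc_lines >= 3 and server_port not in IRC_PORTS,
        "local_nick": local_nick,
        "advertisers": advertisers,
        "local_host_serving": "<local>" in advertisers,
    }

# Constructed sample modelled on the capture (hostnames are placeholders).
CHAN = "#101-FREEDOMXDCC"
BOT = ":[101]00111!XDCC@bot.example PRIVMSG " + CHAN + " :"
SAMPLE = [
    ("out", "NICK [101]14667"),
    ("in", ":XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667"),
    ("in", BOT + "\x0314:::\x038XDCC Bot Online\x0314:::"),
    ("in", BOT + "** 1 pack ** 0 of 2 slots open, Queue: 6/30"),
    ("in", BOT + '** To request a file, type "/msg [101]00111 xdcc send #x" **'),
]
```

Calling analyze_stream(4500, SAMPLE) reports IRC on an unexpected port with the advertisements coming from another nick; local_host_serving becomes true only when an advertisement line is sent by the monitored host itself.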