[Intrusions] IRC Bot traffic?

eltra1n larry.wichman at gmail.com
Thu Mar 24 16:46:54 GMT 2005


This is interesting. We ran our AV and a few different spyware
catchers against it and nothing was picked up. We stopped seeing the
traffic once MSN Messenger was removed from the machine.


On Wed, 23 Mar 2005 13:18:14 -0600, Scott Mcintyre
<security at isnnetworks.net> wrote:
> XDCC bots is what they are called.
> 
> It's a program called IRoffer.  What they do is the attacker uploads
> files to serve to IRC users, who just download using your bandwidth.
> They are commonly used for warez, i.e. the latest movies, applications
> etc.  So check over your system.
> 
> -Scott Mcintyre
> 
> > I found some IRC traffic on port 4500 with my IDS. I grabbed some
> > pcaps and it looks like an IRC bot...(?)
> > Has anyone seen something like this before?
> >
> > Spoilare!Spoilare at 101Freedom-1737844C.cinci.rr.com JOIN :#101-FREEDOMXDCC
> >
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > :[CrooK]!killrbeats at 101Freedom-34DC74B3.sympatico.ca QUIT :Ping
> > timeout - Oxygen.101-Freedom
> >
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > :loek!pol at 324EC007.42B23495.1CF33FDF.IP JOIN :#101-FREEDOMXDCC
> >
> > :LastMetalWarrior!LastMetalWar at 101Freedom-3A40D27A.sunsh1.vic.optusnet.com.au JOIN :#101-FREEDOMXDCC
> >
> > :pipi!pipi at 101Freedom-2FCDBB21.adsl.highway.telekom.at QUIT
> > :Connection reset by peer
> >
> > NICK [101]14667
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > :Clone_Kicker!gulf-vet at 101Freedom-3C80D61C.dsl.mindspring.com QUIT
> > :Ping timeout - Oxygen.101-Freedom
> >
> > :loek!pol at 324EC007.42B23495.1CF33FDF.IP QUIT :loek
> >
> > :chillbleezy!chillbleez at 101Freedom-15192390.client.comcast.net JOIN
> > :#101-FREEDOMXDCC
> >
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > :nojonesde!nojonesde at 101Freedom-30B85776.dip.t-dialin.net QUIT :Ping
> > timeout - Switch.Bladez.101-Freedom
> >
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > NICK [101]14667
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > :MR_G!MR_G at 101Freedom-34194265.ipt.aol.com QUIT :Ping timeout -
> > Oxygen.101-Freedom
> >
> > :saalbr!kev at 101Freedom-237F4E58.dyn.optonline.net QUIT :Ping timeout - Oxygen.101-Freedom
> >
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> > :.**. ..15...14::: .8XDCC Bot Online .14:::.15.. .**.
> >
> > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> > :.**. 1 pack .**.  0 of 2 slots open, Queue: 6/30, Record: 81.9KB/s
> >
> > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> > :.**. Bandwidth Usage .**. Current: 77.4KB/s, Record: 89.0KB/s
> >
> > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> > :.**. To request a file, type "/msg [101]00111 xdcc send #x" .**.
> >
> > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> > :.**. To request details, type "/msg [101]00111 xdcc info #x" .**.
> >
> > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> > :.#1 . 7x [1.1G] ..4,8 MoViE .1,1 .12,11 Hostage.TS-LRC
> >
> > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> > :.**. ..15...14::: .4Rooted By The Best - Leeched By The Rest
> > .14:::.15.. .**.
> >
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC
> > :Total Offered: 1076.0 MB  Total Transferred: 12.45 GB
> >
> > :Corleonne!rockwilder4e at 1BDEB49F.E95925FE.7B1EBDD6.IP JOIN :#101-FREEDOMXDCC
> >
> > PING XDCC.101-Freedom
> > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> >
> > :jackieee!jackie at 101Freedom-1403D636.danbry01.ct.comcast.net JOIN
> > :#101-FREEDOMXDCC
> >
> > :u3!u3 at 101Freedom-1DC8D13C.dip.t-dialin.net QUIT :Ping timeout -
> > Switch.Bladez.101-Freedom
> >
> > :Thirion!Thirion at 101Freedom-1595BE35.dip0.t-ipconnect.de JOIN :#101-FREEDOMXDCC
> >
> > NICK [101]14667
> > PING XDCC.101-Freedom
> >
> >
> > --
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> >
> >
> 


-- 
Lawerence A. Wichman
2719 W Thomas Apt 2
Chicago, Il 60622
773-807-7606
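As an added example that is not part of this thread, a small Python detector that parses raw IRC lines and scores the XDCC indicators visible in the capture quoted above (channel and server names built around "XDCC", pack advertisements, and the "xdcc send"/"xdcc info" request syntax). The indicator heuristics and the two-indicator threshold are my own assumptions, and the obfuscated "at" in the quoted hostmasks is restored to "@".

```python
"""Flag XDCC/IRoffer-style bot chatter in captured IRC lines (added example,
not from the thread). Sample lines are reconstructed from the quoted capture
with "at" restored to "@"; the indicator heuristics are my own assumptions."""
import re
from collections import Counter

SAMPLE_LINES = [  # reconstructed from the pcap excerpt quoted in the thread
    ":Spoilare!Spoilare@101Freedom-1737844C.cinci.rr.com JOIN :#101-FREEDOMXDCC",
    "PING XDCC.101-Freedom",
    ":XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667",
    ":[101]00111!XDCC@115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC "
    ":.**. ..15...14::: .8XDCC Bot Online .14:::.15.. .**.",
    ":[101]00111!XDCC@115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC "
    ":.**. 1 pack .**.  0 of 2 slots open, Queue: 6/30, Record: 81.9KB/s",
    ":[101]00111!XDCC@115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC "
    ':.**. To request a file, type "/msg [101]00111 xdcc send #x" .**.',
    ":pipi!pipi@101Freedom-2FCDBB21.adsl.highway.telekom.at QUIT :Connection reset by peer",
]

# Assumed indicator text: IRoffer request syntax and pack/slot advertisements.
XDCC_TEXT = re.compile(r"xdcc\s+(send|info|list)|xdcc bot online|\bslots? open\b|\bpack\b", re.I)

def parse_irc_line(line):
    """Split a raw IRC line into (prefix, command, params, trailing); None if empty."""
    prefix = trailing = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return (prefix, parts[0].upper(), parts[1:], trailing) if parts else None

def xdcc_indicators(line):
    """Return the indicator names one line triggers (empty list if none)."""
    parsed = parse_irc_line(line)
    if parsed is None:
        return []
    prefix, command, params, trailing = parsed
    hits = []
    if command == "JOIN" and "xdcc" in (trailing or " ".join(params)).lower():
        hits.append("join-xdcc-channel")
    if command in ("PING", "PONG") and any("xdcc" in p.lower() for p in params):
        hits.append("xdcc-named-server")
    if command == "PRIVMSG" and XDCC_TEXT.search(trailing):
        hits.append("pack-advertisement")
    return hits

def assess_capture(lines, threshold=2):
    """Count indicators over a capture; the verdict needs `threshold` distinct kinds."""
    counts = Counter(h for ln in lines for h in xdcc_indicators(ln))
    return {"indicators": dict(counts), "likely_xdcc_bot": len(counts) >= threshold}
```

Feed it the decoded payload lines from a pcap (for example the output of a TCP stream follow) and the per-indicator counts show which behaviour, not just the port, drove the verdict.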


