[unisog] IRC botnet on 65.61.254.124

Michael Holstein michael.holstein at csuohio.edu
Tue Aug 31 17:55:37 GMT 2004


Server is 65.61.254.124 (in2net.com -- in Canada) port 19899.

ISP has been advised (abuse@ and leolam@ per their voice-operator).

Check your Netflows/Logs ...

Looks like we have active attempts after initial infection to spread it 
to other machines.

Michael Holstein CISSP GCIA
Cleveland State University
+1-216-875-9662 (voice)

-- snip --

NICK [BB]|702401526
USER fxjjabhbhn 0 0 :[BB]|702401526
:brownarmy6.net 001 [BB]|702401526 :Welcome to the brownarmy.NET IRC 
Network [BB]|702401526!fxjjabhbhn at csu-137-148-102-150.csuohio.edu
:brownarmy6.net 002 [BB]|702401526 :Your host is brownarmy6.net, running 
version Unreal3.2
:brownarmy6.net 003 [BB]|702401526 :This server was created Mon Jul 19 
2004 at 04:59:55 PDT
:brownarmy6.net 004 [BB]|702401526 brownarmy6.net Unreal3.2 
iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT
:brownarmy6.net 005 [BB]|702401526 MAP KNOCK SAFELIST HCN MAXCHANNELS=15 
MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 
:are supported by this server
:brownarmy6.net 005 [BB]|702401526 WALLCHOPS WATCH=128 SILENCE=15 
MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ 
CHANMODES=beqa,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=brownarmy.NET 
CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
:brownarmy6.net 251 [BB]|702401526 :There are 1 users and 1016 invisible 
on 1 servers
:brownarmy6.net 253 [BB]|702401526 1 :unknown connection(s)
:brownarmy6.net 254 [BB]|702401526 8 :channels formed
USERHOST [BB]|702401526
:brownarmy6.net 255 [BB]|702401526 :I have 1017 clients and 0 servers
:brownarmy6.net 265 [BB]|702401526 :Current Local Users: 1017  Max: 1018
:brownarmy6.net 266 [BB]|702401526 :Current Global Users: 1017  Max: 1018
:brownarmy6.net 422 [BB]|702401526 :MOTD File is missing
:[BB]|702401526 MODE [BB]|702401526 :+ix
MODE [BB]|702401526 -x+B+i
JOIN ##3du# 3nt3r
MODE ##3du# +n+t+s+m
:brownarmy6.net 302 [BB]|702401526 
:[BB]|702401526=+fxjjabhbhn at csu-137-148-102-150.csuohio.edu
:brownarmy6.net NOTICE [BB]|702401526 :BOTMOTD File not found
:[BB]|702401526 MODE [BB]|702401526 :-x+B
:[BB]|702401526!fxjjabhbhn at csu-137-148-102-150.csuohio.edu JOIN :##3du#
:brownarmy6.net 332 [BB]|702401526 ##3du# :+advscan dcom135 100 3 0 -b -r -s
:brownarmy6.net 333 [BB]|702401526 ##3du# bcuzZ 1093788403
:brownarmy6.net 353 [BB]|702401526 @ ##3du# :[BB]|702401526
:brownarmy6.net 366 [BB]|702401526 ##3du# :End of /NAMES list.
:brownarmy6.net 482 [BB]|702401526 ##3du# :You're not channel operator
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PRIVMSG #exploit :[TFTPD]: File transfer started to IP: 137.148.103.86 
(C:\WINDOWS\System32\soundblaster.exe).
:brownarmy6.net 401 [BB]|702401526 #exploit :No such nick/channel
PRIVMSG #exploit :[TFTPD]: File transfer complete to IP: 137.148.103.86 
(C:\WINDOWS\System32\soundblaster.exe).
:brownarmy6.net 401 [BB]|702401526 #exploit :No such nick/channel
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
PING :brownarmy6.net
PONG :brownarmy6.net
:brownarmy6.net 401 [BB]|702401526 #exploit :No such nick/channel
:brownarmy6.net 401 [BB]|702401526 #exploit :No such nick/channel
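As an added example (not part of the original post), a small Python parser that walks a capture in the shape above and pulls out what a responder needs to scope the infection: the bot nick, the channel it joins, the channel topic that doubles as the bot's standing order, and the TFTP transfer notices with the target IP and dropped file path. The sample lines are copied from the session above with the mail-wrapped lines rejoined; the leading "+" as a topic-command marker is an assumption drawn from this one capture.

```python
import re

# Sample lines copied from the captured session above (wrapped lines rejoined).
SAMPLE_LOG = r"""
NICK [BB]|702401526
USER fxjjabhbhn 0 0 :[BB]|702401526
JOIN ##3du# 3nt3r
:brownarmy6.net 332 [BB]|702401526 ##3du# :+advscan dcom135 100 3 0 -b -r -s
PING :brownarmy6.net
PONG :brownarmy6.net
PRIVMSG #exploit :[TFTPD]: File transfer started to IP: 137.148.103.86 (C:\WINDOWS\System32\soundblaster.exe).
PRIVMSG #exploit :[TFTPD]: File transfer complete to IP: 137.148.103.86 (C:\WINDOWS\System32\soundblaster.exe).
"""

# Status line the bot reports after pushing its binary to a newly hit host.
TFTP_RE = re.compile(r"\[TFTPD\]: File transfer (started|complete) to IP: (\S+) \((.+)\)\.")

def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params); trailing ':' text is the last param."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    body, sep, trailing = line.partition(" :")
    params = body.split()
    if sep:
        params.append(trailing)
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]

def extract_indicators(text):
    """Walk a capture and collect the indicators worth checking against netflow/logs."""
    ind = {"nick": None, "channels": set(), "topic_commands": [], "tftp_transfers": []}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        _, cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and params:
            ind["nick"] = params[0]
        elif cmd == "JOIN" and params:            # client JOIN or server echo of it
            ind["channels"].add(params[0])
        elif cmd == "332" and len(params) >= 3:   # RPL_TOPIC: topic carries the bot's order
            channel, topic = params[1], params[-1]
            if topic.startswith(("+", ".", "!")): # assumed command-prefix convention
                ind["topic_commands"].append((channel, topic))
        elif cmd == "PRIVMSG" and params:
            m = TFTP_RE.search(params[-1])
            if m:                                 # (phase, victim IP, dropped path)
                ind["tftp_transfers"].append((m.group(1), m.group(2), m.group(3)))
    return ind

if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_LOG).items():
        print(key, value)
```

The victim IPs in `tftp_transfers` are the hosts to pull from netflow next; the `topic_commands` entry shows which exploit module and scan parameters the herder set for the channel.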


