[unisog] ET DROP Known Bot C&C Server Traffic --> 216.8.177.23
Arthur Boos Jr
boos at cpd.ufrgs.br
Fri Jul 11 18:05:57 GMT 2008
Hi Steve,
With tons of domains resolving to that IP, it's possible to trigger
the rule just by loading a malicious page. I found one when I was
googling. Usually, an infected computer tries to connect to a C&C server
on a regular basis, am I right? But most of my systems triggered
that sid just once (or twice, on one occasion), so there isn't much
traffic to see. Maybe I should take a look at those system processes...
again.
Thanks,
Arthur
UFRGS - BR
Universidade Federal do Rio Grande do Sul
Stephen Gill wrote:
> Hi Arthur,
>
>> Since some weeks ago, we started getting many hits on rule
>> "ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
>> with traffic going to 216.8.177.23 (ports 25, 80 and 443).
>> The related packet is:
>>
>> 07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 216.8.177.23:80
>> TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
>> ******S* Seq: 0x74043F2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
>> TCP Options (4) => MSS: 1460 NOP NOP SackOK
>>
>> I ran some antivirus online on a few machines, but I could
>> not detect any bot infection. Has anyone got false positives
>> on events hitting that rule?
>
> Can you figure out which DNS entries and/or processes are making those
> queries from the clients in question?
>
> That IP has a lot of stuff on it. EG:
>
> http://cert.uni-stuttgart.de/stats/dns-replication.php?query=216.8.177.23&submit=Query
>
> However, it has also hosted C&Cs on those ports (as per your snort rule) so
> you'll probably need to do a bit more digging to find out what site the
> hosts are connecting to in order to make a more accurate determination.
>
> Cheers,
> -- steve
>
>> Thanks,
>>
>> Arthur
>> UFRGS - BR
>> Universidade Federal do Rio Grande do Sul
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog
>
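The thread's question, whether a host hit SID 2404006 once (a browser visit to a page on a shared IP) or keeps reconnecting on a schedule (beacon-like), can be answered from the Snort alert log itself. Below is an added example, not code from the thread or from any of its participants, that parses Snort "fast"-format alert lines, groups hits per source host and measures how regular the gaps between hits are; the alert lines, host addresses and the 3-hit / 25 % regularity thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed Snort "fast" alert lines (sample data, not from the thread).
SAMPLE_ALERTS = """\
07/01/08-20:56:55.976724  [**] [1:2404006:1] ET DROP Known Bot C&C Server Traffic (group 7) [**] {TCP} 10.1.1.20:2561 -> 216.8.177.23:80
07/01/08-21:26:56.112233  [**] [1:2404006:1] ET DROP Known Bot C&C Server Traffic (group 7) [**] {TCP} 10.1.1.20:2590 -> 216.8.177.23:80
07/01/08-21:56:55.334455  [**] [1:2404006:1] ET DROP Known Bot C&C Server Traffic (group 7) [**] {TCP} 10.1.1.20:2612 -> 216.8.177.23:80
07/01/08-22:26:56.556677  [**] [1:2404006:1] ET DROP Known Bot C&C Server Traffic (group 7) [**] {TCP} 10.1.1.20:2633 -> 216.8.177.23:443
07/01/08-14:03:10.000001  [**] [1:2404006:1] ET DROP Known Bot C&C Server Traffic (group 7) [**] {TCP} 10.1.1.77:3344 -> 216.8.177.23:80
07/02/08-09:15:42.000002  [**] [1:2404006:1] ET DROP Known Bot C&C Server Traffic (group 7) [**] {TCP} 10.1.1.77:3999 -> 216.8.177.23:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[\d+:(?P<sid>\d+):\d+\].*?\{TCP\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_alerts(text):
    """Return (timestamp, sid, src, dst, dport) tuples; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f")
            out.append((ts, m["sid"], m["src"], m["dst"], int(m["dport"])))
    return out

def beacon_profile(alerts, sid):
    """Per source host: hit count, mean gap between hits (seconds) and the gap
    coefficient of variation (pstdev/mean); cv is None with fewer than 3 hits."""
    by_src = defaultdict(list)
    for ts, s, src, _dst, _dport in alerts:
        if s == sid:
            by_src[src].append(ts)
    profile = {}
    for src, times in by_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps) if gaps else None
        cv = pstdev(gaps) / avg if len(gaps) >= 2 and avg else None
        profile[src] = {"hits": len(times), "mean_gap_s": avg, "cv": cv}
    return profile

def classify(p, min_hits=3, max_cv=0.25):
    """Repeated hits at near-constant intervals look like beaconing; one or two hits do not."""
    if p["hits"] >= min_hits and p["cv"] is not None and p["cv"] <= max_cv:
        return "periodic"
    return "sporadic"
```

A "sporadic" host is the case Arthur describes (a single hit, consistent with a page load on a shared IP), while a "periodic" host is the one whose processes and DNS lookups are worth inspecting first.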