[Dshield] Dalnet being used as a C&C server

ge at linuxbox.org ge at linuxbox.org
Wed Jun 20 01:02:16 GMT 2007


On 2007-06-19 20:04-0400, Larry wrote:
>greetings:
>
>I have found a compromised hosting client on one of our servers. The bot
>is connecting to dalnet for C&C. Can you please assist in terminating this?

I believe dalnet still has abuse and kline committees... but I haven't
been up to date in.. wow.

>
>From one of the perl scripts:
>
>root at w11 [/home/serluna/public_html]# cat /home/serluna/public_html/includes/.log/jancok.pl
>#!/usr/bin/perl
>
>$chan="#JagungNet";
>$nick=$ARGV[0];
>$server="rumble.dal.net";
>
>$SIG{TERM}={};
>exit if fork;
>
>use IO::Socket;
>
>
>full script available upon request.
>

-- 
--
"beepbeep it, i leave work, stop reading sec lists and im still hearing
gadi"
- HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.

