[Dshield] Dalnet being uses as a C&C server

Tomas L. Byrnes tomb at byrneit.net
Wed Jun 20 01:55:19 GMT 2007


If you don't see this site come down soon, you can ask the handler on
duty, Marc, or Johannes, to activate a ThreatSTOP Emergency block on the
host. People using our service block inbound and outbound, and we have a
channel in place to have the ISC Handlers push out an emergency block,
if they detect a malware seed or C&C site that they want taken down,
that isn't responsive. We only let the handlers do this, so that the
proper incident response methods are followed.

If you want to see more about how to use the DShield lists to block
attackers, check out www.threatstop.com

 

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Larry
> Sent: Tuesday, June 19, 2007 5:05 PM
> To: list at lists.dshield.org
> Subject: [Dshield] Dalnet being uses as a C&C server
> Importance: High
> 
> greetings:
> 
> I have found a compromised hosting client on one of our 
> servers. The bot is connecting to dalnet for C&C. Can you 
> please assist in terminating this?
> 
> From one of the perl scripts:
> 
> root@w11 [/home/serluna/public_html]# cat /home/serluna/public_html/includes/.log/jancok.pl
> #!/usr/bin/perl
> 
> $chan="#JagungNet";
> $nick=$ARGV[0];
> $server="rumble.dal.net";
> 
> $SIG{TERM}={};
> exit if fork;
> 
> use IO::Socket;
> 
> 
> full script available upon request.
> 
> 
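
For hosting operators hunting for similar scripts, here is an added example (not part of the original thread, and not ThreatSTOP or DShield code): a Python scan of web roots for Perl scripts showing the traits visible in the quoted excerpt, namely a hidden directory, `use IO::Socket`, fork-and-exit daemonizing, a `$SIG` handler override and a `#channel` assignment. The indicator set, the thresholds and the sample files are assumptions constructed for illustration.

```python
import os, re, tempfile

# Indicators modelled on the traits visible in the quoted excerpt (assumed set).
INDICATORS = {
    "raw_socket": re.compile(r"^\s*use\s+IO::Socket\b", re.M),
    "daemonize": re.compile(r"\bexit\s+if\s+fork\b"),
    "irc_channel": re.compile(r"""=\s*["']#[\w-]+["']"""),
    "signal_override": re.compile(r"\$SIG\{\w+\}\s*="),
}

def scan(root):
    """Return sorted (relative path, in_hidden_dir, indicator names) per flagged script."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        hidden = any(p.startswith(".") and p != "." for p in rel_dir.split(os.sep))
        for name in files:
            try:
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    text = fh.read(65536)  # indicators sit near the top of the file
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if not (name.endswith((".pl", ".cgi")) or re.match(r"#!.*perl", text)):
                continue
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
            if len(hits) >= (2 if hidden else 3):  # hidden location lowers the bar
                rel = os.path.join(rel_dir, name).replace(os.sep, "/")
                findings.append((rel, hidden, hits))
    return sorted(findings)

# Constructed sample files (placeholder channel and paths, not real indicators).
SAMPLES = {
    "public_html/includes/.cache/x.pl":
        '#!/usr/bin/perl\n$chan="#example";\n$SIG{TERM}={};\nexit if fork;\nuse IO::Socket;\n',
    "public_html/cgi-bin/ping.pl":
        '#!/usr/bin/perl\nuse IO::Socket;\nprint "Content-type: text/plain\\n\\nok\\n";\n',
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Point `scan()` at a directory such as `/home` to sweep every account; a lone `use IO::Socket` in a normally located CGI script is not flagged.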
