[Dshield] Dalnet being uses as a C&C server

Stasiniewicz, Adam stasinia at msoe.edu
Wed Jun 20 04:06:09 GMT 2007


My advice, whenever trying to get in contact with IRC networks, is to follow
the listed support methods.  Every IRC network of any decent size has to
constantly deal with bots/viruses/etc using their servers to do "bad"
things.  And most often, they have publicly documented procedures on how to
report such problems.  In the case of DALnet, a quick scan of the site found
the following useful pages:

http://www.dal.net/admin/contact.php3
http://help.dal.net//operhelp/
http://docs.dal.net/docs/findoper.html

Of all the listed contact methods, by far the most effective is to
connect to one of the support channels (#OperHelp in the case of DALnet) and
chat with someone directly.  By far the worst method is to use the telephone
or contact the ISP/colo hosting the IRC server.

My $0.02,
Adam Stasiniewicz



-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Larry
Sent: Tuesday, June 19, 2007 7:05 PM
To: list at lists.dshield.org
Subject: [Dshield] Dalnet being uses as a C&C server
Importance: High

greetings:

I have found a compromised hosting client on one of our servers. The bot
is connecting to dalnet for C&C. Can you please assist in terminating this?

From one of the perl scripts:

root at w11 [/home/serluna/public_html]# cat /home/serluna/public_html/includes/.log/jancok.pl
#!/usr/bin/perl

$chan="#JagungNet";
$nick=$ARGV[0];
$server="rumble.dal.net";

$SIG{TERM}={};
exit if fork;

use IO::Socket;


full script available upon request.
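
Added example (not part of either message, and not code from DShield or DALnet): a triage scan for a hosting docroot that flags scripts showing the traits visible in the quoted fragment, giving extra weight to files that sit in a dot-directory such as includes/.log. The trait names, the threshold and the constructed sample tree are assumptions.

```python
import os
import re
import tempfile
# Traits visible in the fragment quoted in the post; the names are assumptions.
TRAITS = {
    "perl_shebang": re.compile(r"^#!.*\bperl\b", re.M),
    "raw_socket": re.compile(r"^\s*use\s+(IO::)?Socket\b", re.M),
    "fork_detach": re.compile(r"\bexit\s+if\s+fork\b"),
    "signal_override": re.compile(r"\$SIG\{\s*'?(TERM|INT|HUP)'?\s*\}\s*="),
    "irc_channel": re.compile(r"=\s*[\"']#[\w-]+[\"']"),
}

def score_text(text):
    """Return the sorted names of the traits found in a script body."""
    return sorted(name for name, rx in TRAITS.items() if rx.search(text))

def in_hidden_dir(path, root):
    """True if a directory between root and the file starts with a dot."""
    parts = os.path.relpath(os.path.dirname(path), root).split(os.sep)
    return any(p.startswith(".") and p not in (".", "..") for p in parts)

def scan(root, min_traits=3):
    """Walk a web root; return (relative path, traits, hidden) per suspect file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(65536)  # the traits sit near the top
            except OSError:
                continue
            traits, hidden = score_text(text), in_hidden_dir(path, root)
            # A dot-directory under a docroot lowers the bar by one trait.
            if len(traits) >= min_traits - (1 if hidden else 0):
                findings.append((os.path.relpath(path, root), traits, hidden))
    return sorted(findings)

def demo():
    """Scan a constructed docroot: the quoted fragment plus a benign CGI."""
    bot = ('#!/usr/bin/perl\n\n$chan="#JagungNet";\n$nick=$ARGV[0];\n'
           '$server="rumble.dal.net";\n\n$SIG{TERM}={};\nexit if fork;\n\n'
           'use IO::Socket;\n')
    cgi = '#!/usr/bin/perl\nuse CGI;\nprint "Content-type: text/html\\n\\n";\n'
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes", ".log"))
        for rel, body in (("includes/.log/jancok.pl", bot), ("index.cgi", cgi)):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan(root)
```

Calling scan() on a real docroot returns the same tuples as demo(); a hit is a lead for manual review, not proof of compromise.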
