[unisog] New Bot variants making rounds

Peter Van Epp vanepp at sfu.ca
Mon Apr 4 18:18:51 GMT 2005


<snip>
> 
> I've been catching the machines with the (very effective) "RogueIRC" 
> snort sigs from a few months back.
> 
> Happy Hunting,
> 
> Michael Holstein CISSP GCIA
> Cleveland State University
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

	Does this imply that they are making an IRC connection to a control 
host and if so would you share the IPs of the IRC servers so those of us with
argus on the outbound links can get early warning (by searching for connections
to the IRC server)? I haven't yet seen this, but undoubtedly will when someone
brings it on campus on their laptop :-) (and it starts scanning and gets 
whacked and its connections searched).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
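
The search described in the message above, sketched as an added example that is not part of the original post: match outbound flow records against a watchlist of IRC server addresses and list the campus hosts that connected. The CSV layout, the campus range and all addresses are constructed placeholders; this is not argus's own record format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed watchlist: RFC 5737 documentation addresses standing in for
# IRC server IPs shared by another site.
IRC_SERVERS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("198.51.100.7")}
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed campus range

# Constructed flow records (hypothetical export layout, not argus output).
SAMPLE_FLOWS = """\
start,src,dst,dport,proto
2005-04-04T17:02:11,10.20.5.44,192.0.2.10,6667,tcp
2005-04-04T17:02:15,10.20.9.3,203.0.113.80,80,tcp
2005-04-04T17:40:02,10.20.5.44,192.0.2.10,6667,tcp
2005-04-04T17:55:37,10.20.7.19,198.51.100.7,7000,tcp
2005-04-04T18:01:09,192.0.2.10,10.20.5.44,1025,tcp
not,a,valid,record
"""

def find_irc_clients(flow_csv, servers=IRC_SERVERS, campus=CAMPUS_NET):
    """Return {campus_host: {"first": ts, "count": n, "peers": {(ip, port)}}}."""
    hits = defaultdict(lambda: {"first": None, "count": 0, "peers": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            port = int(row["dport"])
        except (ValueError, TypeError, KeyError):
            continue  # skip malformed or truncated records
        # Match on destination address only: the control channel may not
        # be on a standard IRC port, so the port is reported, not filtered.
        if src not in campus or dst not in servers:
            continue
        host = hits[str(src)]
        # ISO 8601 timestamps sort lexicographically, so string compare works.
        if host["first"] is None or row["start"] < host["first"]:
            host["first"] = row["start"]
        host["count"] += 1
        host["peers"].add((str(dst), port))
    return dict(hits)

if __name__ == "__main__":
    for ip, info in sorted(find_irc_clients(SAMPLE_FLOWS).items()):
        print(ip, info["first"], info["count"], sorted(info["peers"]))
```
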

