[unisog] New Bot variants making rounds

Michael Holstein michael.holstein at csuohio.edu
Mon Apr 4 18:42:40 GMT 2005


> Does this imply that they are making an IRC connection to a control 
> host and if so would you share the IPs of the IRC servers so those of us with
> argus on the outbound links can get early warning (by searching for connections
> to the IRC server)? I haven't yet seen this, but undoubtedly will when someone
> brings it on campus on their laptop :-) (and it starts scanning and gets 
> whacked and its connections searched).

Yes. The control channels are unencrypted IRC on various ports. Here is 
the list I've seen since 31/Mar/05 00:00:00 (GMT-5) with the Count, IP, 
and port #.

FWIW: dsniff does a wonderful job in logging the channel 
names/passwords in case you want to meet new people :)

~Mike.

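The early-warning search discussed in this thread, as an added example that is not part of the original messages: it tallies outbound flows from campus hosts to watchlisted control host and port pairs, producing the same count, IP, port layout. The flow-line format, the watchlist entries (documentation address ranges), and the `10.1.0.0/16` campus range are constructed assumptions, not real Argus output.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed sample: "timestamp src_ip src_port dst_ip dst_port proto".
# Simplified layout for illustration, not real Argus output.
SAMPLE_FLOWS = """\
2005-04-04T10:00:01 10.1.2.3 1045 192.0.2.10 7000 tcp
2005-04-04T10:00:07 10.1.2.3 1046 192.0.2.10 7000 tcp
2005-04-04T10:01:12 10.1.9.8 2211 192.0.2.10 6667 tcp
2005-04-04T10:02:30 10.1.2.3 1050 198.51.100.7 80 tcp
2005-04-04T10:03:02 10.1.4.4 3300 203.0.113.5 8080 tcp
malformed line
2005-04-04T10:04:44 10.1.9.8 2215 192.0.2.10 7000 tcp
"""

# Constructed watchlist of (control host, port) pairs (documentation ranges).
WATCHLIST = {("192.0.2.10", 7000), ("192.0.2.10", 6667), ("203.0.113.5", 8080)}
CAMPUS_NET = ipaddress.ip_network("10.1.0.0/16")  # assumed internal range

def parse_flows(text):
    """Yield (src, dst, dport) for well-formed TCP records; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[5] != "tcp":
            continue
        try:
            src = ipaddress.ip_address(fields[1])
            dst = ipaddress.ip_address(fields[3])
            dport = int(fields[4])
        except ValueError:
            continue
        yield src, dst, dport

def control_channel_hits(text, watchlist=WATCHLIST, net=CAMPUS_NET):
    """Return ([(count, dst_ip, port)] by descending count, {(ip, port): hosts})."""
    counts, hosts = Counter(), defaultdict(set)
    for src, dst, dport in parse_flows(text):
        key = (str(dst), dport)
        if src in net and key in watchlist:
            counts[key] += 1
            hosts[key].add(str(src))
    table = sorted(((n, ip, p) for (ip, p), n in counts.items()),
                   key=lambda r: (-r[0], r[1], r[2]))
    return table, {k: sorted(v) for k, v in hosts.items()}

if __name__ == "__main__":
    table, hosts = control_channel_hits(SAMPLE_FLOWS)
    for n, ip, port in table:
        print(f"{n:8d} {ip} {port}  from {', '.join(hosts[(ip, port)])}")
```

The per-destination host list is what identifies which campus machines to pull off the network once a watchlisted endpoint shows up.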

