[unisog] New Bot variants making rounds

Michael Holstein michael.holstein at csuohio.edu
Mon Apr 4 19:18:59 GMT 2005


> Yes. The control channels are unencrypted IRC on various ports. Here is 
> the list I've seen since 31/Mar/05 00:00:00 (GMT-5) with the Count, IP, 
> and port #.

Whoops ... Ignore this line. This is the *only* false-positive I've seen 
for the snort sigs. It's a "lifestyle" website's ('host 64.125.138.181' 
for the curious) Java IRC "chat" program and people with usernames that 
contain the right strings (typically '/zombie/') can trigger the snort sig.

>      15 64.125.138.181 7514

~Mike.

