[unisog] New Bot variants making rounds

Tom Fischer Fischer at CERT.Uni-Stuttgart.DE
Mon Apr 4 22:03:00 GMT 2005


Hi,

On Mon, Apr 04, 2005 at 03:18:59PM -0400, Michael Holstein wrote:
> Whoops ... Ignore this line. This is the *only* false-positive I've seen 
> for the snort sigs. It's a "lifestyle" website's ('host 64.125.138.181' 
> for the curious) Java IRC "chat" program and people with usernames that 
> contain the right strings (typically '/zombie/') can trigger the snort sig.

except for 

>       3 65.173.218.113 25

http://cert.uni-stuttgart.de/stats/dns-replication.php?query=65.173.218.113
output:

mail2.dshield.org       A       65.173.218.113
iceman12-ext.giac.net   A       65.173.218.113
113.218.173.65.in-addr.arpa     PTR     iceman12-ext.giac.net

;-)

-- 
Tom Fischer                              Fischer at cert.uni-stuttgart.de
RUS-CERT University of Stuttgart    Tel:+49 711 121-3676 / -3688 (fax)
Breitscheidstr. 2, D-70174 Stuttgart     http://cert.uni-stuttgart.de/

