[unisog] ET DROP Known Bot C&C Server Traffic --> 216.8.177.23

Stephen Gill gillsr at cymru.com
Thu Jul 10 19:46:14 GMT 2008


Hi Arthur,
 
>    Since some weeks ago, we started getting many hits on rule
> "ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
> with traffic going to 216.8.177.23 (ports 25, 80 and 443).
> The related packet is:
> 
> 07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 216.8.177.23:80
> TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x74043F2B  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> 
>    I run some antivirus online on a few machines, but I could
> not detect any bot infection. Has anyone got false positives
> on events hitting that rule ?

Can you figure out which DNS entries and/or processes are making those
queries from the clients in question?

That IP has a lot of stuff on it.  EG:

http://cert.uni-stuttgart.de/stats/dns-replication.php?query=216.8.177.23&submit=Query

However, it has also hosted C&Cs on those ports (as per your snort rule) so
you'll probably need to do a bit more digging to find out what site the
hosts are connecting to in order to make a more accurate determination.

Cheers,
-- steve

> 
>    Thanks,
> 
> Arthur
> UFRGS - BR
> Universidade Federal do Rio Grande do Sul
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
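[Editor's added example, not code from the thread or from Team Cymru.] The point above is that SID 2404006 matches on the destination IP alone, and 216.8.177.23 hosts many sites, so the alert cannot tell you which site each client reached. The script below shows the "more digging" step: it parses Snort fast-format alert lines and, for each flagged flow, recovers the name the client itself sent (the HTTP Host header on port 80, the TLS ClientHello SNI on port 443) so the hits can be grouped per virtual host. Only the destination address, the SID and the rule text come from the post; the alert lines, client addresses, payloads and hostnames are constructed for illustration.

```python
"""Triage for IP-reputation alerts that hit a shared-hosting address.

Added example; the alert lines, client IPs, payloads and hostnames below
are constructed. Only 216.8.177.23, SID 2404006 and the rule message come
from the unisog post.
"""
import re
import struct
from collections import defaultdict

# Snort "fast" alert format (the sample lines below are constructed).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["dport"] = int(d["dport"])
    return d

def http_host(payload):
    """Host header from a plaintext HTTP request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def tls_sni(payload):
    """server_name from a TLS ClientHello (record type 0x16, handshake type 1), or None."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    body = payload[9:9 + hs_len]
    p = 34                                           # client_version(2) + random(32)
    try:
        p += 1 + body[p]                             # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]     # cipher_suites
        p += 1 + body[p]                             # compression_methods
        ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            ext, p = body[p + 4:p + 4 + elen], p + 4 + elen
            if etype == 0 and len(ext) >= 5 and ext[2] == 0:   # host_name entry
                nlen = struct.unpack("!H", ext[3:5])[0]
                return ext[5:5 + nlen].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                  # truncated or malformed hello
    return None

def build_client_hello(name):
    """Minimal ClientHello carrying only an SNI extension (constructed test input)."""
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name.encode()
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def flagged_hostnames(alert_lines, flows):
    """Count alerts per (client, dst:port, hostname the client asked for).

    flows maps (src, dst, dport) to the first client->server payload of that
    flow, as you would pull it from a packet capture on the sensor.
    """
    out = defaultdict(int)
    for line in alert_lines:
        a = parse_alert(line)
        if not a:
            continue
        payload = flows.get((a["src"], a["dst"], a["dport"]), b"")
        if a["dport"] == 80:
            name = http_host(payload)
        elif a["dport"] == 443:
            name = tls_sni(payload)
        else:
            name = None                              # e.g. port 25: no hostname in the first bytes
        out[(a["src"], f'{a["dst"]}:{a["dport"]}', name or "(no hostname seen)")] += 1
    return dict(out)

RULE = "ET DROP Known Bot C&C Server Traffic (group 7)"
CLASS = "[Classification: A Network Trojan was detected] [Priority: 1] {TCP}"
SAMPLE_ALERTS = [                                    # constructed
    f"07/01/08-20:56:55.976724  [**] [1:2404006:1] {RULE} [**] {CLASS} 10.20.30.40:2561 -> 216.8.177.23:80",
    f"07/01/08-20:57:01.101000  [**] [1:2404006:1] {RULE} [**] {CLASS} 10.20.30.41:3011 -> 216.8.177.23:443",
    f"07/01/08-20:58:10.500000  [**] [1:2404006:1] {RULE} [**] {CLASS} 10.20.30.42:1042 -> 216.8.177.23:25",
]
SAMPLE_FLOWS = {                                     # constructed
    ("10.20.30.40", "216.8.177.23", 80):
        b"GET /update.php HTTP/1.1\r\nHost: www.example-vhost.test\r\nUser-Agent: x\r\n\r\n",
    ("10.20.30.41", "216.8.177.23", 443): build_client_hello("mail.example-vhost.test"),
}

if __name__ == "__main__":
    for key, n in sorted(flagged_hostnames(SAMPLE_ALERTS, SAMPLE_FLOWS).items()):
        print(n, *key)
```

Once hits are grouped by hostname, a name that resolves to the same address but belongs to an ordinary site (checkable against the passive-DNS query above) points to a false positive of the IP-based rule, while an unfamiliar name, or port 25 traffic with no hostname to explain it, is what still warrants looking at the process on the client.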
