[Planetlab-users] planet-lab nodes used as bots?
Dragan Milic
milic at iam.unibe.ch
Tue Dec 12 08:21:05 EST 2006
Hello all,
we received the following reports about possible contacts from our PlanetLab
nodes (planetlab01.cnds.unibe.ch and planetlab02.cnds.unibe.ch) to known
IRC botnet masters. Did anyone else observe similar activities on their
nodes?
Best Regards,
Dragan Milic
-------- Original Message --------
Subject: Most likely compromised system [130.92.70.252] [Botnet]
Date: Mon, 11 Dec 2006 12:30:13 +0100
From: serge.droz at switch.ch
Reply-To: cert at switch.ch
To: Uni Bern <security at unibe.ch>
CC: cert at switch.ch
Dear Security Team,
Based on received information about a 'malicious IRC command master' at
220.194.170.5 and our netflow data, we encourage you to check 130.92.70.252
for a possible infection.
Some additional information about bots and possible removal tools:
General information:
http://www.swatit.org/bots/
http://www.lurhq.com/phatbot.html
Removal Instructions & Tools:
http://www.switch.ch/security/incident-handling/resources/hunting.html
http://vil.nai.com/vil/stinger/
http://www.safer-networking.org/en/index.html
http://www.swatit.org/
Kind regards
SWITCH-CERT
first log entries (UTC+2):
2006-12-10 20:49:15.575 0.384 TCP 130.92.70.252:3127 -> 220.194.170.5:4742 4 428 B
2006-12-10 20:49:15.583 0.832 TCP 220.194.170.5:4742 -> 130.92.70.252:3127 6 410 B
2006-12-10 20:49:16.416 0.832 TCP 130.92.70.252:3127 -> 220.194.170.5:4750 5 474 B
2006-12-10 20:49:16.417 0.832 TCP 220.194.170.5:4750 -> 130.92.70.252:3127 6 410 B
2006-12-10 20:49:16.458 0.000 TCP 130.92.70.252:3127 -> 220.194.170.5:4742 1 46 B
2006-12-10 20:49:17.242 8.768 TCP 220.194.170.5:4756 -> 130.92.70.252:3127 6 526 B
2006-12-10 20:49:17.248 0.448 TCP 130.92.70.252:3127 -> 220.194.170.5:4756 4 428 B
2006-12-10 20:49:18.079 0.832 TCP 130.92.70.252:3127 -> 220.194.170.5:4763 5 474 B
2006-12-10 20:49:18.080 0.832 TCP 220.194.170.5:4763 -> 130.92.70.252:3127 6 409 B
2006-12-10 20:49:18.909 0.832 TCP 130.92.70.252:3127 -> 220.194.170.5:4769 5 474 B
---- SWITCH-CERT Incident Report Format ----
SIR_BEGIN
SIR_PROBLEM
Compromised system involved in Botnet
SIR_INFOS
some additional information and tools:
Removal Instructions & Tools:
http://www.switch.ch/security/incident-handling/resources/hunting.html
http://vil.nai.com/vil/stinger/
http://www.safer-networking.org/en/index.html
http://www.swatit.org/
SIR_SUSPICIOUSHOSTS_0
130.92.70.252
SIR_LOGS_0
SIR_END
--
_________ SWITCH - The Swiss Education & Research Network ________
Serge Droz Network Security Engineer Member of SWITCH-CERT
PGP fingerprint: 9465 2F1F 5508 1FA7 23E5 4659 06F5 EBEB B92B D127
SWITCH, Neumuehlequai 6, P.O. Box, CH-8001 Zurich, Switzerland
E-mail: serge.droz at switch.ch Web: http://www.switch.ch/
-------- Original Message --------
Subject: Most likely compromised system [130.92.70.251] [Botnet]
Date: Mon, 11 Dec 2006 12:30:14 +0100
From: serge.droz at switch.ch
Reply-To: cert at switch.ch
To: Uni Bern <security at unibe.ch>
CC: cert at switch.ch
Dear Security Team,
Based on received information about a 'malicious IRC command master' at
86.137.48.204 and our netflow data, we encourage you to check 130.92.70.251
for a possible infection.
Some additional information about bots and possible removal tools:
General information:
http://www.swatit.org/bots/
http://www.lurhq.com/phatbot.html
Removal Instructions & Tools:
http://www.switch.ch/security/incident-handling/resources/hunting.html
http://vil.nai.com/vil/stinger/
http://www.safer-networking.org/en/index.html
http://www.swatit.org/
Kind regards
SWITCH-CERT
first log entries (UTC+2):
2006-12-09 10:41:49.254 0.128 TCP 86.137.48.204:11151 -> 130.92.70.251:3128 6 334 B
2006-12-09 10:41:49.306 0.064 TCP 86.137.48.204:11151 -> 130.92.70.251:3128 6 352 B
2006-12-09 10:41:49.306 0.064 TCP 130.92.70.251:3128 -> 86.137.48.204:11151 5 474 B
2006-12-09 10:42:02.165 0.064 TCP 86.137.48.204:25487 -> 130.92.70.251:3128 6 344 B
2006-12-09 10:42:02.169 0.064 TCP 130.92.70.251:3128 -> 86.137.48.204:25487 5 474 B
2006-12-09 10:42:02.181 0.064 TCP 86.137.48.204:25487 -> 130.92.70.251:3128 6 326 B
2006-12-09 10:42:17.725 0.128 TCP 130.92.70.251:3124 -> 86.137.48.204:49807 5 474 B
2006-12-09 10:42:17.727 0.128 TCP 86.137.48.204:49807 -> 130.92.70.251:3124 6 348 B
2006-12-09 10:42:17.735 0.128 TCP 86.137.48.204:49807 -> 130.92.70.251:3124 6 330 B
2006-12-09 10:42:17.789 0.064 TCP 86.137.48.204:50063 -> 130.92.70.251:3128 6 348 B
---- SWITCH-CERT Incident Report Format ----
SIR_BEGIN
SIR_PROBLEM
Compromised system involved in Botnet
SIR_INFOS
some additional information and tools:
Removal Instructions & Tools:
http://www.switch.ch/security/incident-handling/resources/hunting.html
http://vil.nai.com/vil/stinger/
http://www.safer-networking.org/en/index.html
http://www.swatit.org/
SIR_SUSPICIOUSHOSTS_0
130.92.70.251
SIR_LOGS_0
SIR_END