[Planetlab-users] planet-lab nodes used as bots?
KyoungSoo Park
kyoungso at CS.Princeton.EDU
Tue Dec 12 11:10:10 EST 2006
Hello Dragan,
I am the lead grad student in charge of the CoDeeN project
(http://codeen.cs.princeton.edu/), and the traffic was between "the
IRC master" and one of the CoDeeN proxies. However, I've looked at the
CoDeeN logs, and confirmed that all of its CONNECT requests were
blocked at the proxy level. So, unless you have other evidence, I
believe it is a false positive.
Actually, I have already responded to the same complaint twice. If you
can, could you please spread my email to anyone who has got the false
alarm?
Thanks,
KyoungSoo
Dragan Milic wrote:
> Hello all,
>
> we received the following reports about possible contacts from our planetlab
> nodes (planetlab01.cnds.unibe.ch and planetlab02.cnds.unibe.ch) to known
> IRC Botnet masters. Did anyone else observe similar activities on their
> nodes?
>
> Best Regards,
> Dragan Milic
>
>
> -------- Original Message --------
> Subject: Most likely compromised system [130.92.70.252] [Botnet]
> Date: Mon, 11 Dec 2006 12:30:13 +0100
> From: serge.droz at switch.ch
> Reply-To: cert at switch.ch
> To: Uni Bern <security at unibe.ch>
> CC: cert at switch.ch
>
> Dear Security Team,
>
> based on received information about a 'malicious IRC command master'
> at 220.194.170.5
>
> and our netflow data, we encourage you to check
>
> 130.92.70.252
>
> for a possible infection.
>
> some additional information about Bots & possible removal
> tools:
>
> General information:
> http://www.swatit.org/bots/
> http://www.lurhq.com/phatbot.html
>
> Removal Instructions & Tools:
> http://www.switch.ch/security/incident-handling/resources/hunting.html
> http://vil.nai.com/vil/stinger/
> http://www.safer-networking.org/en/index.html
> http://www.swatit.org/
>
>
> Kind regards
> SWITCH-CERT
>
> first log entries (UTC+2):
> 2006-12-10 20:49:15.575 0.384 TCP 130.92.70.252:3127 -> 220.194.170.5:4742 4 428 B
> 2006-12-10 20:49:15.583 0.832 TCP 220.194.170.5:4742 -> 130.92.70.252:3127 6 410 B
> 2006-12-10 20:49:16.416 0.832 TCP 130.92.70.252:3127 -> 220.194.170.5:4750 5 474 B
> 2006-12-10 20:49:16.417 0.832 TCP 220.194.170.5:4750 -> 130.92.70.252:3127 6 410 B
> 2006-12-10 20:49:16.458 0.000 TCP 130.92.70.252:3127 -> 220.194.170.5:4742 1 46 B
> 2006-12-10 20:49:17.242 8.768 TCP 220.194.170.5:4756 -> 130.92.70.252:3127 6 526 B
> 2006-12-10 20:49:17.248 0.448 TCP 130.92.70.252:3127 -> 220.194.170.5:4756 4 428 B
> 2006-12-10 20:49:18.079 0.832 TCP 130.92.70.252:3127 -> 220.194.170.5:4763 5 474 B
> 2006-12-10 20:49:18.080 0.832 TCP 220.194.170.5:4763 -> 130.92.70.252:3127 6 409 B
> 2006-12-10 20:49:18.909 0.832 TCP 130.92.70.252:3127 -> 220.194.170.5:4769 5 474 B
>
>
> ---- SWITCH-CERT Incident Report Format ----
> SIR_BEGIN
> SIR_PROBLEM
> Compromised system involved in Botnet
> SIR_INFOS
> some additional information and tools:
>
> Removal Instructions & Tools:
> http://www.switch.ch/security/incident-handling/resources/hunting.html
> http://vil.nai.com/vil/stinger/
> http://www.safer-networking.org/en/index.html
> http://www.swatit.org/
> SIR_SUSPICIOUSHOSTS_0
> 130.92.70.252
> SIR_LOGS_0
> SIR_END
>
> --
> _________ SWITCH - The Swiss Education & Research Network ________
> Serge Droz Network Security Engineer Member of SWITCH-CERT
> PGP fingerprint: 9465 2F1F 5508 1FA7 23E5 4659 06F5 EBEB B92B D127
> SWITCH, Neumuehlequai 6, P.O. Box, CH-8001 Zurich, Switzerland
> E-mail: serge.droz at switch.ch Web: http://www.switch.ch/
>
>
> -------- Original Message --------
> Subject: Most likely compromised system [130.92.70.251] [Botnet]
> Date: Mon, 11 Dec 2006 12:30:14 +0100
> From: serge.droz at switch.ch
> Reply-To: cert at switch.ch
> To: Uni Bern <security at unibe.ch>
> CC: cert at switch.ch
>
> Dear Security Team,
>
> based on received information about a 'malicious IRC command master'
> at 86.137.48.204
>
> and our netflow data, we encourage you to check
>
> 130.92.70.251
>
> for a possible infection.
>
> some additional information about Bots & possible removal
> tools:
>
> General information:
> http://www.swatit.org/bots/
> http://www.lurhq.com/phatbot.html
>
> Removal Instructions & Tools:
> http://www.switch.ch/security/incident-handling/resources/hunting.html
> http://vil.nai.com/vil/stinger/
> http://www.safer-networking.org/en/index.html
> http://www.swatit.org/
>
>
> Kind regards
> SWITCH-CERT
>
> first log entries (UTC+2):
> 2006-12-09 10:41:49.254 0.128 TCP 86.137.48.204:11151 -> 130.92.70.251:3128 6 334 B
> 2006-12-09 10:41:49.306 0.064 TCP 86.137.48.204:11151 -> 130.92.70.251:3128 6 352 B
> 2006-12-09 10:41:49.306 0.064 TCP 130.92.70.251:3128 -> 86.137.48.204:11151 5 474 B
> 2006-12-09 10:42:02.165 0.064 TCP 86.137.48.204:25487 -> 130.92.70.251:3128 6 344 B
> 2006-12-09 10:42:02.169 0.064 TCP 130.92.70.251:3128 -> 86.137.48.204:25487 5 474 B
> 2006-12-09 10:42:02.181 0.064 TCP 86.137.48.204:25487 -> 130.92.70.251:3128 6 326 B
> 2006-12-09 10:42:17.725 0.128 TCP 130.92.70.251:3124 -> 86.137.48.204:49807 5 474 B
> 2006-12-09 10:42:17.727 0.128 TCP 86.137.48.204:49807 -> 130.92.70.251:3124 6 348 B
> 2006-12-09 10:42:17.735 0.128 TCP 86.137.48.204:49807 -> 130.92.70.251:3124 6 330 B
> 2006-12-09 10:42:17.789 0.064 TCP 86.137.48.204:50063 -> 130.92.70.251:3128 6 348 B
>
>
> ---- SWITCH-CERT Incident Report Format ----
> SIR_BEGIN
> SIR_PROBLEM
> Compromised system involved in Botnet
> SIR_INFOS
> some additional information and tools:
>
> Removal Instructions & Tools:
> http://www.switch.ch/security/incident-handling/resources/hunting.html
> http://vil.nai.com/vil/stinger/
> http://www.safer-networking.org/en/index.html
> http://www.swatit.org/
> SIR_SUSPICIOUSHOSTS_0
> 130.92.70.251
> SIR_LOGS_0
> SIR_END
>
> --
> _________ SWITCH - The Swiss Education & Research Network ________
> Serge Droz Network Security Engineer Member of SWITCH-CERT
> PGP fingerprint: 9465 2F1F 5508 1FA7 23E5 4659 06F5 EBEB B92B D127
> SWITCH, Neumuehlequai 6, P.O. Box, CH-8001 Zurich, Switzerland
> E-mail: serge.droz at switch.ch Web: http://www.switch.ch/
>
> _______________________________________________
> Users mailing list: Users at lists.planet-lab.org
> https://lists.planet-lab.org/mailman/listinfo/users
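The false-positive argument in the reply above can be checked directly against the netflow excerpts: a bot dials out from changing ephemeral ports to one fixed port on its command server, whereas a listening service such as a CoDeeN proxy keeps its own port fixed while the remote ports change. The script below is an added example, not part of the thread or of CoDeeN; the flow records are copied from the two quoted reports (wrapped lines re-joined), and the port-set heuristic in `triage` is an assumption of this example, not a rule stated by SWITCH-CERT.

```python
import re

# Netflow records copied from the two SWITCH-CERT reports quoted above, with the
# wrapped lines re-joined: timestamp duration proto src:port -> dst:port pkts bytes
REPORT_252 = """
2006-12-10 20:49:15.575 0.384 TCP 130.92.70.252:3127 -> 220.194.170.5:4742 4 428 B
2006-12-10 20:49:15.583 0.832 TCP 220.194.170.5:4742 -> 130.92.70.252:3127 6 410 B
2006-12-10 20:49:16.416 0.832 TCP 130.92.70.252:3127 -> 220.194.170.5:4750 5 474 B
2006-12-10 20:49:17.242 8.768 TCP 220.194.170.5:4756 -> 130.92.70.252:3127 6 526 B
"""
REPORT_251 = """
2006-12-09 10:41:49.254 0.128 TCP 86.137.48.204:11151 -> 130.92.70.251:3128 6 334 B
2006-12-09 10:41:49.306 0.064 TCP 130.92.70.251:3128 -> 86.137.48.204:11151 5 474 B
2006-12-09 10:42:02.165 0.064 TCP 86.137.48.204:25487 -> 130.92.70.251:3128 6 344 B
2006-12-09 10:42:17.725 0.128 TCP 130.92.70.251:3124 -> 86.137.48.204:49807 5 474 B
"""

FLOW_RE = re.compile(r"^(\S+ \S+) (\S+) TCP (\S+):(\d+) -> (\S+):(\d+) (\d+) (\d+) B$")


def parse_flows(text):
    """Return one dict per unidirectional netflow record; reject anything unparsed."""
    flows = []
    for line in text.strip().splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed flow record: {line!r}")
        _ts, _dur, src, sport, dst, dport, pkts, nbytes = m.groups()
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def triage(flows, local_ip):
    """Classify local_ip as 'server', 'client' or 'ambiguous' toward the remote end.

    Heuristic (assumption of this example): the side whose port set stays small
    while the other side's ports vary is the listener; a bot would be the client.
    """
    local_ports, remote_ports = set(), set()
    for f in flows:
        if f["src"] == local_ip:
            local_ports.add(f["sport"]); remote_ports.add(f["dport"])
        elif f["dst"] == local_ip:
            local_ports.add(f["dport"]); remote_ports.add(f["sport"])
    role = ("server" if len(remote_ports) > len(local_ports) else
            "client" if len(local_ports) > len(remote_ports) else "ambiguous")
    return {"role": role, "local_ports": sorted(local_ports),
            "remote_ports": sorted(remote_ports)}
```

For both reported hosts the fixed side is the local proxy port (3127, 3128, 3124) and the remote ports vary, which is the pattern of a client using an open proxy rather than of a bot dialing its master; the netflow alone cannot show whether the proxied CONNECT was honoured, which is why the proxy's own logs settle it.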