[Emerging-Sigs] ET DROP Known Bot C&C Server Traffic --> 216.8.177.23
Matt Jonkman
jonkman at jonkmans.com
Thu Jul 10 11:40:02 EDT 2008
That's close to a known RBN host as well (216.8.177.26). It has dropped
out of the known CnC list from shadowserver, and doesn't appear to have
an active controller at the moment. If you have systems trying to make
connections there though I'd be very concerned. AV may not catch it of
course. Have you tried a few other AVs?
Some googling shows a LOT of hostile domains associated with that
box/ip. I'd definitely consider the workstation suspect and get it offline.
Have you tracked the dns lookups it makes on boot?
Matt
Arthur Boos Jr wrote:
> Hello,
>
> For some weeks now we have been getting many hits on rule
> "ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
> with traffic going to 216.8.177.23 (ports 25, 80 and 443).
> The related packet is:
>
> 07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 216.8.177.23:80
> TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x74043F2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
>
> I ran some online antivirus scans on a few machines, but could
> not detect any bot infection. Has anyone got false positives
> on events hitting that rule?
>
> Thanks,
>
> Arthur
> UFRGS - BR
> Universidade Federal do Rio Grande do Sul
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
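As an added example (not code from either poster or from Emerging Threats), the following script does the triage the thread is talking about: it parses Snort packet-header output of the kind Arthur pasted, tallies connection attempts per destination IP and port, and flags destinations that are on a watchlist or sit in the same /24 as a watched host, which is how 216.8.177.26 (the nearby RBN host Matt mentions) would surface. The sample alerts, the 192.0.2.x / 198.51.100.x source and destination addresses, and the watchlist contents are constructed for the example; only 216.8.177.23, 216.8.177.26 and the packet format come from the thread.

```python
"""Summarise Snort packet-header alerts by destination (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in Snort's packet-logger format. The first record
# mirrors the one quoted in the thread; the rest are made up for the demo.
SAMPLE_ALERTS = """\
07/01/08-20:56:55.976724 192.0.2.10:2561 -> 216.8.177.23:80
TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
******S* Seq: 0x74043F2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

07/01/08-20:57:01.100000 192.0.2.10:2562 -> 216.8.177.23:443
TCP TTL:127 TOS:0x0 ID:35417 IpLen:20 DgmLen:48 DF
******S* Seq: 0x74043F2C Ack: 0x0 Win: 0xFFFF TcpLen: 28

07/01/08-20:57:05.200000 192.0.2.10:2563 -> 216.8.177.23:25
TCP TTL:127 TOS:0x0 ID:35418 IpLen:20 DgmLen:48 DF
******S* Seq: 0x74043F2D Ack: 0x0 Win: 0xFFFF TcpLen: 28

07/01/08-20:57:30.000000 192.0.2.10:2570 -> 216.8.177.26:80
TCP TTL:127 TOS:0x0 ID:35420 IpLen:20 DgmLen:48 DF
******S* Seq: 0x74043F2E Ack: 0x0 Win: 0xFFFF TcpLen: 28

07/01/08-20:58:00.000000 192.0.2.11:3000 -> 198.51.100.7:80
TCP TTL:127 TOS:0x0 ID:35419 IpLen:20 DgmLen:48 DF
***A**** Seq: 0x00000001 Ack: 0x00000002 Win: 0xFFFF TcpLen: 20
"""

# Hosts we care about (constructed watchlist; only the C&C IP from the
# thread is listed so that its neighbour .26 is reported as 'neighbour').
WATCHLIST = {"216.8.177.23"}

# "07/01/08-20:56:55.976724 SRC:PORT -> DST:PORT"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# "******S* Seq: ..." : Snort prints the TCP flag byte as eight columns
# in the order 1 2 U A P R S F, with '*' for an unset flag.
FLAGS_RE = re.compile(r"^(?P<flags>[*12UAPRSF]{8})\s+Seq:")


def parse_alerts(text):
    """Yield one dict per alert record: timestamp, endpoints and TCP flags."""
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            if current:
                yield current
            current = {
                "ts": m.group("ts"),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "dport": int(m.group("dport")),
                "flags": "",
            }
            continue
        f = FLAGS_RE.match(line)
        if f and current is not None:
            current["flags"] = f.group("flags")
    if current:
        yield current


def classify_destination(dst, watchlist):
    """'listed' on an exact hit, 'neighbour' if in a watched host's /24."""
    addr = ip_address(dst)
    if dst in watchlist:
        return "listed"
    for w in watchlist:
        if addr in ip_network(f"{w}/24", strict=False):
            return "neighbour"
    return "unlisted"


def summarize(alerts, watchlist):
    """Count hits and bare SYN attempts per (dst, dport), with a status tag."""
    summary = defaultdict(lambda: {"hits": 0, "syn_attempts": 0, "status": ""})
    for a in alerts:
        entry = summary[(a["dst"], a["dport"])]
        entry["hits"] += 1
        # A SYN without ACK is the workstation initiating a new connection.
        if "S" in a["flags"] and "A" not in a["flags"]:
            entry["syn_attempts"] += 1
        entry["status"] = classify_destination(a["dst"], watchlist)
    return dict(summary)


if __name__ == "__main__":
    for (dst, dport), info in sorted(summarize(parse_alerts(SAMPLE_ALERTS), WATCHLIST).items()):
        print(f"{dst}:{dport:<5} hits={info['hits']} syn={info['syn_attempts']} {info['status']}")
```

Bare SYNs from an internal host to a listed or neighbouring destination are the signal worth acting on: they show the workstation itself opening the session, which is the behaviour Matt is asking about, rather than a stray response to inbound traffic. Feeding the script a day of alerts grouped by source host makes it easy to see which machines to pull offline first.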