[Emerging-Sigs] ET DROP Known Bot C&C Server Traffic --> 216.8.177.23
Matt Jonkman
jonkman at jonkmans.com
Thu Jul 10 17:46:51 EDT 2008
Ya, we do auto update that from shadowserver. I was trying to whitelist
the freenode servers. If anyone happens to notice one in there I haven't
whitelisted please let me know.
But ya, this is definitely a bad IP.
Matt
Philipp Bescht wrote:
> Hello Arthur,
>
> I am getting false positives on this sid too, mostly because of irc
> traffic to irc.freenode.org. I think this list is being automatically
> compiled from the shadowserver archives, so if there is a botnet c&c
> channel on freenode for example, the whole IP is being considered
> 'dangerous'.
>
> But when looking at the list of domains resolving to the IP you
> mentioned, there definitely is something suspicious about that:
> http://www.robtex.com/ip/216.8.177.23.html
>
> I would take a closer look at the system(s) on your network causing
> this traffic :)
>
> Regards,
> Philipp
>
>
>
> On Thu, 10 Jul 2008 12:27:26 -0300
> Arthur Boos Jr <boos at cpd.ufrgs.br> wrote:
>
>> Hello,
>>
>> Since some weeks ago, we started getting many hits on rule
>> "ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
>> with traffic going to 216.8.177.23 (ports 25, 80 and 443).
>> The related packet is:
>>
>> 07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 216.8.177.23:80
>> TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
>> ******S* Seq: 0x74043F2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
>> TCP Options (4) => MSS: 1460 NOP NOP SackOK
>>
>> I run some antivirus online on a few machines, but I could
>> not detect any bot infection. Has anyone got false positives
>> on events hitting that rule?
>>
>> Thanks,
>>
>> Arthur
>> UFRGS - BR
>> Universidade Federal do Rio Grande do Sul
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
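The thread describes two things a defender running these rules ends up doing: regenerating the C&C drop list from a feed while allowlisting legitimate IRC servers that share an address with a bot channel, and triaging an alert by checking where the destination sits relative to those lists. The following is an added example written for this page; it is not Emerging Threats' or Shadowserver's own tooling. The feed contents, the allowlist, the `10.0.0.5` source address and the `sid_base` of 2404000 (chosen so that group 7 lands on the page's SID 2404006) are all constructed placeholders.

```python
"""Added example (not from the Emerging Threats list or its tooling):
build a C&C drop list from a constructed feed minus an allowlist of
legitimate IRC servers, emit Snort-style rules, and triage the first
header line of a Snort alert against those lists.
Feed, allowlist, source IP and SID base are constructed placeholders."""
import ipaddress
import re

# Constructed sample feed: one address per line, '#' comments, one junk entry.
SAMPLE_FEED = """\
# constructed sample feed of reported C&C addresses
216.8.177.23
198.51.100.7
203.0.113.9
not-an-ip
"""

# Constructed allowlist: stands in for IRC servers (freenode in the thread)
# that a feed flags because a bot channel lives on a shared network.
SAMPLE_ALLOWLIST = {"198.51.100.7"}

# First header line of a Snort alert, e.g.
# 07/01/08-20:56:55.976724 10.0.0.5:2561 -> 216.8.177.23:80
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_feed(text):
    """Return the set of valid IPv4 addresses in the feed; skip comments and junk."""
    addrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addrs.add(str(ipaddress.IPv4Address(line)))
        except ValueError:
            continue  # malformed feed entry, never turn it into a rule
    return addrs


def build_blocklist(feed_text, allowlist):
    """Feed addresses minus the allowlist, sorted numerically for stable rule output."""
    return sorted(parse_feed(feed_text) - set(allowlist), key=ipaddress.IPv4Address)


def render_rules(blocklist, sid_base, per_rule=2):
    """One rule per chunk of addresses; group N gets sid_base + N - 1.
    per_rule is kept tiny here so the grouping is visible; real lists use far more."""
    rules = []
    for i in range(0, len(blocklist), per_rule):
        chunk = blocklist[i:i + per_rule]
        group = i // per_rule + 1
        rules.append(
            'alert ip $HOME_NET any -> [%s] any (msg:"ET DROP Known Bot C&C Server '
            'Traffic (group %d)"; classtype:trojan-activity; sid:%d; rev:1;)'
            % (",".join(chunk), group, sid_base + group - 1)
        )
    return rules


def triage_alert(line, blocklist, allowlist):
    """Classify the destination of an alert header line, or None if unparseable.
    'allowlisted' means the hit is very likely a feed false positive;
    'blocklisted' means the host that sent it deserves a closer look."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    dst = m.group("dst")
    if dst in allowlist:
        verdict = "allowlisted"
    elif dst in set(blocklist):
        verdict = "blocklisted"
    else:
        verdict = "unknown"
    return {"src": m.group("src"), "dst": dst,
            "dport": int(m.group("dport")), "verdict": verdict}


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_FEED, SAMPLE_ALLOWLIST)
    for rule in render_rules(bl, sid_base=2404000):
        print(rule)
    # Constructed alert line modelled on the one quoted in the thread.
    print(triage_alert("07/01/08-20:56:55.976724 10.0.0.5:2561 -> 216.8.177.23:80",
                       bl, SAMPLE_ALLOWLIST))
```

The allowlist is subtracted before rules are rendered, so a re-run against a fresh feed never re-introduces the IRC servers; the triage step uses the same lists, which is what makes "is this hit a feed artifact or a real host to inspect" answerable without rereading the rule file.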