[Emerging-Sigs] ET DROP Known Bot C&C Server Traffic --> 216.8.177.23
Philipp Bescht
philipp at bescht.de
Fri Jul 11 05:45:35 EDT 2008
Hi Matt,
Regarding the False Positives on freenode servers:
philipp at desktop ~/et-rules $ for i in $(dig +short irc.freenode.org); do
    # -F -w: match the address as a fixed, whole word so its dots are not regex wildcards
    l=$(grep -Fw "$i" emerging-botcc.rules)
    # print the 5th ';'-separated field of the matching rule (the sid) followed by the IP
    if [[ $l ]]; then echo "$(echo $l | cut -d ';' -f 5)" "$i"; fi
done | sort
sid:2404000 130.239.18.172
sid:2404000 140.211.166.3
sid:2404000 154.35.200.44
sid:2404002 204.11.244.21
sid:2404003 207.158.1.150
sid:2404004 209.177.146.34
sid:2404006 216.155.130.130
sid:2404008 64.161.254.20
sid:2404020 89.16.176.16
Regards,
Philipp
On Thu, 10 Jul 2008 17:46:51 -0400
Matt Jonkman <jonkman at jonkmans.com> wrote:
> Ya, we do auto update that from shadowserver. I was trying to
> whitelist the freenode servers. If anyone happens to notice one in
> there I haven't whitelisted please let me know.
>
> But ya, this is definitely a bad IP.
>
> Matt
>
> Philipp Bescht wrote:
> > Hello Arthur,
> >
> > I am getting false positives on this sid too, mostly because of irc
> > traffic to irc.freenode.org. I think this list is being
> > automatically compiled from the shadowserver archives, so if there
> > is a botnet c&c channel on freenode for example, the whole IP is
> > being considered 'dangerous'.
> >
> > But when looking at the list of domains resolving to the IP you
> > mentioned, there definitely is something suspicious about that:
> > http://www.robtex.com/ip/216.8.177.23.html
> >
> > I would take a closer look at the system(s) on your network causing
> > this traffic :)
> >
> > Regards,
> > Philipp
> >
> >
> >
> > On Thu, 10 Jul 2008 12:27:26 -0300
> > Arthur Boos Jr <boos at cpd.ufrgs.br> wrote:
> >
> >> Hello,
> >>
> >> Since some weeks ago, we started getting many hits on rule
> >> "ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
> >> with traffic going to 216.8.177.23 (ports 25, 80 and 443).
> >> The related packet is:
> >>
> >> 07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 216.8.177.23:80
> >> TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
> >> ******S* Seq: 0x74043F2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
> >> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> >>
> >> I run some antivirus online on a few machines, but I could
> >> not detect any bot infection. Has anyone got false positives
> >> on events hitting that rule ?
> >>
> >> Thanks,
> >>
> >> Arthur
> >> UFRGS - BR
> >> Universidade Federal do Rio Grande do Sul
> >>
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
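The check run above resolves the IRC server's addresses and greps each one out of emerging-botcc.rules, and the follow-up was to whitelist those addresses out of the rule lists. The script below is an added example, not code from this thread or from the Emerging Threats project: it parses the bracketed destination list and the sid out of each rule line with a regex instead of relying on a fixed ';' field position, reports which sids contain a given address by exact comparison, and writes back a copy of the rules with the allowed addresses removed. SAMPLE_RULES are constructed lines in the shape of the botcc rules (the real file's option order is not reproduced), and RESOLVED_IPS is a constructed stand-in for `dig +short irc.freenode.org` output so the script runs offline.

```python
"""Check resolved server addresses against ET botcc-style rule lines and
emit a whitelisted copy of the rules.

Added example, not from the mailing-list thread. SAMPLE_RULES and
RESOLVED_IPS are constructed so this runs offline; the real
emerging-botcc.rules lines and real dig output differ.
"""
import re

# Constructed rule lines in the style of emerging-botcc.rules. Only the shape
# "-> [ip,ip,...] any ( ... sid:NNN; ... )" is relied on, not the option order.
SAMPLE_RULES = """\
alert ip $HOME_NET any -> [130.239.18.172,154.35.200.44,198.51.100.7] any (msg:"ET DROP Known Bot C&C Server Traffic (group 1) "; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; classtype:trojan-activity; sid:2404000; rev:1;)
alert ip $HOME_NET any -> [204.11.244.21,203.0.113.9] any (msg:"ET DROP Known Bot C&C Server Traffic (group 2) "; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; classtype:trojan-activity; sid:2404002; rev:1;)
alert ip $HOME_NET any -> [216.8.177.23,192.0.2.55] any (msg:"ET DROP Known Bot C&C Server Traffic (group 7) "; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; classtype:trojan-activity; sid:2404006; rev:1;)
"""

# Constructed stand-in for `dig +short irc.freenode.org`; the last address is
# in no rule so the non-match path is exercised.
RESOLVED_IPS = ["130.239.18.172", "154.35.200.44", "204.11.244.21", "10.0.0.1"]

# head: up to and including the opening "[", ips: the list body,
# tail: the rest of the rule, from which the sid is captured.
RULE_RE = re.compile(
    r"^(?P<head>.*?->\s*\[)(?P<ips>[^\]]*)"
    r"(?P<tail>\]\s+any\s+\(.*\bsid:(?P<sid>\d+);.*)$"
)


def _split_ips(list_body):
    """Turn the text between the brackets into a list of address strings."""
    return [ip.strip() for ip in list_body.split(",") if ip.strip()]


def parse_rules(rules_text):
    """Yield (sid, [ip, ...]) for every rule line with a bracketed destination list."""
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            yield m.group("sid"), _split_ips(m.group("ips"))


def find_hits(rules_text, candidate_ips):
    """Map each candidate IP to the sorted sids whose destination list contains it.

    Membership is an exact string comparison, so 130.239.18.172 does not
    match 130.239.18.1720 the way an unanchored grep pattern would.
    """
    wanted = set(candidate_ips)
    hits = {}
    for sid, ips in parse_rules(rules_text):
        for ip in ips:
            if ip in wanted:
                hits.setdefault(ip, []).append(sid)
    return {ip: sorted(sids) for ip, sids in hits.items()}


def whitelist(rules_text, allowed_ips):
    """Return the rules with allowed_ips removed from every destination list.

    Lines that are not botcc-style rules (comments, blanks) pass through
    unchanged. A rule whose list would become empty is dropped, since
    "-> [] any" is not a valid address list.
    """
    allowed = set(allowed_ips)
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)
            continue
        keep = [ip for ip in _split_ips(m.group("ips")) if ip not in allowed]
        if not keep:
            continue
        out.append(m.group("head") + ",".join(keep) + m.group("tail"))
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    for ip, sids in sorted(find_hits(SAMPLE_RULES, RESOLVED_IPS).items()):
        print(" ".join("sid:" + s for s in sids), ip)
    print(whitelist(SAMPLE_RULES, RESOLVED_IPS), end="")
```

In practice RESOLVED_IPS would be filled from `dig +short` and SAMPLE_RULES read from the downloaded file; the whitelisted output should be written to a separate file and re-checked with find_hits before it is loaded, so a rule that lost all of its addresses is noticed rather than silently missing.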