[Emerging-Sigs] ET DROP Known Bot C&C Server Traffic --> 216.8.177.23

Matt Jonkman jonkman at jonkmans.com
Fri Jul 11 07:45:24 EDT 2008


Added those, thanks Philipp.

Matt

Philipp Bescht wrote:
> Hi Matt,
> 
> Regarding the False Positives on freenode servers:
> 
> philipp at desktop ~/et-rules $ for i in `dig +short irc.freenode.org`; do
> l=$(grep $i emerging-botcc.rules); if [[ $l ]]; then echo `echo $l |
> cut -d ';' -f 5` $i; fi; done | sort
> sid:2404000 130.239.18.172
> sid:2404000 140.211.166.3
> sid:2404000 154.35.200.44
> sid:2404002 204.11.244.21
> sid:2404003 207.158.1.150
> sid:2404004 209.177.146.34
> sid:2404006 216.155.130.130
> sid:2404008 64.161.254.20
> sid:2404020 89.16.176.16
> 
> 
> Regards,
> Philipp
> 
> 
> 
> On Thu, 10 Jul 2008 17:46:51 -0400
> Matt Jonkman <jonkman at jonkmans.com> wrote:
> 
>> Ya, we do auto update that from shadowserver. I was trying to
>> whitelist the freenode servers. If anyone happens to notice one in
>> there I haven't whitelisted please let me know.
>>
>> But ya, this is definitely a bad IP.
>>
>> Matt
>>
>> Philipp Bescht wrote:
>>> Hello Arthur,
>>>
>>> I am getting false positives on this sid too, mostly because of irc
>>> traffic to irc.freenode.org. I think this list is being
>>> automatically compiled from the shadowserver archives, so if there
>>> is a botnet c&c channel on freenode for example, the whole IP is
>>> being considered 'dangerous'.
>>>
>>> But when looking at the list of domains resolving to the IP you
>>> mentioned, there definitely is something suspicious about that:
>>> http://www.robtex.com/ip/216.8.177.23.html
>>>
>>> I would take a closer look at the system(s) on your network causing
>>> this traffic :)
>>>
>>> Regards,
>>> Philipp
>>>
>>>
>>>
>>> On Thu, 10 Jul 2008 12:27:26 -0300
>>> Arthur Boos Jr <boos at cpd.ufrgs.br> wrote:
>>>
>>>> Hello,
>>>>
>>>>    Since some weeks ago, we started getting many hits on rule
>>>> "ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
>>>> with traffic going to 216.8.177.23 (ports 25, 80 and 443).
>>>> The related packet is:
>>>>
>>>> 07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 216.8.177.23:80
>>>> TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
>>>> ******S* Seq: 0x74043F2B  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
>>>> TCP Options (4) => MSS: 1460 NOP NOP SackOK
>>>>
>>>>    I run some antivirus online on a few machines, but I could
>>>> not detect any bot infection. Has anyone got false positives
>>>> on events hitting that rule?
>>>>
>>>>    Thanks,
>>>>
>>>> Arthur
>>>> UFRGS - BR
>>>> Universidade Federal do Rio Grande do Sul
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
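The shell one-liner quoted above does the right thing in spirit (resolve the IRC server, look each address up in the botcc rule set, print the matching sid) but `grep $i` is a substring match, so an address like 64.161.254.2 would also "match" a rule listing 64.161.254.20. The following script is an added example, not code from the list or from Emerging Threats: it parses rules in the style of emerging-botcc.rules (the sample rules and the known-good address list are constructed here, with sid numbers borrowed from the thread), matches addresses exactly against the parsed destination list, and emits Snort/Suricata `suppress` entries scoped to the destination IP so the overlap can be whitelisted without disabling the whole rule.

```python
import ipaddress
import re
import socket
import sys
from collections import defaultdict

# Constructed sample in the style of emerging-botcc.rules; NOT the real file.
# Addresses are documentation ranges plus a few values from the thread.
SAMPLE_RULES = """\
alert ip $HOME_NET any -> [130.239.18.172,204.11.244.21,198.51.100.7] any (msg:"ET DROP Known Bot C&C Server Traffic (group 0)"; flags:S; classtype:trojan-activity; sid:2404000; rev:100;)
alert ip $HOME_NET any -> [216.155.130.130,203.0.113.9] any (msg:"ET DROP Known Bot C&C Server Traffic (group 6)"; flags:S; classtype:trojan-activity; sid:2404006; rev:100;)
alert ip $HOME_NET any -> [64.161.254.20,192.0.2.20] any (msg:"ET DROP Known Bot C&C Server Traffic (group 8)"; flags:S; classtype:trojan-activity; sid:2404008; rev:100;)
"""

# Constructed stand-in for `dig +short irc.freenode.org` output.
# 64.161.254.2 is included to show the substring trap: it is NOT 64.161.254.20.
SAMPLE_KNOWN_GOOD = ["130.239.18.172", "216.155.130.130", "64.161.254.2", "8.8.8.8"]

# Destination list in square brackets, then dest port, then the option block.
RULE_RE = re.compile(r'->\s*\[([^\]]+)\]\s+\S+\s+\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def parse_rules(text):
    """Return {sid: set of ip_network} for each rule with a bracketed destination list."""
    sids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.search(line)
        if not m:
            continue
        sid_m = SID_RE.search(m.group('opts'))
        if not sid_m:
            continue
        nets = set()
        for tok in m.group(1).split(','):
            try:
                # Accept both bare addresses and CIDR blocks.
                nets.add(ipaddress.ip_network(tok.strip(), strict=False))
            except ValueError:
                continue  # skip anything that is not an address/block
        sids[int(sid_m.group(1))] = nets
    return sids


def find_overlaps(sids, known_good):
    """Map sid -> set of known-good addresses contained in that rule's destination list.

    Containment is checked on parsed addresses, so 64.161.254.2 never matches 64.161.254.20.
    """
    hits = defaultdict(set)
    for ip_str in known_good:
        ip = ipaddress.ip_address(ip_str)
        for sid, nets in sids.items():
            if any(ip in net for net in nets):
                hits[sid].add(ip_str)
    return dict(hits)


def suppress_lines(overlaps, gen_id=1):
    """Emit threshold.conf 'suppress' entries, one per (sid, destination IP) overlap."""
    lines = []
    for sid in sorted(overlaps):
        for ip in sorted(overlaps[sid], key=ipaddress.ip_address):
            lines.append(f"suppress gen_id {gen_id}, sig_id {sid}, track by_dst, ip {ip}")
    return lines


if __name__ == "__main__":
    # Usage: python check_botcc.py emerging-botcc.rules irc.freenode.org
    # With no arguments the constructed sample data above is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            rules = parse_rules(fh.read())
        known_good = socket.gethostbyname_ex(sys.argv[2])[2]
    else:
        rules, known_good = parse_rules(SAMPLE_RULES), SAMPLE_KNOWN_GOOD
    for line in suppress_lines(find_overlaps(rules, known_good)):
        print(line)
```

Running it on the constructed data reports only sid 2404000 (130.239.18.172) and sid 2404006 (216.155.130.130); 64.161.254.2 is correctly left alone. The `suppress ... track by_dst` form is deliberate: it silences the alert only for traffic to the server that was confirmed benign, and leaves every other address in that group (which, as the thread notes, includes genuinely bad hosts such as the one Arthur reported) enforced.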



