[Emerging-Sigs] ET DROP Known Bot C&C Server Traffic --> 216.8.177.23
Arthur Boos Jr
boos at cpd.ufrgs.br
Fri Jul 11 13:55:59 EDT 2008
Hello,
Thanks for the answers! Yes, I ran a few more online AV scans,
but nothing was detected. With tons of domains resolving to
that IP, it's possible to trigger the rule just by loading a malicious
page. I found one when I was googling. Usually, an infected
computer tries to connect to a C&C server on a regular basis,
am I right? But most of my systems triggered that sid just
once (or twice, on one occasion), so there isn't much traffic
to see. Perhaps by monitoring the DNS queries I can find something
interesting... Any other ideas?
PS: Nice whitelist solution!
Regards,
Arthur
UFRGS - BR
Universidade Federal do Rio Grande do Sul
Philipp Bescht wrote:
> Apart from freenode ips, there are also other big irc networks
> included, for example:
>
> tux at notebook ~ $ for i in `dig +short irc.undernet.org`; do if
> [ "$(grep $i emerging-botcc.rules)" ]; then if [ ! "$(grep $i
> emerging-botcc.excluded)" ]; then echo "$i"; fi; fi; done
> 64.18.128.86
> 66.186.59.50
> 69.16.172.40
> 161.53.178.240
> 193.109.122.67
> 195.47.220.2
> 208.83.20.130
> 217.168.95.245
> 38.114.116.5
>
> Same for dal.net, quakenet and others.
> Sorry, just found out about the .excluded file. Wonder why I haven't
> seen it before :D
>
> Regards,
> Philipp
>
>
>
>
> On Fri, 11 Jul 2008 07:45:24 -0400
> Matt Jonkman <jonkman at jonkmans.com> wrote:
>
>> Added those, thanks Philipp.
>>
>> Matt
>>
>> Philipp Bescht wrote:
>>> Hi Matt,
>>>
>>> Regarding the False Positives on freenode servers:
>>>
>>> philipp at desktop ~/et-rules $ for i in `dig +short
>>> irc.freenode.org`; do l=$(grep $i emerging-botcc.rules); if
>>> [[ $l ]]; then echo `echo $l | cut -d ';' -f 5` $i; fi; done | sort
>>> sid:2404000 130.239.18.172
>>> sid:2404000 140.211.166.3
>>> sid:2404000 154.35.200.44
>>> sid:2404002 204.11.244.21
>>> sid:2404003 207.158.1.150
>>> sid:2404004 209.177.146.34
>>> sid:2404006 216.155.130.130
>>> sid:2404008 64.161.254.20
>>> sid:2404020 89.16.176.16
>>>
>>>
>>> Regards,
>>> Philipp
>>>
>>>
>>>
>>> On Thu, 10 Jul 2008 17:46:51 -0400
>>> Matt Jonkman <jonkman at jonkmans.com> wrote:
>>>
>>>> Ya, we do auto update that from shadowserver. I was trying to
>>>> whitelist the freenode servers. If anyone happens to notice one in
>>>> there I haven't whitelisted please let me know.
>>>>
>>>> But ya, this is definitely a bad IP.
>>>>
>>>> Matt
>>>>
>>>> Philipp Bescht wrote:
>>>>> Hello Arthur,
>>>>>
>>>>> I am getting false positives on this sid too, mostly because of
>>>>> irc traffic to irc.freenode.org. I think this list is being
>>>>> automatically compiled from the shadowserver archives, so if there
>>>>> is a botnet c&c channel on freenode for example, the whole IP is
>>>>> being considered 'dangerous'.
>>>>>
>>>>> But when looking at the list of domains resolving to the IP you
>>>>> mentioned, there definitely is something suspicious about that:
>>>>> http://www.robtex.com/ip/216.8.177.23.html
>>>>>
>>>>> I would take a closer look at the system(s) on your network
>>>>> causing this traffic :)
>>>>>
>>>>> Regards,
>>>>> Philipp
>>>>>
>>>>>
>>>>>
>>>>> On Thu, 10 Jul 2008 12:27:26 -0300
>>>>> Arthur Boos Jr <boos at cpd.ufrgs.br> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Since some weeks ago, we started getting many hits on rule
>>>>>> "ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
>>>>>> with traffic going to 216.8.177.23 (ports 25, 80 and 443).
>>>>>> The related packet is:
>>>>>>
>>>>>> 07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 216.8.177.23:80
>>>>>> TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
>>>>>> ******S* Seq: 0x74043F2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
>>>>>> TCP Options (4) => MSS: 1460 NOP NOP SackOK
>>>>>>
>>>>>> I ran some online antivirus scans on a few machines, but I could
>>>>>> not detect any bot infection. Has anyone got false positives
>>>>>> on events hitting that rule?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Arthur
>>>>>> UFRGS - BR
>>>>>> Universidade Federal do Rio Grande do Sul
>>>>>>
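As an added example (not part of this thread, and not code from the Emerging Threats project): a POSIX shell version of the whitelist check Philipp posted, written so that addresses are matched as whole tokens (plain `grep $i` treats "." as a regex wildcard and lets 64.18.128.8 match inside 64.18.128.86) and so that anything listed in emerging-botcc.excluded is skipped. The rule lines, the excluded-file layout (one address per line) and the sample addresses below are constructed for the demonstration and are assumptions; in real use, point the function at the actual rule files and feed it the output of `dig +short irc.example.org` in place of the literal addresses.

```shell
#!/bin/sh
# Added example: check IP addresses against emerging-botcc.rules while
# honouring emerging-botcc.excluded, matching whole addresses only.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RULES="$WORK/emerging-botcc.rules"
EXCLUDED="$WORK/emerging-botcc.excluded"

# Constructed sample rule lines. They only mimic the general shape of a
# botcc rule (address list, msg, sid); the addresses are illustrative.
cat > "$RULES" <<'EOF'
alert ip $HOME_NET any -> [64.18.128.86,192.0.2.10] any (msg:"ET DROP Known Bot C&C Server Traffic (group 7)"; classtype:trojan-activity; sid:2404006; rev:1;)
alert ip $HOME_NET any -> [198.51.100.7,64.18.128.8] any (msg:"ET DROP Known Bot C&C Server Traffic (group 9)"; classtype:trojan-activity; sid:2404008; rev:1;)
EOF

# Constructed excluded file (assumed layout: one whitelisted address per line).
cat > "$EXCLUDED" <<'EOF'
64.18.128.86
EOF

# find_listed_ips RULES EXCLUDED ip...
# Prints "sid:<n> <ip>" for every address that occurs in a rule line and is
# not whitelisted in the excluded file.
find_listed_ips() {
    rules=$1; excluded=$2; shift 2
    for ip in "$@"; do
        # Escape the dots so they are literal, then anchor the address
        # between characters that cannot be part of an address.
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
        pat="(^|[^0-9.])$esc([^0-9.]|"'$)'
        if grep -Eq "$pat" "$excluded"; then
            continue
        fi
        grep -E "$pat" "$rules" | while IFS= read -r line; do
            sid=$(printf '%s\n' "$line" | sed -n 's/.*\(sid:[0-9]*\).*/\1/p')
            printf '%s %s\n' "$sid" "$ip"
        done
    done
}

# Stand-alone run: one whitelisted address, one near-miss, one hit, one miss.
find_listed_ips "$RULES" "$EXCLUDED" 64.18.128.86 64.18.128.8 192.0.2.10 203.0.113.5
```

The near-miss case is the important one: with the page's `grep $i` form, checking 64.18.128.8 would also report the sid carrying 64.18.128.86, so a server that really is whitelisted could look like a new false positive, and a listed address could be hidden behind a whitelisted neighbour.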