[Emerging-Sigs] ET DROP Known Bot C&C Server Traffic --> 216.8.177.23
Arthur Boos Jr
boos at cpd.ufrgs.br
Fri Jul 11 17:22:47 EDT 2008
Hi Andre,
I used procexp, autoruns and tcpview (very nice tools from
ex-sysinternals) and fport, but I couldn't find anything suspicious. :/
Thanks.
Arthur
UFRGS - BR
Universidade Federal do Rio Grande do Sul
Andre Ludwig wrote:
> You can use process explorer (from ms) to look at the ports used by each
> binary, see if something stands out on that machine.
>
> Andre
>
> On Fri, Jul 11, 2008 at 1:55 PM, Arthur Boos Jr <boos at cpd.ufrgs.br> wrote:
>
> Hello,
>
> Thanks for the answers! Yes, I ran a few more AV online,
> but nothing was detected. With tons of domains resolving to
> that IP, it's possible to trigger the rule just by loading a malicious
> page. I found one when I was googling. Usually, an infected
> computer tries to connect to a C&C server on a regular basis,
> am I right? But most of my systems triggered that sid just
> once (or twice, on one occasion), so there isn't much traffic
> to see. Perhaps by monitoring the DNS queries I can find something
> interesting... Any other ideas?
>
> PS: Nice whitelist solution!
>
> Regards,
>
> Arthur
> UFRGS - BR
> Universidade Federal do Rio Grande do Sul
>
> Philipp Bescht wrote:
> > Apart from freenode ips, there are also other big irc networks
> > included, for example:
> >
> > tux at notebook ~ $ for i in `dig +short irc.undernet.org`; do \
> >     if [ "$(grep -Fw "$i" emerging-botcc.rules)" ]; then \
> >         if [ ! "$(grep -Fw "$i" emerging-botcc.excluded)" ]; then echo "$i"; fi; \
> >     fi; done
> > 64.18.128.86
> > 66.186.59.50
> > 69.16.172.40
> > 161.53.178.240
> > 193.109.122.67
> > 195.47.220.2
> > 208.83.20.130
> > 217.168.95.245
> > 38.114.116.5
> >
> > Same for dal.net, quakenet and others.
> > Sorry, just found out about the .excluded file. Wonder why I haven't
> > seen it before :D
> >
> > Regards,
> > Philipp
> >
> >
> >
> >
> > On Fri, 11 Jul 2008 07:45:24 -0400
> > Matt Jonkman <jonkman at jonkmans.com> wrote:
> >
> >> Added those, thanks Philipp.
> >>
> >> Matt
> >>
> >> Philipp Bescht wrote:
> >>> Hi Matt,
> >>>
> >>> Regarding the False Positives on freenode servers:
> >>>
> >>> philipp at desktop ~/et-rules $ for i in `dig +short irc.freenode.org`; do \
> >>>     l=$(grep -Fw "$i" emerging-botcc.rules); \
> >>>     if [[ $l ]]; then echo `echo $l | cut -d ';' -f 5` $i; fi; \
> >>> done | sort
> >>> sid:2404000 130.239.18.172
> >>> sid:2404000 140.211.166.3
> >>> sid:2404000 154.35.200.44
> >>> sid:2404002 204.11.244.21
> >>> sid:2404003 207.158.1.150
> >>> sid:2404004 209.177.146.34
> >>> sid:2404006 216.155.130.130
> >>> sid:2404008 64.161.254.20
> >>> sid:2404020 89.16.176.16
> >>>
> >>>
> >>> Regards,
> >>> Philipp
> >>>
> >>>
> >>>
> >>> On Thu, 10 Jul 2008 17:46:51 -0400
> >>> Matt Jonkman <jonkman at jonkmans.com> wrote:
> >>>
> >>>> Ya, we do auto update that from shadowserver. I was trying to
> >>>> whitelist the freenode servers. If anyone happens to notice one in
> >>>> there I haven't whitelisted please let me know.
> >>>>
> >>>> But ya, this is definitely a bad IP.
> >>>>
> >>>> Matt
> >>>>
> >>>> Philipp Bescht wrote:
> >>>>> Hello Arthur,
> >>>>>
> >>>>> I am getting false positives on this sid too, mostly because of
> >>>>> irc traffic to irc.freenode.org. I think this list is being
> >>>>> automatically compiled from the shadowserver archives, so if there
> >>>>> is a botnet c&c channel on freenode for example, the whole IP is
> >>>>> being considered 'dangerous'.
> >>>>>
> >>>>> But when looking at the list of domains resolving to the IP you
> >>>>> mentioned, there definitely is something suspicious about that:
> >>>>> http://www.robtex.com/ip/216.8.177.23.html
> >>>>>
> >>>>> I would take a closer look at the system(s) on your network
> >>>>> causing this traffic :)
> >>>>>
> >>>>> Regards,
> >>>>> Philipp
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Thu, 10 Jul 2008 12:27:26 -0300
> >>>>> Arthur Boos Jr <boos at cpd.ufrgs.br> wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> A few weeks ago, we started getting many hits on rule
> >>>>>> "ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
> >>>>>> with traffic going to 216.8.177.23 (ports 25, 80 and 443).
> >>>>>> The related packet is:
> >>>>>>
> >>>>>> 07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 216.8.177.23:80
> >>>>>> TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
> >>>>>> ******S* Seq: 0x74043F2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
> >>>>>> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> >>>>>>
> >>>>>> I ran some antivirus online on a few machines, but I could
> >>>>>> not detect any bot infection. Has anyone got false positives
> >>>>>> on events hitting that rule?
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Arthur
> >>>>>> UFRGS - BR
> >>>>>> Universidade Federal do Rio Grande do Sul
> >>>>>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> <mailto:Emerging-sigs at emergingthreats.net>
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
--
---------------------------------
Ufrgs - CPD
Divisão de Engenharia de Redes
GSTI - Grupo de Segurança em TI
---------------------------------
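The check Philipp runs in the thread (which resolved IPs of a legitimate IRC network appear in emerging-botcc.rules but not yet in emerging-botcc.excluded), as an added example that is not from the list or from any poster: it parses the rule's destination list and matches whole addresses, so 192.0.2.1 does not count as a hit for 192.0.2.10 the way an unanchored grep would. The rule lines, the .excluded file and the stand-in for `dig +short` output are constructed samples, not the real ET files.

```python
import ipaddress
import re

# Constructed samples (not the real ET files): two botcc "group" rules in the
# rule syntax the thread refers to, and a one-entry .excluded whitelist.
SAMPLE_RULES = """\
# emerging-botcc.rules (constructed excerpt)
alert ip $HOME_NET any -> [192.0.2.10,198.51.100.7] any (msg:"ET DROP Known Bot C&C Server Traffic (group 7)"; flags:S; classtype:trojan-activity; sid:2404006; rev:1;)
alert ip $HOME_NET any -> [203.0.113.44,192.0.2.100] any (msg:"ET DROP Known Bot C&C Server Traffic (group 9)"; flags:S; classtype:trojan-activity; sid:2404008; rev:1;)
"""
SAMPLE_EXCLUDED = "# emerging-botcc.excluded (constructed)\n203.0.113.44\n"
# Stand-in for the output of `dig +short irc.example.net` (constructed).
SAMPLE_RESOLVED = ["192.0.2.10", "203.0.113.44", "198.51.100.99", "192.0.2.1"]


def parse_rules(rules_text):
    """Map every destination address listed in a botcc rule to that rule's sid."""
    ip_to_sid = {}
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        sid = re.search(r"\bsid:(\d+);", line)
        dests = re.search(r"->\s*\[([^\]]+)\]", line)
        if sid and dests:
            for ip in dests.group(1).split(","):
                ip_to_sid[ipaddress.ip_address(ip.strip())] = int(sid.group(1))
    return ip_to_sid


def load_excluded(excluded_text):
    """One whitelisted address per line; comments and blank lines are ignored."""
    return {ipaddress.ip_address(l.strip()) for l in excluded_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def sid_for(ip_str, rules_text):
    """sid of the rule listing ip_str exactly, or None (no substring matches)."""
    return parse_rules(rules_text).get(ipaddress.ip_address(ip_str))


def unexcluded_hits(resolved_ips, rules_text, excluded_text):
    """(sid, ip) pairs for resolved addresses that a rule lists and the
    .excluded whitelist does not yet cover, sorted like the thread's output."""
    ip_to_sid = parse_rules(rules_text)
    excluded = load_excluded(excluded_text)
    hits = []
    for raw in resolved_ips:
        ip = ipaddress.ip_address(raw)
        if ip in ip_to_sid and ip not in excluded:
            hits.append((ip_to_sid[ip], str(ip)))
    return sorted(hits)


if __name__ == "__main__":
    for sid, ip in unexcluded_hits(SAMPLE_RESOLVED, SAMPLE_RULES, SAMPLE_EXCLUDED):
        print(f"sid:{sid} {ip}")  # candidate to add to emerging-botcc.excluded
```

With the constructed input only 192.0.2.10 is reported: 203.0.113.44 is already excluded, 198.51.100.99 is in no rule, and 192.0.2.1 is not a listed address even though it is a substring of two that are.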