[Emerging-Sigs] All these have been seen on bot C&C channel.
Matt Jonkman
jonkman at jonkmans.com
Thu Mar 13 15:14:23 EST 2008
Were these all clients that were infected?
What was the malware type, if you know?
Thanks Jart. Will fold these into the compromised list for 24 hours or so.
Matt
Jart Armin wrote:
> Hi All!
>
> I've got some logs from a compromised server, via dan @ interspace.
> These logs are from eggdrop-alike servers.
>
>
>
> Jart
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc