[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

Subject: [Snort-sigs] Bleeding Edge Threats Daily Signature Changes
Date: Fri, 5 Oct 2007 00:00:17 +0000 (UTC)

[***] Results from Oinkmaster started Fri Oct  5 00:00:17 2007 [***]

[+++]          Added rules:          [+++]

 2007620 - BLEEDING-EDGE TROJAN Zlob Updating via HTTP (v2) (bleeding-virus.rules)
 2007621 - BLEEDING-EDGE TROJAN Kaiten IRCbotnet login (bleeding-virus.rules)
 2007622 - BLEEDING-EDGE TROJAN Kaiten IRCbotnet Response (bleeding-virus.rules)
 2007623 - BLEEDING-EDGE TROJAN Kaiten IRCbotnet Commands (bleeding-virus.rules)
 2007624 - BLEEDING-EDGE TROJAN Pitbull IRCbotnet Response (bleeding-virus.rules)
 2007625 - BLEEDING-EDGE TROJAN Pitbull IRCbotnet Commands (bleeding-virus.rules)
 2007626 - BLEEDING-EDGE TROJAN Pitbull IRCbotnet Fetch (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2003302 - BLEEDING-EDGE TROJAN psyBNC IRC Server Connection (bleeding-virus.rules)
 2007568 - BLEEDING-EDGE TROJAN Zlob Updating via HTTP (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (24):
        2003302 || BLEEDING-EDGE TROJAN psyBNC IRC Server Connection || url,en.wikipedia.org/wiki/PsyBNC
        2007620 || BLEEDING-EDGE TROJAN Zlob Updating via HTTP (v2)
        2007621 || BLEEDING-EDGE TROJAN Kaiten IRCbotnet login || url,en.wikipedia.org/wiki/IRC_bot
        2007622 || BLEEDING-EDGE TROJAN Kaiten IRCbotnet Response || url,en.wikipedia.org/wiki/IRC_bot
        2007623 || BLEEDING-EDGE TROJAN Kaiten IRCbotnet Commands || url,en.wikipedia.org/wiki/IRC_bot
        2007624 || BLEEDING-EDGE TROJAN Pitbull IRCbotnet Response || url,en.wikipedia.org/wiki/IRC_bot
        2007625 || BLEEDING-EDGE TROJAN Pitbull IRCbotnet Commands || url,en.wikipedia.org/wiki/IRC_bot
        2007626 || BLEEDING-EDGE TROJAN Pitbull IRCbotnet Fetch || url,en.wikipedia.org/wiki/IRC_bot
        2500517 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (518) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500518 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (519) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500519 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (520) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500520 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (521) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500521 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (522) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500522 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (523) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (524) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (525) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510517 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (518) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510518 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (519) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510519 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (520) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510520 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (521) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510521 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (522) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (523) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (524) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (525) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts

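The sid-msg.map entries above follow Snort's "sid || msg [|| reference ...]" format, and this digest also shows one entry (2003302) being removed and re-added with a reference, which is really a modification. What follows is an added example, not part of this post, of Oinkmaster or of the Bleeding Edge ruleset: a small Python parser for that format plus a diff of two parsed maps, run over a constructed subset of the entries listed in this digest.

```python
"""Parse Snort sid-msg.map lines and diff two parsed maps.

Added example, not from the Bleeding Edge Threats ruleset or Oinkmaster.
Format handled: "sid || msg [|| reftype,refvalue ...]".  The sample text
below is constructed from a few of the entries reported in this digest.
"""
from dataclasses import dataclass, field

# Constructed sample: a subset of the "Added to bleeding-sid-msg.map" entries.
SAMPLE_MAP = """\
2003302 || BLEEDING-EDGE TROJAN psyBNC IRC Server Connection || url,en.wikipedia.org/wiki/PsyBNC
2007620 || BLEEDING-EDGE TROJAN Zlob Updating via HTTP (v2)
2007621 || BLEEDING-EDGE TROJAN Kaiten IRCbotnet login || url,en.wikipedia.org/wiki/IRC_bot
2510517 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (518) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
"""

# Constructed sample: the single entry the digest reports as removed.
OLD_MAP = "2003302 || BLEEDING-EDGE TROJAN psyBNC IRC Server Connection\n"


@dataclass
class MapEntry:
    sid: int
    msg: str
    refs: list = field(default_factory=list)  # list of (reftype, value) tuples


def parse_sid_msg_map(text):
    """Return {sid: MapEntry}; raise ValueError on malformed or duplicate lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 2 or not parts[0].isdigit():
            raise ValueError(f"line {lineno}: malformed sid-msg.map entry: {raw!r}")
        sid = int(parts[0])
        if sid in entries:
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        refs = []
        for ref in parts[2:]:
            # A reference is "type,value", e.g. "url,en.wikipedia.org/wiki/IRC_bot".
            rtype, _, rvalue = ref.partition(",")
            refs.append((rtype.strip(), rvalue.strip()))
        entries[sid] = MapEntry(sid, parts[1], refs)
    return entries


def diff_maps(old, new):
    """Return (added sids, removed sids, changed sids) between two parsed maps."""
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = sorted(s for s in old.keys() & new.keys() if old[s] != new[s])
    return added, removed, changed


if __name__ == "__main__":
    old, new = parse_sid_msg_map(OLD_MAP), parse_sid_msg_map(SAMPLE_MAP)
    added, removed, changed = diff_maps(old, new)
    print("added:", added, "removed:", removed, "changed:", changed)
```

Treating a removed-then-added sid as "changed" rather than as two separate events is the useful part: it tells you an existing alert's message or reference text moved, which matters if a SIEM keys on the msg string.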
     -> Added to bleeding-virus.rules (46):
        # by Reg Quinton
        # Kaiten is a compiled code DDOS IRCbotnet for Unix/Linux systems. You will
        # find the string "Kaiten wagoraku" in the code ..(or in the strings if you
        # have a compiled version). It's been around since at least 2006, source can
        # be found at many sites.
        # See also
        # http://isc.sans.org/diary.html?storyid=1127
        # http://handlers.dshield.org/pbueno/Steve_malware6.pdf
        # http://www.stacksegment.net/wiki/index.php/Linux_Malware_Analysis
        # http://ktp.e-isa.com/Viruses/Linux.DDos-Kaiten.htm
        # Reg Quinton; 2007/08/30
        # Botnet begins by contacting an IRC server (there's some randomization to
        # pick one) and saying (with short nick,ident,user strings..):
        #  Send(sock,"NICK %s\nUSER %s localhost localhost :%s\n",nick,ident,user);
        # various distinctive responses to commands implemented by Kaiten client
        # various commands implemented by Kaiten client, they don't use a : delimiter
        # as others do, it's "[:<server> ]PRIVMSG !<clients> <command> <args>". I'm
        # skipping the server part. I wish there were flowbits that noted that we have
        # an IRC channel going. I don't want to watch everything.
        # Pitbull is an IRCbot implemented in Perl since 2007/09/13, code seems to have
        # authors who speak Spanish or Portuguese. Small sample here
        #   http://www.directadmin.com/forum/showthread.php?p=113720
        # Google had a cached version, you might browse around to find others.
        # Versions I captured are a little different from one another (s/space/etx/).
        # Code *says* it supports these commands (but versions differ):
        #!bot @portscan <ip>
        #!bot @nmap <ip> <beginport> <endport>
        #!bot @back <ip><port>
        #!bot @udpflood <ip> <packet size> <time>
        #!bot @tcpflood <ip> <port> <packet size> <time>
        #!bot @httpflood <site> <time>
        #!bot @linuxhelp
        #!bot @rfi <vuln> <dork>
        #!bot @system
        #!bot @milw0rm
        #!bot @logcleaner
        #!bot @sendmail <subject> <sender> <recipient> <message>
        #!bot @join <#channel>
        #!bot @part <#channel>
        #!bot @help
        #!bot cd tmp for example
        #!bot !eval <code= for example :@nickname>
        # Reg Quinton; 26-Sept-2007
        # seems to be a common prefix in responses with the few I've seen.
        # various commands implemented by Pitbull client as provided above
        # distinctive string in page fetch to google, yahoo, lycos, milw0rm, etc.

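The comments above describe what the new Kaiten and Pitbull rules key on: Kaiten's "NICK %s\nUSER %s localhost localhost :%s\n" registration, Kaiten's colon-less "PRIVMSG !<clients> <command> <args>" command form, and Pitbull's "!bot @<command>" syntax. The rule bodies themselves are not reproduced in this digest, so the following is an added example of my own and not the Bleeding Edge rule logic: a Python classifier that applies those three patterns to reassembled IRC lines. The Pitbull command list is copied from the comment; the "unlisted command" handling for forms like "!bot cd tmp" and every line in SAMPLE_LINES are my own constructions.

```python
"""Classify IRC lines against the Kaiten and Pitbull patterns described above.

Added example, my own approximation of the rule-comment descriptions; it is
not the Bleeding Edge rule logic.  Input is one IRC line per element, as you
would get after TCP reassembly and splitting on "\n".
"""
import re

# Commands the Pitbull comment says the bot supports (copied from the comment).
PITBULL_COMMANDS = {
    "portscan", "nmap", "back", "udpflood", "tcpflood", "httpflood", "linuxhelp",
    "rfi", "system", "milw0rm", "logcleaner", "sendmail", "join", "part", "help",
}

# Kaiten: Send(sock,"NICK %s\nUSER %s localhost localhost :%s\n",nick,ident,user)
# The distinctive part is the USER line with literal "localhost localhost".
KAITEN_USER_RE = re.compile(r"^USER (\S+) localhost localhost :(.*)$")

# Kaiten commands per the comment: optional ":<server> " prefix, then PRIVMSG,
# a target beginning with "!", the command and its arguments, no ":" delimiter.
KAITEN_CMD_RE = re.compile(r"^(?::\S+ )?PRIVMSG !(\S+) ([A-Za-z]\w*)(?: (.*))?$")

# Pitbull: ordinary PRIVMSG whose trailing text starts with "!bot ".
PITBULL_CMD_RE = re.compile(r"^(?::\S+ )?PRIVMSG (\S+) :!bot (\S+)(?: (.*))?$")


def classify_irc_line(line):
    """Return (family, detail) for a matching line, or None."""
    line = line.rstrip("\r\n")

    m = KAITEN_USER_RE.match(line)
    if m:
        return ("kaiten", f"registration ident={m.group(1)} user={m.group(2)}")

    m = PITBULL_CMD_RE.match(line)
    if m:
        cmd, args = m.group(2), m.group(3) or ""
        if cmd == "!eval" or (cmd.startswith("@") and cmd[1:] in PITBULL_COMMANDS):
            return ("pitbull", f"{cmd} {args}".strip())
        # "!bot cd tmp" style passthrough: still Pitbull syntax, lower confidence.
        return ("pitbull", f"unlisted command {cmd} {args}".strip())

    m = KAITEN_CMD_RE.match(line)
    if m:
        return ("kaiten", f"command {m.group(2)} to !{m.group(1)}")

    return None


def scan(lines):
    """Return [(line number, family, detail)] for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify_irc_line(line)
        if result:
            hits.append((n, result[0], result[1]))
    return hits


# Constructed sample session: Kaiten registration and a command, three
# Pitbull channel commands, then ordinary chatter and a server PING.
SAMPLE_LINES = [
    "NICK ab",
    "USER cd localhost localhost :ef",
    ":irc.example.net PRIVMSG !ab udp 192.0.2.10 1024 60",
    ":c0nt!c@example.net PRIVMSG #pit :!bot @udpflood 192.0.2.10 1024 60",
    ":c0nt!c@example.net PRIVMSG #pit :!bot !eval :c0nt",
    ":c0nt!c@example.net PRIVMSG #pit :!bot cd tmp",
    ":alice!a@example.net PRIVMSG #chat :hello everyone",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Two caveats a deployment would need. A USER line carrying "localhost localhost" is not unique to Kaiten, so on its own it is a weak indicator; the comment's observation about short nick, ident and user strings, and the IRC flow context the author wishes he had flowbits for, are what raise confidence. And the unlisted-command branch will also fire on any channel where "!bot" happens to be a legitimate prefix, which is why it is reported separately from the commands the Pitbull source names.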
[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2003302 || BLEEDING-EDGE TROJAN psyBNC IRC Server Connection


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs