[Box-Admins] Fwd: 85.10.195.197 [Fwd: [REF#: 1257]: To whom it may concern]

Marcus Denker denker at iam.unibe.ch
Tue Feb 3 08:42:45 UTC 2009



Hi,

There is a complaint from Undernet about our server.

>
> -------- Original Message --------
> Subject: [REF#: 1257]: To whom it may concern
> Date: Mon, 02 Feb 2009 19:59:03 +0000
> From: deathy at undernet.org
> Reply-To: deathy at undernet.org
> To: abuse at hetzner.de
>
> Security coordinators,
>
> I found these suspicious looking connections on the Undernet IRC Chat
> Network connecting from a netblock you control. The originating ip(s)
> and undernet server(s) each one was connected to is listed below. The
> destination port they were using is most likely port 6667. Other possible
> ports are included between 6000-9999 (a full list of our servers can
> be found at www.undernet.org/servers.php ).
>
> box2!~box at box2.squeakfoundation.org [85.10.195.197] - DIEMEN.NL.EU
>
>
> Please check for a compromise, possible hidden process running and an
> altered process listing.
> Run the updates for your system to close possible exploit holes, and
> send any unusual programs found to info at cyberabuse.org for investigation.
>
> We strive to eliminate these abusive connections from our network, but
> simply banning them can only be a temporary solution.  We hope to
> work with authorities to achieve our aim of reducing abuse on our
> network, as well as the general internet community.
>
> If you are not familiar with it, IRC is a text based chat communication
> medium, details at:
>
> http://www.irc.org/
>
> and our webpage:
>
> www.undernet.org
>
> Time of capture for the affected IP(s) is: Mon, 02 Feb 2009 19:44:05 +0000
>
> We have assigned an internal reference number 1257
> to this report and it is included in the subject line of
> this e-mail message.  We would appreciate your including
> it in the subject line of future correspondence about this
> report. We would really appreciate your cooperation in looking into
> this matter.
>
> Please take into account that most bots used these days are
> either GTbots (used on Windows and which can be found by
> searching for a file named mirc.ini which is normally
> required to run these bots) or emechs (used on linux/unix which
> can be generally found easily by doing a:
> find . -exec grep -l "undernet.org" {} + )
>
> Thank you for your cooperation.
>
> Regards,
>
> Caesar Stoica
> --------------
> Undernet Irc Operator
> www.undernet.org
>
>

--
Marcus Denker  --  denker at iam.unibe.ch
http://www.iam.unibe.ch/~denker
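
The report above asks for a check for a hidden process and an altered process listing. As an added example (not part of the original e-mail or of the Undernet report), the following Python reads the kernel's `/proc/net/tcp` table, flags established connections to remote ports 6000-9999, and resolves the owning PIDs from `/proc/<pid>/fd` instead of from `ps`. Assumptions: Linux, IPv4, a little-endian host; `SAMPLE` is constructed, and the function names are hypothetical.

```python
import glob
import os
import socket
import struct

IRC_PORTS = range(6000, 10000)  # port range named in the abuse report
ESTABLISHED = "01"              # TCP state code used by /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (192.0.2.10 is a documentation address).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: C5C30A55:9C40 0A0200C0:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 48211 1
   1: C5C30A55:9C41 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 48212 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 48213 1
"""

def parse_addr(hex_addr):
    """Decode 'C5C30A55:9C40' (IPv4 as little-endian hex, as on x86) to (ip, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def irc_connections(proc_net_tcp_text):
    """Return (local, remote, inode) for established sockets to ports 6000-9999."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != ESTABLISHED:
            continue
        local, remote = parse_addr(f[1]), parse_addr(f[2])
        if remote[1] in IRC_PORTS:
            hits.append((local, remote, f[9]))
    return hits

def pids_for_inode(inode):
    """PIDs holding the socket, read from /proc/<pid>/fd rather than from ps."""
    target, pids = f"socket:[{inode}]", set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split("/")[2]))
        except OSError:
            continue  # process exited, or not running as root
    return sorted(pids)

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for local, remote, inode in irc_connections(fh.read()):
            print(local, "->", remote, "inode", inode, "pids", pids_for_inode(inode))
```

Run it as root so every process's descriptors are readable. A socket that appears here with no owning PID, or a PID that `ps` does not show, points to a tampered userland; a kernel-level rootkit can hide from `/proc` as well, so an empty result does not clear the host.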


