[Box-Admins] Fwd: 85.10.195.197 [Fwd: [REF#: 1257]: To whom it may concern]

deathy at undernet.org
Tue Feb 3 20:04:00 UTC 2009


Hello,

The connection in question was found on a much larger channel filled with 
connections (bouncers and bots) running on compromised servers, most of 
the abuse contacts mailed in the same batch have replied confirming the 
connections were not wanted, nor allowed by the owners (that's what was 
meant by suspicious connections, since it's rather unlikely that a Romanian 
person will get legit access to a foreign server to run a bot/bouncer). I 
apologise for not being able to offer more info, but due to our AUP I am 
under certain restrictions (also, router/server logs are unavailable since 
I'm just an oper, not a server admin).

btw:

box2 is ~box at box2.squeakfoundation.org * box *
box2 using Helsinki.FI.EU.Undernet.org Wireless Hippies - 
http://www.wippies.com/
box2 End of /WHOIS list.

current date and time: 20:02 GMT, 03.02.2009.

best wishes,

Caesar Stoica
--------------
Undernet Irc Operator
www.undernet.org


On Tue, 3 Feb 2009, Ken Causey wrote:

> From the statement 'I found these suspicious looking connections...' I
> would expect to see a bit more detail.  I can only assume 'these' is
> meant to refer to the one line
>
> box2!~box at box2.squeakfoundation.org [85.10.195.197] - DIEMEN.NL.EU
>
> Is DIEMEN.NL.EU meant to be the IRC server to which the connection was
> made?
>
> As I understand it the connection happened at Mon, 02 Feb 2009 19:44:05
> +0000 but I'm curious about the length of the connection and any other
> detail that might help us identify the activity or person.
>
> As far as I can tell I was the only one on the server at the time and
> I don't remember doing anything that would have resulted in an IRC
> connection of any kind.  In fact I'm not aware of any IRC software
> installed on the server.
>
> Ken
>
> On Tue, 2009-02-03 at 09:42 +0100, Marcus Denker wrote:
>>>
>>
>> Hi,
>>
>> There is a complaint from undernet about our server.
>>
>>>
>>> -------- Original Message --------
>>> Subject: [REF#: 1257]: To whom it may concern
>>> Date: Mon, 02 Feb 2009 19:59:03 +0000
>>> From: deathy at undernet.org
>>> Reply-To: deathy at undernet.org
>>> To: abuse at hetzner.de
>>>
>>> Security coordinators,
>>>
>>> I found these suspicious looking connections on the Undernet IRC Chat
>>> Network connecting from a netblock you control. The originating ip(s)
>>> and undernet server(s) each one was connected to is listed below. The
>>> destination port they were using is most likely port 6667. Other
>>> possible ports are included between 6000-9999 (a full list of our
>>> servers can be found at www.undernet.org/servers.php ).
>>>
>>> box2!~box at box2.squeakfoundation.org [85.10.195.197] - DIEMEN.NL.EU
>>>
>>>
>>> Please check for a compromise, possible hidden process running and an
>>> altered process listing.
>>> Run the updates for your system to close possible exploit holes, and
>>> send any unusual programs found to info at cyberabuse.org for
>>> investigation.
>>>
>>> We strive to eliminate these abusive connections from our network, but
>>> simply banning them can only be a temporary solution.  We hope to
>>> work with authorities to achieve our aim of reducing abuse on our
>>> network, as well as the general internet community.
>>>
>>> If you are not familiar with it, IRC is a text based chat
>>> communication medium, details at:
>>>
>>> http://www.irc.org/
>>>
>>> and our webpage:
>>>
>>> www.undernet.org
>>>
>>> Time of capture for the affected IP(s) is: Mon, 02 Feb 2009 19:44:05
>>> +0000
>>>
>>> We have assigned an internal reference number 1257
>>> to this report and it is included in the subject line of
>>> this e-mail message.  We would appreciate your including
>>> it in the subject line of future correspondence about this
>>> report. We would really appreciate your cooperation in looking into
>>> this matter.
>>>
>>> Please take into account that most bots used these days are
>>> either GTbots (used on Windows and which can be found by
>>> searching for a file named mirc.ini which is normally
>>> required to run these bots) or emechs (used on linux/unix which
>>> can be generally found easily by doing a:
>>> find . -exec grep -l "undernet.org" {} + )
>>>
>>> Thank you for your cooperation.
>>>
>>> Regards,
>>>
>>> Caesar Stoica
>>> --------------
>>> Undernet Irc Operator
>>> www.undernet.org
>>>
>>>
>>
>> --
>> Marcus Denker  --  denker at iam.unibe.ch
>> http://www.iam.unibe.ch/~denker
>>
>>
>
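A defender-side triage helper, added here and not part of the thread, that applies the two checks the complaint recommends: flagging established TCP sessions to the 6000-9999 port range the report names, and locating files named mirc.ini or mentioning undernet.org. Function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added triage helper; function names and sample data are constructed
# for illustration and are not from the thread.

# Print remote endpoints of ESTABLISHED TCP sessions whose remote port
# lies in 6000-9999, the range the complaint names for IRC servers.
# Reads netstat-style lines on stdin:
#   proto recv-q send-q local-address remote-address state
irc_connections() {
  awk '$6 == "ESTABLISHED" {
         n = split($5, a, ":"); port = a[n] + 0
         if (port >= 6000 && port <= 9999) print $5
       }'
}

# List regular files under a directory that are either named mirc.ini
# (the GTbot indicator) or contain the string undernet.org (the emech
# grep the complaint suggests). -I skips binaries, -i ignores case.
find_bot_configs() {
  find "$1" -type f \( -iname 'mirc.ini' \
       -o -exec grep -qiI 'undernet[.]org' {} \; \) -print
}

# Constructed sample netstat output: one IRC session, one SSH session,
# one listener that must be ignored.
SAMPLE_NETSTAT='tcp 0 0 85.10.195.197:41234 203.0.113.5:6667 ESTABLISHED
tcp 0 0 85.10.195.197:22 198.51.100.7:51234 ESTABLISHED
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN'

# On a live host: netstat -ant | irc_connections ; find_bot_configs /home
printf '%s\n' "$SAMPLE_NETSTAT" | irc_connections
```

Neither check proves a compromise on its own; a hit is a reason to preserve the process list and the matching file before cleaning anything up.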

