List: incidents
Subject: Botnet is back, and some info FYI.
From: BahdKo <bahdko () erols ! com>
Date: 2005-01-06 12:57:01
Message-ID: 41DD359D.8070304 () erols ! com
Hi everyone,
I wanted to let you know how this worked out.
The packets that were coming into my network stopped for a few days, and then restarted. This time, I was ready with netcat. I had netcat listen on port 3127 and grabbed the payload from a couple of connections. It looks like the bots are using a utility from the www.steelbytes.com website ("port tunnel" maybe), and when Norton Antivirus looked at the file, it identified it as being related to or otherwise infected with Bloodhound.Mydoom.Cli. I have the contents from one of the tcp sessions up at http://www.sbbsnet.net/netcatfile.gz, if anyone wants to see it. This file may contain the actual virus.
Regards,
--Laura
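The capture Laura describes, written out as an added example that is not part of the original post: a small Python listener that does what a netcat listener on port 3127 did (accept one connection, keep every byte until the peer closes or goes quiet), saves the session to a file, and does a first-pass triage before the file goes to an AV engine: size, SHA-256, whether the bytes look like a Windows PE executable (an "MZ" stub whose e_lfanew field points at a "PE\0\0" signature), and any printable strings. The port, the output directory, and the SAMPLE_PE_BLOB fixture are assumptions; the blob is a header-shaped byte string constructed inline for the offline self-test, not the sample from the post.

```python
import hashlib
import os
import re
import socket
import threading
import time

# Constructed fixture for the offline self-test (NOT the captured sample):
# an "MZ" stub, e_lfanew at offset 0x3c pointing to a "PE\0\0" signature,
# then some printable filler. 100 bytes in total.
SAMPLE_PE_BLOB = (
    b"MZ" + b"\x00" * (0x3C - 2)
    + (0x40).to_bytes(4, "little")
    + b"PE\x00\x00"
    + b"constructed test payload\x00" + b"A" * 7
)

_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def make_listener(bind="0.0.0.0", port=3127):
    """Open a TCP listener; port 0 asks the OS for any free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind, port))
    s.listen(1)
    return s


def capture_one_session(listener, timeout=30.0, max_bytes=1 << 20):
    """Accept one connection and return (peer, bytes) with everything the peer sent.

    Reading stops when the peer closes, goes silent for `timeout` seconds,
    or exceeds `max_bytes` (so a chatty bot cannot fill the disk)."""
    listener.settimeout(timeout)
    conn, peer = listener.accept()
    chunks, total = [], 0
    with conn:
        conn.settimeout(timeout)
        while total < max_bytes:
            try:
                chunk = conn.recv(65536)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    return peer, b"".join(chunks)


def save_session(peer, data, directory="."):
    """Write the raw session to <ip>_<port>_<epoch>.bin and return the path."""
    path = os.path.join(directory, f"{peer[0]}_{peer[1]}_{int(time.time())}.bin")
    with open(path, "wb") as f:
        f.write(data)
    return path


def ascii_strings(data, limit=10):
    """First `limit` runs of 6+ printable ASCII bytes (a poor man's `strings`)."""
    return [m.decode("ascii") for m in _PRINTABLE.findall(data)[:limit]]


def triage(data):
    """Cheap, offline facts about a captured blob before it goes to AV."""
    info = {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "head_hex": data[:8].hex(),
        "is_pe": False,
        "strings": ascii_strings(data),
    }
    # PE check: "MZ" at 0, 32-bit little-endian e_lfanew at 0x3c, "PE\0\0" there.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        info["is_pe"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return info


def demo_capture(payload, bind="127.0.0.1"):
    """Offline self-test: push `payload` through a local listener and triage it."""
    listener = make_listener(bind, 0)
    port = listener.getsockname()[1]

    def client():
        with socket.create_connection((bind, port)) as c:
            c.sendall(payload)

    t = threading.Thread(target=client)
    t.start()
    with listener:
        _peer, data = capture_one_session(listener, timeout=5.0)
    t.join()
    return triage(data)


if __name__ == "__main__":
    # Live use: wait for one bot connection on 3127, keep it, and triage it.
    with make_listener("0.0.0.0", 3127) as lst:
        peer, data = capture_one_session(lst)
    print(save_session(peer, data), triage(data))
```

The listener only records; it never answers, so a bot expecting a backdoor handshake will usually just disconnect, which is why one connection at a time and a generous idle timeout are enough. Treat the saved file as live malware: hash it, keep it off any Windows host, and hand the hash to an AV engine rather than opening the file.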