[Bro] IRC Botnet
CS Lee
geek00l at gmail.com
Sun Jul 16 01:20:15 PDT 2006
Recently I found this in my Bro log. While I'm not much into Bro-IDS,
can someone shed some light on the IRC log contents below? I know
it is the host connecting to the botnet, but apparently it is not in
clear plain text (hex indeed).
1152142830.931951 #1 message from 'EM[]!~EM at 1.2.3.4' to '#cyberunknown': \xf7\xf2\xee \xf2\xee \xeb\xe0\xf2 \xf2\xe0\xec \xed\xe0 \xea\xee\xf0\xe8\xeb
1152142854.966781 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': \xf3\xf5\xf3
1152142865.018714 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': irc.chatnet.ru
1152142868.897694 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': \xe2 \xe4\xe0\xeb\xed\xe5\xf2 \xef\xf0\xe8\xe2\xe5\xe4\xe5\xf2?
1152142873.336908 #1 message from 'EM[]!~EM at 213.228.120.34' to '#cyberunknown': \xf1\xea\xee\xeb\xfc\xea\xee \xea\xe8\xeb\xee\xe1\xe0\xe8\xf2 \xea\xee\xe4\xe0
Does anyone have similar stuff in their
logs and would like to share their experience? Thanks.
--
Best Regards,
CS Lee<geek00L[at]gmail.com>
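As an added example (not part of the original post or of Bro itself), a small Python parser for irc log lines of the shape quoted above: it rebuilds the raw bytes from Bro's printable \xNN escapes and tries a few encodings in turn. The line format is assumed from the sample, and the non-ASCII payloads in the post decode as Cyrillic text under Windows-1251 (cp1251), which is the first check worth making before treating a payload as obfuscated command traffic.

```python
import re

# Line shape assumed from the Bro 1.x irc log excerpt in the post (hypothetical regex, not Bro's own).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) #(?P<conn>\d+) message from '(?P<src>[^']*)' "
    r"to '(?P<target>[^']*)': (?P<payload>.*)$"
)
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(payload: str) -> bytes:
    """Turn Bro's printable \\xNN escapes back into the bytes seen on the wire."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(payload):
        out += payload[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += payload[pos:].encode("latin-1")
    return bytes(out)


def decode_payload(raw: bytes, encodings=("ascii", "utf-8", "cp1251")):
    """Try encodings in order; return (encoding, text) for the first clean decode, else hex."""
    for enc in encodings:
        try:
            return enc, raw.decode(enc)
        except UnicodeDecodeError:
            pass
    return "raw", raw.hex()


def parse_line(line: str) -> dict:
    """Split one irc log line into its fields and add the decoded message text."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an irc message line: " + line)
    rec = m.groupdict()
    rec["encoding"], rec["text"] = decode_payload(unescape(rec["payload"]))
    return rec


# Constructed sample: messages quoted in the post, rejoined onto single lines.
SAMPLE = [
    r"1152142830.931951 #1 message from 'EM[]!~EM at 1.2.3.4' to '#cyberunknown': "
    r"\xf7\xf2\xee \xf2\xee \xeb\xe0\xf2 \xf2\xe0\xec \xed\xe0 \xea\xee\xf0\xe8\xeb",
    r"1152142854.966781 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': \xf3\xf5\xf3",
    r"1152142865.018714 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': irc.chatnet.ru",
    r"1152142873.336908 #1 message from 'EM[]!~EM at 213.228.120.34' to '#cyberunknown': "
    r"\xf1\xea\xee\xeb\xfc\xea\xee \xea\xe8\xeb\xee\xe1\xe0\xe8\xf2 \xea\xee\xe4\xe0",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec["ts"], rec["src"], "->", rec["target"], f"[{rec['encoding']}]", rec["text"])
```

Bytes that decode under none of the listed encodings come back as a hex string tagged "raw", so genuinely binary or encoded payloads still stand out in the output.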