[Bro] IRC Botnet

CS Lee geek00l at gmail.com
Sun Jul 16 01:20:15 PDT 2006


Recently I found this in my bro log. While I'm not much into bro-ids,
can someone shed some light on the IRC log contents below? I know
it is the host connecting to the botnet, but apparently it is not in
clear plain text (hex, indeed).

1152142830.931951 #1 message from 'EM[]!~EM at 1.2.3.4' to '#cyberunknown': \xf7\xf2\xee \xf2\xee \xeb\xe0\xf2 \xf2\xe0\xec \xed\xe0 \xea\xee\xf0\xe8\xeb
1152142854.966781 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': \xf3\xf5\xf3
1152142865.018714 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': irc.chatnet.ru
1152142868.897694 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': \xe2 \xe4\xe0\xeb\xed\xe5\xf2 \xef\xf0\xe8\xe2\xe5\xe4\xe5\xf2?
1152142873.336908 #1 message from 'EM[]!~EM at 213.228.120.34' to '#cyberunknown': \xf1\xea\xee\xeb\xfc\xea\xee \xea\xe8\xeb\xee\xe1\xe0\xe8\xf2 \xea\xee\xe4\xe0

Does anyone have similar stuff in their
logs and would like to share their experience? Thanks.

-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>
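Added example, not part of the post and not Bro's own code: a small Python decoder for records like the ones quoted above. Bro writes any byte outside printable ASCII as a \xNN escape, so the payload is the raw wire bytes, not hex "encryption". Every escaped byte here falls in 0xC0-0xFF, which is the Cyrillic letter block of Windows-1251 (CP1251); the decoder therefore assumes CP1251 whenever the bytes are not valid UTF-8. That charset guess, the record regex, the field names and the alphabet check are mine, not something the log states. The sample input is the five records from the post rejoined onto single lines, with mailman's " at " rewrite of "@" left in place (the prefix splitter accepts both).

```python
import re
import unicodedata
from datetime import datetime, timezone

# The five records quoted in the post (Bro IRC-analyzer output), rejoined
# onto single lines. Mailman rewrote the '@' in each sender prefix as ' at '.
RECORDS = [
    r"1152142830.931951 #1 message from 'EM[]!~EM at 1.2.3.4' to '#cyberunknown': \xf7\xf2\xee \xf2\xee \xeb\xe0\xf2 \xf2\xe0\xec \xed\xe0 \xea\xee\xf0\xe8\xeb",
    r"1152142854.966781 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': \xf3\xf5\xf3",
    r"1152142865.018714 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': irc.chatnet.ru",
    r"1152142868.897694 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': \xe2 \xe4\xe0\xeb\xed\xe5\xf2 \xef\xf0\xe8\xe2\xe5\xe4\xe5\xf2?",
    r"1152142873.336908 #1 message from 'EM[]!~EM at 213.228.120.34' to '#cyberunknown': \xf1\xea\xee\xeb\xfc\xea\xee \xea\xe8\xeb\xee\xe1\xe0\xe8\xf2 \xea\xee\xe4\xe0",
]

# Record layout as it appears in the post; the group names are my own.
RECORD_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) #(?P<conn>\d+) message from "
    r"'(?P<src>[^']*)' to '(?P<dst>[^']*)': (?P<msg>.*)$"
)
# Bro escapes: \xNN for a non-printable byte, \\ for a literal backslash.
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\\\")


def unescape(payload: str) -> bytes:
    """Turn Bro's escaped payload back into the bytes that were on the wire."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(payload):
        out += payload[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16) if m.group(1) else 0x5C)
        pos = m.end()
    out += payload[pos:].encode("latin-1")
    return bytes(out)


def guess_charset(raw: bytes) -> str:
    """Heuristic (an assumption, not something the log records): valid UTF-8
    is taken at face value; otherwise, if every high byte sits in 0xC0-0xFF,
    the Cyrillic letter block of Windows-1251, assume CP1251; else Latin-1."""
    try:
        raw.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        pass
    high = [b for b in raw if b >= 0x80]
    if high and all(b >= 0xC0 for b in high):
        return "cp1251"
    return "latin-1"


def dominant_alphabet(text: str):
    """First word of the Unicode name most letters share, e.g. CYRILLIC or LATIN."""
    counts = {}
    for ch in text:
        if ch.isalpha():
            block = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            counts[block] = counts.get(block, 0) + 1
    return max(counts, key=counts.get) if counts else None


def split_prefix(prefix: str):
    """nick!user@host, also accepting mailman's ' at ' in place of '@'."""
    nick, _, rest = prefix.partition("!")
    user, sep, host = rest.partition("@")
    if not sep:
        user, _, host = rest.partition(" at ")
    return nick, user, host


def decode_record(line: str) -> dict:
    """Parse one record and decode its message; raises ValueError on junk."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"not a Bro IRC message record: {line!r}")
    raw = unescape(m["msg"])
    charset = guess_charset(raw)
    text = raw.decode(charset)
    nick, user, host = split_prefix(m["src"])
    when = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
    return {
        "when": when.replace(microsecond=0).isoformat(),
        "conn": int(m["conn"]),
        "nick": nick, "user": user, "host": host,
        "channel": m["dst"],
        "raw": raw,
        "charset": charset,
        "text": text,
        "alphabet": dominant_alphabet(text),
    }


def decode_all(lines=RECORDS):
    """Decode every record; the caller decides what to do with the text."""
    return [decode_record(line) for line in lines]


if __name__ == "__main__":
    for r in decode_all():
        print(f"{r['when']} {r['nick']:<8} {r['channel']} [{r['charset']}] {r['text']}")
```

Under the CP1251 assumption the escaped lines come out as ordinary Russian chat (the last one, for instance, reads "how many kilobytes of code"), with one plain-ASCII line naming another server, irc.chatnet.ru. Decoding before triage matters because a bot channel usually shows a terse, repetitive command syntax rather than conversational text; the alphabet field and the charset guess make that distinction visible in bulk without reading every line.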