North American Network Operators Group


Destructive botnet originating from Japan

  • From: Barrett G. Lyon
  • Date: Fri Dec 23 14:57:18 2005

Prolexic is currently mitigating a 6+ Gbps (12+ Million PPS) DDoS attack that is originating from an IRC based botnet server in Japan. The bot software itself runs on GLIBC_2.1.3, GLIBC_2.1, and GLIBC_2.0 compatible x86 Linux boxen. The bot software is about 28.3 KB; it has a lot of capabilities, including HTTP connection, TCP floods, and broken SYN flooding. We are not sure of the current infection method, but it must be a common Redhat Linux vulnerability. We have contacted the network that hosts the IRC controller server; however, they do not speak English and we have yet to locate a translator.

The botnet controller server is hard-coded in the botnet binary at: 210.170.60.2/32 (www.vectant.co.jp):

.e....'.:127.0.0.1 001 nmdpokdhr :Welcome to the Internet Relay Network nmdpokdhr!~rjhriafit@cpe-70-116-65-96.houston.res.rr.com
:127.0.0.1 002 nmdpokdhr :Your host is 127.0.0.1, running version 2.10.3p7
:127.0.0.1 003 nmdpokdhr :This server was created Sat May 29 2004 at 06:15:50 JST
:127.0.0.1 004 nmdpokdhr 127.0.0.1 2.10.3p7 aoOirw abeiIklmnoOpqrstv
:127.0.0.1 251 nmdpokdhr :There are 553 users and 0 services on 1 servers
:127.0.0.1 252 nmdpokdhr 1 :operators online
:127.0.0.1 253 nmdpokdhr 23 :unknown connections
:127.0.0.1 254 nmdpokdhr 10 :channels formed

Please null route that IP on every network you may have access to; that will disable the ability for the bots to get updates and act on behalf of the attacker. The connection port is TCP 3982 (IRC based bot).

We have been running heavy stats collection on the attack. The Prolexic SOC has compiled the enclosed prefix list as malicious and non-spoofed addresses; there are many more, however, the list below is some of the highest traffic generators.

Happy hunting and feel free to email me off-list if you would like more information on the attack and the botnet software itself.

Thanks,

-Barrett

--
Barrett Lyon
CTO and founder
Prolexic Technologies, Inc
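An added example, not part of Barrett's post: a small analyst helper that parses the IRC welcome burst quoted above (numerics 001-004 and 251-254, as the bot sees them when it joins the controller) to pull out the server version and the user/channel counts that size the botnet, and then checks constructed flow records for internal hosts talking to the hard-coded controller on TCP 3982. The banner text is copied from the post; the flow records and the 192.0.2.x / 198.51.100.x addresses are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Tuple

# IRC numerics exactly as quoted in the post (the bot's view of the controller).
SAMPLE_BANNER = """.e....'.:127.0.0.1 001 nmdpokdhr :Welcome to the Internet Relay Network nmdpokdhr!~rjhriafit@cpe-70-116-65-96.houston.res.rr.com
:127.0.0.1 002 nmdpokdhr :Your host is 127.0.0.1, running version 2.10.3p7
:127.0.0.1 003 nmdpokdhr :This server was created Sat May 29 2004 at 06:15:50 JST
:127.0.0.1 004 nmdpokdhr 127.0.0.1 2.10.3p7 aoOirw abeiIklmnoOpqrstv
:127.0.0.1 251 nmdpokdhr :There are 553 users and 0 services on 1 servers
:127.0.0.1 252 nmdpokdhr 1 :operators online
:127.0.0.1 253 nmdpokdhr 23 :unknown connections
:127.0.0.1 254 nmdpokdhr 10 :channels formed
"""

# ":<prefix> <numeric> <nick> <params>" (RFC 2812 numeric reply shape).
NUMERIC_RE = re.compile(r"^:(?P<prefix>\S+) (?P<code>\d{3}) (?P<nick>\S+) ?(?P<params>.*)$")
COUNT_KEYS = {"252": "operators", "253": "unknown", "254": "channels"}

def parse_irc_banner(text: str) -> Dict[str, object]:
    """Extract server version and population counts from an IRC welcome burst."""
    info: Dict[str, object] = {}
    for raw in text.splitlines():
        start = raw.find(":")          # drop binary junk (as in the strings dump) before the prefix
        m = NUMERIC_RE.match(raw[start:].strip()) if start >= 0 else None
        if not m:
            continue
        code, params = m.group("code"), m.group("params")
        if code == "001":
            info["nick"] = m.group("nick")
        elif code == "004":                       # 004 <servername> <version> <umodes> <cmodes>
            server, version = params.split()[:2]
            info["server"], info["version"] = server, version
        elif code == "251":                       # 251 :There are N users and M services on K servers
            u = re.search(r"There are (\d+) users and (\d+) services on (\d+) servers", params)
            if u:
                info["users"], info["services"], info["servers"] = (int(x) for x in u.groups())
        elif code in COUNT_KEYS:                  # 252/253/254 <count> :text
            info[COUNT_KEYS[code]] = int(params.split()[0])
    return info

# Hard-coded controller and port from the post; flows below are constructed (src, dst, dport, proto).
C2_HOST, C2_PORT = "210.170.60.2", 3982
SAMPLE_FLOWS = [("192.0.2.10", "210.170.60.2", 3982, "tcp"),
                ("192.0.2.11", "198.51.100.5", 443, "tcp"),
                ("192.0.2.12", "210.170.60.2", 80, "tcp")]

def hosts_talking_to_c2(flows: Iterable[Tuple[str, str, int, str]],
                        host: str = C2_HOST, port: int = C2_PORT) -> List[str]:
    """Return internal sources that connected to the controller on its IRC port (likely infected)."""
    return sorted({src for src, dst, dport, proto in flows
                   if dst == host and dport == port and proto == "tcp"})
```

The 251 user count is the closest thing to a bot population figure the banner gives; a flow match on the controller's IRC port is the host-level follow-up to the null route the post asks for.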
