a list of hosts in a RPC BOTNET, mostly 209.x.x.x,
I've tried contacting abuse departments of several of these isps and none of them seem to care, so I figured I would post the info here, and maybe someone will let them know, the biggest offender is atlantech. These are all hosts that have been compromised by the same person, they're being used to SYN flood 65.110.34.100

If you want to see this glorious channel for your self its called #!LPOL! on Undernet.

Basically the way this works is your box gets attacked, then it sits on this irc channel and waits for commands, in this case the command is !SYN 65.110.34 1000 6667 9999 -s

Anyways here is the list, and every 30 seconds or so 2 or 3 more jump into this room.. the botnet is growing!

I hope this isn't off topic.

-Drew
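Added example, not part of the original post: a small parser for channel listings in the layout posted above (channel, nick, status flag, user@host, hop count, real name) that groups the listed hosts by /16 or provider domain, so each abuse desk can be sent one consolidated report. The sample lines are constructed, and the `network_key` bucketing rule is an assumption of this example.

```python
import ipaddress
import re
from collections import Counter

# One entry: channel, nick, flag, user@host, then an optional ":hops realname" tail.
WHO_LINE = re.compile(
    r"^(?P<chan>#\S+)\s+(?P<nick>\S+)\s+(?P<flags>\S+)\s+"
    r"(?P<user>[^@\s]+)@(?P<host>\S+)(?:\s+:(?P<hops>\d+)\s+(?P<real>.*))?$"
)

def network_key(host):
    """Assumed bucketing: /16 for bare IPv4, last two DNS labels otherwise (rough for co.uk-style names)."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        labels = host.lower().rstrip(".").split(".")
        return ".".join(labels[-2:])
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))

def summarize(lines):
    """Return (Counter of network -> unique host count, list of lines that did not parse)."""
    counts, rejected, seen = Counter(), [], set()
    for raw in lines:
        line = raw.strip()
        m = WHO_LINE.match(line)
        if not m:
            if line:
                rejected.append(line)
            continue
        host = m.group("host").lower()
        if host in seen:          # a bot that rejoins must not be counted twice
            continue
        seen.add(host)
        counts[network_key(host)] += 1
    return counts, rejected

# Constructed sample in the same layout; addresses come from documentation ranges.
SAMPLE = """\
#chan Ann123 H Bob45@192.0.2.10 :3 Ann123456
#chan Eve777 H ~Eve777@192.0.2.200 :3 Eve777001
#chan Kim001 H Lee22@a5.c3.client.isp-a.example :3 Kim001999
#chan Zed555 H ~Zed555@d3.e8.client.isp-a.example
#chan Ann123 H Bob45@192.0.2.10 :3 Ann123456
#chan Joe900 H Sam31@198.51.100.7 :3 Joe900123
not a who line
""".splitlines()

if __name__ == "__main__":
    for net, n in summarize(SAMPLE)[0].most_common():
        print(f"{n:3d}  {net}")
```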
Someone has changed the channel topic to "CLOSED, Thanks for the post to NANOG :-("

But I don't see hosts being k-lined - I imagine if IRCops took an interest in this they'd be lopping off heads.

The controlling node for this problem seems to be:

spaley spale@le.seul.ircop.a.cul.nu

But the forward lookup on the name leads to RFC 1918 space.

The nice folks in #hack seem to have taken an interest in this problem ... perhaps they have some secret t3kn33k for dealing with such things.

~I've tried contacting abuse departments of several of these isps and none of them seem
~to care, so I figured I would post the info
~here, and maybe someone will let them know, the biggest offender is atlantech. These
~are all hosts that have been compromised by
~the same person, they're being used to SYN flood 65.110.34.100
~If you want to see this glorious channel for your self its called #!LPOL! on Undernet.
Pascal Gloor (pascal.gloor@spale.com) wrote:
The controlling node for this problem seems to be:
spaley spale@le.seul.ircop.a.cul.nu
This is me, and I blocked the channel. I'm part of the Abuse-Exploit Team of Undernet and an Undernet Administrator. I am, for sure, not the originator of those trojans!
Hi Pascal, Hi Nanog,

I remember that I saw an old cartoon on userfriendly. The 31337 way is:

!SYN 127.0.0.1

Let them SYN off their own network and repeat it until it stops. It does not harm ANY resources, except the infected hosts.

Just my .2 cents

--jan

--
Jan Czmok, Network Engineering & Support, Global Access Telecomm, Inc.
Ph.: +49 69 299896-35 - fax: +49 69 299896-40 - sip:13129*522@inoc-dba.pch.net
On Wed, Aug 06, 2003 at 10:37:43AM -0500, neal rauhauser 402-301-9555 wrote:
Someone has changed the channel topic to "CLOSED, Thanks for the post to NANOG :-("
But I don't see hosts being k-lined - I imagine if IRCops took an interest in this they'd be lopping off heads.
Lopping off whose heads? Who exactly would you K: line? The people who own those machines who have no idea they even have a process connecting to IRC? Or thousands of K:lines for trojans on dynamic IPs?

Not sure how either approach would really do anything useful, I guess that Undernet will just render the channel unusable in the hope that whoever is responsible will then be unable to gather/use their trojans.

Unfortunately they will now just update their trojan to connect to some other place, and start redistributing.. all chances of doing further tracing of who is responsible probably ended with this being reported in public here on nanog, and I guess that's why the topic has a ":(" in it.
Thanks for the information. The Undernet Abuse Exploit Team will take care of this channel.

But please next time, mail abuse@undernet.org instead of a public mailing list. Simply just to avoid script kiddies reading nanog to use the trojans in the mean time.

Thanks,
Pascal
When looking at IRC and chat networks in general you have to look at them from the internet since the attacks are launched from the internet outside of any irc. The originators of the attacks use irc as a front to distract the investigators effort to find their real points of origin.

In the past I have stated circa 1998 - 2000 time frame, that ISP's that fail to address the issue should be held liable for damages sustained by other parties that fail to terminate clients for AUP violations, where there is conclusive overwhelming proof as to the source of the attack, (point of origin).

Drew Weaver <drew.weaver@thenap.com> wrote:

I've tried contacting abuse departments of several of these isps and none of them seem to care, so I figured I would post the info here, and maybe someone will let them know, the biggest offender is atlantech. These are all hosts that have been compromised by the same person, they're being used to SYN flood 65.110.34.100

If you want to see this glorious channel for your self its called #!LPOL! on Undernet.

Basically the way this works is your box gets attacked, then it sits on this irc channel and waits for commands, in this case the command is !SYN 65.110.34 1000 6667 9999 -s

Anyways here is the list, and every 30 seconds or so 2 or 3 more jump into this room.. the botnet is growing!

I hope this isn't off topic.

-Drew
Atlantech is local to me and sells a lot of DS1 internet access to Wireless ISPs. Maybe a war driver is having some fun...

Drew Weaver wrote:
I've tried contacting abuse departments of several of these isps and none of them seem to care, so I figured I would post the info here, and maybe someone will let them know, the biggest offender is atlantech. These are all hosts that have been compromised by the same person, they're being used to SYN flood 65.110.34.100
If you want to see this glorious channel for your self its called #!LPOL! on Undernet.
Basically the way this works is your box gets attacked, then it sits on this irc channel and waits for commands, in this case the command is !SYN 65.110.34 1000 6667 9999 -s
Anyways here is the list, and every 30 seconds or so 2 or 3 more jump into this room.. the botnet is growing!
I hope this isn't off topic.
-Drew
participants (7)
- Andy Smith
- Drew Weaver
- Henry Linneweh
- Jan Czmok
- N. Richard Solis
- neal rauhauser 402-301-9555
- Pascal Gloor