Security Basics mailing list archives

Re: Does anyone know which Malware owns this?


From: infolookup () gmail com
Date: Fri, 11 Dec 2009 01:04:06 +0000

Did you try to analyze the files from the redirected link or run the pcap through NetworkMiner and other tools to see what files you can extract from there?
------Original Message------
From: Paul Halliday
Sender: listbounce () securityfocus com
To: Securityfocus
Subject: Does anyone know which Malware owns this?
Sent: Dec 7, 2009 12:00 PM

There was a lot of SSH activity prior to this:

NICK Mafiotul
USER putini . . :Dar buni

NOTICE AUTH :*** Checking Ident
:Tampa.FL.US.Undernet.org 433 * Mafiotul :Nickname is already in use.
NICK Mafiotul_
NICK _afiotul_
....
WHOIS Mafio5945
MODE Mafio5945 +i-ws
JOIN #MafiaBOT #
NICK Mafiotul

The box also fetched this:

http://www.laguna.evolink.ro/server/6969.pl

I also see ICMP 6666 "skillz"; Stacheldraht? On a new install of CentOS?

Domains appear to be US, Japan and Macedonia (for the IRC part).

I don't have access to the box; I am trying to reconstruct from pcaps only. Tips/pointers welcome.

Thanks.

www.twitter.com/infolookup
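An added example, not from anyone in this thread: when working from pcaps alone, the IRC control channel can be reassembled to text (NetworkMiner or Wireshark's Follow TCP Stream) and then parsed for the facts a responder wants, such as nicks tried, channels joined and the server that answered. The parser below follows RFC 1459 framing; the sample stream is constructed from the lines quoted above, and the function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample: a reassembled IRC stream modelled on the lines quoted in the
# thread, one message per line, client and server directions interleaved.
SAMPLE_STREAM = """\
NICK Mafiotul
USER putini . . :Dar buni
NOTICE AUTH :*** Checking Ident
:Tampa.FL.US.Undernet.org 433 * Mafiotul :Nickname is already in use.
NICK Mafiotul_
NICK _afiotul_
WHOIS Mafio5945
MODE Mafio5945 +i-ws
JOIN #MafiaBOT #
NICK Mafiotul
"""

# RFC 1459 framing: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$')

def parse_irc_message(line):
    """Split one IRC line into prefix, command and parameter list; the trailing parameter is kept whole."""
    m = IRC_LINE.match(line.rstrip('\r\n'))
    if not m:
        return None
    raw = ' ' + (m.group('params') or '')   # pad so a leading ':' trailing param is found the same way
    middle, trailing = raw.split(' :', 1) if ' :' in raw else (raw, None)
    params = middle.split() + ([trailing] if trailing is not None else [])
    return {'prefix': m.group('prefix'), 'command': m.group('command').upper(), 'params': params}

def summarize_irc_stream(stream):
    """Collect indicators from a reassembled IRC stream: nicks, channels, server prefixes, USER, numerics."""
    s = {'nicks': [], 'channels': [], 'servers': set(), 'user': None, 'numerics': Counter()}
    for line in stream.splitlines():
        msg = parse_irc_message(line)
        if msg is None:
            continue
        cmd, params = msg['command'], msg['params']
        if msg['prefix'] and '!' not in msg['prefix']:   # a server prefix, not nick!user@host
            s['servers'].add(msg['prefix'])
        if cmd.isdigit():                                # server numeric reply, e.g. 433 nick in use
            s['numerics'][cmd] += 1
        elif cmd == 'NICK' and params:
            s['nicks'].append(params[0])
        elif cmd == 'USER' and params:
            s['user'] = params[0]
        elif cmd == 'JOIN' and params:   # first param: comma-separated channels; a second would be a key
            s['channels'].extend(c for c in params[0].split(',') if c.startswith(('#', '&')))
    return s
```

A repeated 433 followed by nick variants on the same fixed base name, together with a JOIN to a single channel right after registration, is the pattern to look for when deciding whether a host is a bot rather than a human client.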