[tor-relays] Abuses: Suspicious botnet ramnit attack

teor teor2345 at gmail.com
Fri Oct 28 10:31:45 UTC 2016


> 2016-10-27 20:24 GMT+02:00 pa011 <pa011 at web.de>:
>> Hi,
>> 
>> got the abuse below on three different exits. Anybody having any idea what to do and how to possibly stop this in the future?
>> Thanks Paul
>> 
>> 
>> CERT-EU has received information regarding an infected IP belonging to your
>> network, which may have security problems. The information regarding the problems
>> is also included as attachments in both CSV and XML formats. All timestamps are in
>> UTC.
>> At this time we do not have any more information.
>> 
>> Where:
>> - ASN: is the Autonomous System Number;
>> - IP:  the Internet Protocol address associated with this activity;
>> - TIME: discovery time of the malicious activity;
>> - PTR/DNAME: PTR/DNAME record
>> - CC: ISO 3166-1 alpha-2 two-letter country code;
>> - TYPE: type of the security problem or threat;
>> 
>> - INFO: provides any additional information, if available.
>> 
>> asn|ip|time|ptr|cc|type|info|info2
>> 
>> ASxxxxx|xxx.xxx.xxx.xxx|25-10-2016 12:10:09Z|XX|botnet drone|Description: Ramnit botnet victim connection to sinkhole details, Timestamp : 1477397409.72, City : none, Count: 8, First Seen: 25-10-2016 12:10:09, Last Seen: 25-10-2016

> On 28 Oct. 2016, at 09:33, Markus Koch <niftybunny at googlemail.com> wrote:
> 
> No. That's my problem too, around 90% of my abuse mails are bot related
> and you can't do anything about it.

If you know the destination IP address, and it's a bot Command & Control
server, you could block it. The problem is, many use multiple C&C servers,
some with dynamic DNS.

T

-- 
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
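For operators who get these reports on several exits, a small parser for the pipe-delimited format quoted above (header asn|ip|time|ptr|cc|type|info|info2, UTC timestamps) makes triage easier. This is an added example, not code from anyone in the thread; the sample rows, the AS number and the IP addresses are constructed, and the helper names are mine.

```python
"""Parse the pipe-delimited sinkhole report format quoted in the thread."""
from datetime import datetime, timezone

HEADER = "asn|ip|time|ptr|cc|type|info|info2"

# Constructed sample rows (AS64496 and 192.0.2.0/24 are reserved for
# documentation). The second row has an empty ptr field.
SAMPLE_REPORT = """\
AS64496|192.0.2.10|25-10-2016 12:10:09Z|exit1.example.net|XX|botnet drone|Description: Ramnit botnet victim connection to sinkhole details, Timestamp : 1477397409.72, City : none, Count: 8, First Seen: 25-10-2016 12:10:09, Last Seen: 25-10-2016 12:10:09|
AS64496|192.0.2.11|25-10-2016 13:02:41Z||XX|botnet drone|Description: Ramnit botnet victim connection to sinkhole details, Timestamp : 1477400561.00, Count: 3|
"""

def parse_time(value):
    """Time columns are DD-MM-YYYY HH:MM:SS with a trailing Z (UTC)."""
    return datetime.strptime(value, "%d-%m-%Y %H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_info(info):
    """Split the free-text info column into lower-cased 'key: value' pairs.
    Partitioning on the first colon keeps values like '25-10-2016 12:10:09' intact."""
    pairs = {}
    for part in info.split(", "):
        key, sep, val = part.partition(":")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs

def parse_report(text):
    """Parse every non-empty row; rows shorter than the header are padded."""
    names = HEADER.split("|")
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        fields += [""] * (len(names) - len(fields))
        rec = dict(zip(names, fields))
        rec["time"] = parse_time(rec["time"])
        rec["info"] = parse_info(rec["info"])
        records.append(rec)
    return records

def timestamp_consistent(rec):
    """True when the epoch 'Timestamp' inside info agrees with the time column."""
    epoch = float(rec["info"].get("timestamp", "nan"))
    return abs(epoch - rec["time"].timestamp()) < 1.0

def sinkhole_hits_per_exit(records, exit_ips):
    """Sum the reported 'Count' per IP, restricted to the operator's own exits."""
    totals = {}
    for rec in records:
        if rec["ip"] in exit_ips and rec["type"] == "botnet drone":
            totals[rec["ip"]] = totals.get(rec["ip"], 0) + int(rec["info"].get("count", 0))
    return totals
```

Feeding the CSV attachment through `parse_report` and `sinkhole_hits_per_exit` with the set of your own exit IPs gives a per-exit tally of sinkhole hits, and `timestamp_consistent` flags rows whose two timestamps disagree.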