Botnet Script Detection
Posted: 29 Jan 2014, 16:27
We have cxs and configserver running on a server and received the following from abuseat.org. I am running the latest versions. Any recommended way to track down this script? I have grepped all files in /var/log/ but have found no occurrence of the IP 87.255.51.229 listed. The system runs Apache in ruid2 so php processes are run at the user level. Is there anything in the latest cxs to cover s_kelihos and/or what are your recommendations to track this down? Thank you!
IP Address xxx.xxx.xxx.xxx is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2014-01-29 10:00 GMT (+/- 30 minutes), approximately 5 hours ago.
This IP is infected with, or is NATting for a machine infected with s_kelihos
Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.
This was detected by observing this IP attempting to make contact to a s_kelihos Command and Control server, with contents unique to s_kelihos C&C command protocols.
This was detected by a TCP/IP connection from xxx.xxx.xxx.xxx on port 46455 going to IP address 87.255.51.229 (the sinkhole) on port 80.
The botnet command and control domain for this connection was "ns5.widerat.com".
Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 87.255.51.229 or host name ns5.widerat.com on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs for references to 87.255.51.229 or ns5.widerat.com. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.
This detection corresponds to a connection at 2014-01-29 10:26:14 (GMT - this timestamp is believed accurate to within one second).
These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.
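One way to run this down on the server itself, as an added example that is not part of the original post and not ConfigServer or cxs code: grepping /var/log will never find the sinkhole IP, because nothing on a stock server logs outbound connections, so the beacon has to be caught live. The script below takes the indicators from the CBL notice (87.255.51.229 and ns5.widerat.com), filters `ss -tnp` output for any socket to the sinkhole on any port, and, on a hit, records the PID, its owner (which under mod_ruid2 is the hosting account), and the process working directory, which normally points into the compromised site. It assumes `ss` from iproute and a `ps` that accepts `-o user=,args=`; the `ss` lines in SAMPLE_SS are constructed to mimic real output, not a capture from the affected server.

```shell
#!/bin/sh
# Added example, not from the original post or from ConfigServer/cxs.
# Indicators (sinkhole IP and C2 hostname) come from the CBL notice;
# the `ss -tnp` lines in SAMPLE_SS are constructed to mimic real output.
SINKHOLE_IP="87.255.51.229"
C2_HOST="ns5.widerat.com"

# Constructed sample of `ss -tnp` output: header plus three sockets.
SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB    0      0      203.0.113.5:46455   87.255.51.229:80    users:(("php",pid=4242,fd=7))
ESTAB    0      0      203.0.113.5:22      198.51.100.7:51000  users:(("sshd",pid=1001,fd=3))
SYN-SENT 0      1      203.0.113.5:46460   87.255.51.229:443   users:(("perl",pid=4300,fd=5))'

# Read `ss -tnp` output on stdin and print "local_port pid command" for
# every socket whose peer is $1, on any destination port. Half-open
# SYN-SENT sockets (sinkhole unreachable or firewalled) are caught too.
sinkhole_sockets() {
    awk -v ip="$1" '
        BEGIN { pat = ip ":" }
        index($5, pat) == 1 {                          # $5 is Peer Address:Port
            n = split($4, local, ":")                  # last piece of $4 is the local port
            pid = "?"; cmd = "?"
            if (match($0, /"[^"]*",pid=[0-9]+/)) {     # users:(("php",pid=4242,fd=7))
                s = substr($0, RSTART + 1, RLENGTH - 1)   # php",pid=4242
                split(s, parts, "\",pid=")
                cmd = parts[1]; pid = parts[2]
            }
            print local[n], pid, cmd
        }'
}

# Live hunt: poll the socket table (run as root so -p can see every
# process) and, on a hit, record owner, command line, cwd and binary.
# Under mod_ruid2 the owner is the hosting account that runs the script.
hunt_c2() {
    while :; do
        ss -tnp 2>/dev/null | sinkhole_sockets "$SINKHOLE_IP" |
        while read -r port pid cmd; do
            printf '%s local port %s pid %s (%s)\n' "$(date -u +%FT%TZ)" "$port" "$pid" "$cmd"
            ps -o user=,args= -p "$pid"
            ls -l "/proc/$pid/cwd" "/proc/$pid/exe" 2>/dev/null
        done
        sleep 1
    done
}

# If a one-second poll misses the beacon, have the kernel log every
# attempt together with the owning UID (CSF manages iptables, so add this
# as a custom rule rather than editing the live chains by hand):
#   iptables -I OUTPUT -d 87.255.51.229 -j LOG --log-prefix "KELIHOS-C2 " --log-uid
# and watch for the DNS lookup of the C2 name, which precedes the connection:
#   tcpdump -ni any -A udp port 53 | grep -i widerat

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_SS" | sinkhole_sockets "$SINKHOLE_IP"
```

Run `hunt_c2` in a screen session and leave it; the CBL timestamp shows the bot checks in at least every few hours, so the hit will come. Once the PID and cwd are known, `cxs --scan` on that account's document root and a look at the account's access_log around the recorded time will usually show the upload that planted the script.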