Botnet Script Detection

Posted: 29 Jan 2014, 16:27
by solokron
We have cxs and configserver running on a server and received the following from abuseat.org. I am running the latest versions. Any recommended way to track down this script? I have grepped all files in /var/log/ but have found no occurrence of the IP 87.255.51.229 listed. The system runs Apache in ruid2 so php processes are run at the user level. Is there anything in the latest cxs to cover s_kelihos and/or what are your recommendations to track this down? Thank you!


IP Address xxx.xxx.xxx.xxx is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-01-29 10:00 GMT (+/- 30 minutes), approximately 5 hours ago.

This IP is infected with, or is NATting for a machine infected with s_kelihos

Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.

This was detected by observing this IP attempting to make contact to a s_kelihos Command and Control server, with contents unique to s_kelihos C&C command protocols.

This was detected by a TCP/IP connection from xxx.xxx.xxx.xxx on port 46455 going to IP address 87.255.51.229 (the sinkhole) on port 80.

The botnet command and control domain for this connection was "ns5.widerat.com".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 87.255.51.229 or host name ns5.widerat.com on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs for references to 87.255.51.229 or ns5.widerat.com. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2014-01-29 10:26:14 (GMT - this timestamp is believed accurate to within one second).

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.
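Added example, not from the thread or from ConfigServer: a Python script that searches log lines for the two indicators quoted in the listing above (anchored on both sides, so a near-miss address such as 187.255.51.229 does not match) and parses `ss -tnpe` output to tie a live sinkhole connection to a process and uid, which under ruid2 points at the hosting account running the script. The log lines and ss rows are constructed sample data.

```python
import re

# The two indicators quoted in the CBL listing above
SINKHOLE_IP = "87.255.51.229"
C2_DOMAIN = "ns5.widerat.com"

# Anchored on both sides so look-alikes such as "187.255.51.229" do not match
INDICATOR_RE = re.compile(
    r"(?<![\w.])(?:%s|%s)(?![\w.])" % (re.escape(SINKHOLE_IP), re.escape(C2_DOMAIN)),
    re.IGNORECASE)

def find_indicators(lines):
    """(line_no, indicator, line) for each log line naming the sinkhole IP or
    C&C domain as a whole token; works on DNS, proxy and firewall logs alike."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = INDICATOR_RE.search(line)
        if m:
            hits.append((n, m.group(0).lower(), line.rstrip()))
    return hits

# One `ss -tnpe` row: state, queues, local, peer, process tuple, optional uid
SS_RE = re.compile(
    r"^\S+\s+\d+\s+\d+\s+\S+\s+(?P<peer>\S+)\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
    r"(?:.*?\buid:(?P<uid>\d+))?")

def sinkhole_connections(ss_output):
    """Live connections to the sinkhole from `ss -tnpe` output, with process,
    pid and uid; under ruid2 the uid is the hosting account running the script."""
    found = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line.strip())
        if m and m.group("peer").rpartition(":")[0] == SINKHOLE_IP:
            found.append({"proc": m.group("proc"), "pid": int(m.group("pid")),
                          "uid": int(m.group("uid") or 0),
                          "port": int(m.group("peer").rpartition(":")[2])})
    return found

# Constructed sample data, not real server output: a BIND query log line, a
# Squid access line, a benign look-alike, an iptables LOG line, two ss rows.
SAMPLE_LOG = [
    "29-Jan-2014 10:26:13.812 client 10.0.0.5#53211: query: ns5.widerat.com IN A + (10.0.0.1)",
    "1390991174.000 120 10.0.0.5 TCP_MISS/200 412 GET http://ns5.widerat.com/ - DIRECT/87.255.51.229 text/html",
    '10.0.0.7 - - [29/Jan/2014:10:27:01 +0000] "GET /img/187.255.51.229.png HTTP/1.1" 200 512',
    "Jan 29 10:26:14 web kernel: OUTBOUND SRC=10.0.0.5 DST=87.255.51.229 PROTO=TCP SPT=46455 DPT=80",
]
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:46455 87.255.51.229:80 users:(("php",pid=4321,fd=5)) uid:1002 ino:998877 sk:1f <->
ESTAB 0 0 10.0.0.5:22 203.0.113.9:51000 users:(("sshd",pid=880,fd=3)) ino:1234 sk:2 <->"""
```

Outbound connections opened by a PHP script are not written to Apache's own logs, which is why grepping /var/log can come up empty; a periodic `ss -tnpe` snapshot fed to `sinkhole_connections`, or DNS/proxy/firewall lines fed to `find_indicators`, is what surfaces them.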

Re: Botnet Script Detection

Posted: 12 May 2014, 09:17
by webicom
Hello,

I also have the same problem but I have at least two servers with repeated blacklisting with this method in the past few months and I do not know how to solve this issue. Is there anybody who can help us?

Regards, Erik

Re: Botnet Script Detection

Posted: 12 May 2014, 10:49
by Strats
We are also facing the same problem, we have grepped all logs for this sinkhole IP and it seems there is no record, any advice is appreciated.

Re: Botnet Script Detection

Posted: 12 May 2014, 11:33
by webicom
Yes, I have also grepped all logs for the IP and domain name mentioned at the CBL listing but I can't find anything. I do not know how to fight this since I can't find anything. The situation is worse than I thought because now I have 4 servers listed and can't do anything.

Regards, Erik