To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi!
This was my answer to Attila-Mihaly yesterday; I thought I CC:ed it to the list,
but sorry, I did not. :)
--
After a quick investigation this appears to be quite a funny case: all those
people run the same pirated Windows XP distribution from the www.philka.ru warez
trashcan. Perhaps the hostname is pre-defined at installation time. So this is a
false alarm (about "philka").
Of course, many of these broadband users are infected with various malware, but
this is another story.
Have a good weekend!
:)
--
Konstantin Barinov
On Dec 15, 2007 2:40 AM, Peter Dambier <[EMAIL PROTECTED]> wrote:
> I remember a bad ethernet adapter doing exactly that.
> I fixed it overriding the mac-address. If I remember
> correctly then it was an IBM PS/2 running OS/2.
>
> It was breaking SNA and Novell Netware
>
> The real fix was to replace the adapter finally.
>
> Kind regards
> Peter
>
>
> Thomas Anderson (CSO) wrote:
> > I've seen problems like this with errors in packet broadcasting from a
> > particular device. Just not as BIG an error. Check the hostnames of the
> > PCs in windows, and I am sure they are not philka! There is a
> > conflicting broadcast packet in one of your devices most likely that the
> > PCs are picking up on. I've seen this with printers.
> >
> > RVaughn wrote:
> >> Could this possibly be a switch problem?
> >>
> >> Konstantin Barinov wrote:
> >>
> >>> Hello colleagues
> >>>
> >>> Our admins made an interesting discovery today. We have hundreds of client
> >>> PC's with the same hostname "philka". Below is a little block from the dhcpd
> >>> log file. Did you see something like this? I doubt all those people changed
> >>> computer names in Windows manually.
> >>>
> >>> --
> >>> Konstantin Barinov
> >>>
> >>>
> >>>
> >>> Dec 14 00:07:56 victor dhcpd: DHCPREQUEST for 172.16.47.25 from 00:19:66:17:0d:da (philka) via vlan15
> >>> Dec 14 00:07:56 victor dhcpd: DHCPACK on 172.16.47.25 to 00:19:66:17:0d:da (philka) via vlan15
> >>> Dec 14 00:18:01 victor dhcpd: DHCPREQUEST for 172.17.30.203 from 00:13:d4:0f:d2:89 (philka) via vlan45
> >>> Dec 14 00:18:01 victor dhcpd: DHCPACK on 172.17.30.203 to 00:13:d4:0f:d2:89 (philka) via vlan45
> >>> Dec 14 00:18:03 victor dhcpd: DHCPREQUEST for 172.17.30.203 from 00:13:d4:0f:d2:89 (philka) via vlan45
> >>> Dec 14 00:18:03 victor dhcpd: DHCPACK on 172.17.30.203 to 00:13:d4:0f:d2:89 (philka) via vlan45
> >>> Dec 14 00:23:50 victor dhcpd: DHCPREQUEST for 172.18.133.113 from 00:40:f4:88:56:94 (philka) via vlan58
> >>> Dec 14 00:23:50 victor dhcpd: DHCPACK on 172.18.133.113 to 00:40:f4:88:56:94 (philka) via vlan58
> >>> Dec 14 00:24:33 victor dhcpd: DHCPREQUEST for 172.16.60.34 from 00:40:95:32:42:b3 (philka) via vlan17
> >>> Dec 14 00:24:33 victor dhcpd: DHCPACK on 172.16.60.34 to 00:40:95:32:42:b3 (philka) via vlan17
> >>> Dec 14 00:31:50 victor dhcpd: DHCPREQUEST for 172.17.21.154 from 00:13:d4:80:27:69 (philka) via vlan44
> >>> Dec 14 00:31:50 victor dhcpd: DHCPACK on 172.17.21.154 to 00:13:d4:80:27:69 (philka) via vlan44
> >>> Dec 14 00:33:04 victor dhcpd: DHCPREQUEST for 172.16.115.252 from 00:13:8f:59:e5:a1 (philka) via vlan64
> >>> Dec 14 00:33:04 victor dhcpd: DHCPACK on 172.16.115.252 to 00:13:8f:59:e5:a1 (philka) via vlan64
> >>> Dec 14 00:46:45 victor dhcpd: DHCPREQUEST for 172.18.131.82 from 00:50:22:e8:65:41 (philka) via vlan58
> >>> Dec 14 00:46:45 victor dhcpd: DHCPACK on 172.18.131.82 to 00:50:22:e8:65:41 (philka) via vlan58
> >>> Dec 14 00:47:19 victor dhcpd: DHCPOFFER on 172.16.80.36 to 00:0e:2e:36:df:9b (philka) via vlan20
> >>> Dec 14 00:47:22 victor dhcpd: DHCPDISCOVER from 00:0e:2e:36:df:9b (philka) via vlan20
> >>> Dec 14 00:47:22 victor dhcpd: DHCPOFFER on 172.16.80.36 to 00:0e:2e:36:df:9b (philka) via vlan20
> >>> Dec 14 00:47:22 victor dhcpd: DHCPDISCOVER from 00:0e:2e:36:df:9b (philka) via vlan20
> >>> Dec 14 00:47:22 victor dhcpd: DHCPOFFER on 172.16.80.36 to 00:0e:2e:36:df:9b (philka) via vlan20
> >>> Dec 14 00:47:22 victor dhcpd: DHCPREQUEST for 172.16.80.36 (172.16.80.8) from 00:0e:2e:36:df:9b (philka) via vlan20
> >>> Dec 14 00:47:22 victor dhcpd: DHCPACK on 172.16.80.36 to 00:0e:2e:36:df:9b (philka) via vlan20
> >>> Dec 14 00:47:22 victor dhcpd: DHCPREQUEST for 172.16.80.36 (172.16.80.8) from 00:0e:2e:36:df:9b (philka) via vlan20
> >>> Dec 14 00:47:22 victor dhcpd: DHCPACK on 172.16.80.36 to 00:0e:2e:36:df:9b (philka) via vlan20
> >>> Dec 14 00:47:23 victor dhcpd: DHCPREQUEST for 172.17.21.154 from 00:13:d4:80:27:69 (philka) via vlan44
> >>> Dec 14 00:47:23 victor dhcpd: DHCPACK on 172.17.21.154 to 00:13:d4:80:27:69 (philka) via vlan44
> >>> Dec 14 00:53:03 victor dhcpd: DHCPDISCOVER from 00:0e:2e:36:df:9b (philka) via vlan20
> >>>
> >>> _______________________________________________
> >>> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> >>> All list and server information are public and available to law enforcement upon request.
> >>> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
> >>>
> >>
> >
> > --
> > Thomas Anderson
> > Chief Security Officer
> > Tel: 678-531-3367
> > Email: [EMAIL PROTECTED]
> > Web: www.stopddos.org
>
> --
> Peter and Karin Dambier
> Cesidian Root - Radice Cesidiana
> Rimbacher Strasse 16
> D-69509 Moerlenbach-Bonsweiher
> +49(6209)795-816 (Telekom)
> +49(6252)750-308 (VoIP: sipgate.de)
> mail: [EMAIL PROTECTED]
> http://iason.site.voila.fr/
> https://sourceforge.net/projects/iason/
> http://www.cesidianroot.com/
>
--
Konstantin Barinov
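As an added example (not from the thread or any of its posters), this is the check an operator can run over a dhcpd log before raising an alarm like the one above: group each client-reported hostname by the MAC addresses and VLANs it arrives from, so a name like "philka" seen from many unrelated MACs across many VLANs stands out as a client-side artifact (a cloned install image, or a single device's bad broadcasts) rather than hundreds of individually renamed machines. It assumes the ISC dhcpd syslog format quoted in the thread; the two non-philka sample lines are constructed.

```python
import re
from collections import defaultdict

# Regex for ISC dhcpd syslog lines like the ones quoted in the thread: it pulls
# out the message type, the client MAC, the hostname dhcpd prints in parentheses
# (the client's DHCP option 12) and the interface/VLAN the packet arrived on.
LINE_RE = re.compile(
    r"dhcpd: (?P<type>DHCP[A-Z]+) .*?"
    r"(?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"\((?P<host>[^)]*)\) via (?P<vlan>\S+)"
)

# Sample input: six "philka" lines copied from the thread plus two constructed
# lines (a normal client and a DHCPNAK without a hostname) for contrast.
SAMPLE_LOG = [
    "Dec 14 00:07:56 victor dhcpd: DHCPREQUEST for 172.16.47.25 from 00:19:66:17:0d:da (philka) via vlan15",
    "Dec 14 00:07:56 victor dhcpd: DHCPACK on 172.16.47.25 to 00:19:66:17:0d:da (philka) via vlan15",
    "Dec 14 00:18:01 victor dhcpd: DHCPREQUEST for 172.17.30.203 from 00:13:d4:0f:d2:89 (philka) via vlan45",
    "Dec 14 00:23:50 victor dhcpd: DHCPACK on 172.18.133.113 to 00:40:f4:88:56:94 (philka) via vlan58",
    "Dec 14 00:47:22 victor dhcpd: DHCPDISCOVER from 00:0e:2e:36:df:9b (philka) via vlan20",
    "Dec 14 00:47:22 victor dhcpd: DHCPREQUEST for 172.16.80.36 (172.16.80.8) from 00:0e:2e:36:df:9b (philka) via vlan20",
    "Dec 14 00:10:00 victor dhcpd: DHCPACK on 172.16.47.30 to 00:19:66:aa:bb:cc (laptop-anna) via vlan15",  # constructed
    "Dec 14 00:12:00 victor dhcpd: DHCPNAK on 172.16.47.31 to 00:19:66:aa:bb:cd via vlan15",  # constructed
]

def parse_dhcpd_log(lines):
    """Map each client hostname to the set of (mac, vlan) pairs it was seen from."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines with no "(hostname)" after the MAC, e.g. DHCPNAK, are skipped
            seen[m["host"]].add((m["mac"], m["vlan"]))
    return dict(seen)

def shared_hostnames(lines, min_macs=3):
    """Hostnames announced by at least min_macs distinct MACs, with the number of
    distinct MACs and VLANs each was seen from. Many MACs on many VLANs points to
    a client-side artifact, not to hundreds of hosts that need attention."""
    report = {}
    for host, pairs in parse_dhcpd_log(lines).items():
        macs = {mac for mac, _ in pairs}
        vlans = {vlan for _, vlan in pairs}
        if len(macs) >= min_macs:
            report[host] = (len(macs), len(vlans))
    return report

if __name__ == "__main__":
    for host, (n_macs, n_vlans) in shared_hostnames(SAMPLE_LOG).items():
        print(f"{host}: {n_macs} MACs on {n_vlans} VLANs")
```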