Introduction
This report lists every infected machine (drone, zombie, bot) that we were able to observe by monitoring IRC command-and-control channels, by capturing IP connections to HTTP botnets, or by recording the IPs of spam relays. Only some entries carry an infection type, and those come only from the HTTP bots or the spam relays.
Fields
| Field | Description |
|---|---|
| Timestamp | Timestamp at which the IP was seen, in UTC+0 |
| Drone | The IP of the device in question |
| ASN | ASN where the drone resides |
| Geo | Country where the drone resides |
| Hostname | Reverse DNS of the drone's IP |
| RBL | RBL information for that IP address |
| C&C | The command and control that is managing this IP |
| C&C ASN | ASN of the C&C |
| C&C Geo | Country of the C&C |
| C&C DNS | Reverse DNS of the C&C IP |
| C&C Port | Port of the C&C |
| Infection | What we believe this device to be infected with |
Sample
```csv
"Timestamp","Drone","ASN","Geo","Hostname","RBL","C&C","C&C ASN","C&C Geo","C&C DNS","C&C Port","Infection"
"2008-11-03 00:00:01","190.187.23.98",19180,"PE","","","","","","","","spam"
"2008-11-03 00:00:02","172.164.57.182",14855,"US","ACA439B6.ipt.aol.com","","82.165.99.3",8560,"DE","kundenserver.de",80,"beagle"
"2008-11-03 00:00:03","189.183.26.4",8151,"MX","","","","","","","","spam"
"2008-11-03 00:00:04","124.43.48.34",9329,"LK","","","","","","","","spam"
"2008-11-03 00:00:05","91.65.38.198",31334,"DE","91-65-38-198-dynip.superkabel.de","","195.12.59.196",39342,"FI","mediatraffic2.fi.quakenet.org","",""
"2008-11-03 00:00:07","124.43.48.34",9329,"LK","","","","","","","","spam"
"2008-11-03 00:00:08","189.106.41.223",7738,"BR","","","","","","","","spam"
"2008-11-03 00:00:09","91.65.38.198",31334,"DE","91-65-38-198-dynip.superkabel.de","","",8972,"DE","irc.lolinator.net","",""
"2008-11-03 00:00:10","89.0.0.146",8584,"IL","89.0.0.146.dynamic.barak-online.net","","195.12.59.196",39342,"FI","mediatraffic2.fi.quakenet.org","",""
"2008-11-03 00:00:11","79.145.53.56",3352,"ES","","","","","","","","spam"
"2008-11-03 00:00:12","172.133.147.45",1668,"US","AC85932D.ipt.aol.com","","82.165.104.20",8560,"DE","kundenserver.de",80,"beagle"
```
Questions
- Why is the C&C set to 0.0.0.0 or left blank? This can happen for several reasons. Depending on the source of the data and the tracking method, we may simply not have the C&C IP address. For example, a drone IP labeled as spam was extracted from the last hop of a spam message, so we do not know the controlling source and cannot report it. Where the capture point was our sinkhole server, we are the C&C, and there is no reason to include our own IPs. Whenever we have the data we include it in the reports; we filter nothing from the data we send out, other than to ensure that you receive only the data for your area of responsibility.
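A recipient of this report usually wants to load it, treat a blank or `0.0.0.0` C&C as "unknown" exactly as the note above describes (while still keeping a C&C DNS name when only that is present), and then pull out the records for the networks they are responsible for. The parser below is an added example written for this page, not tooling supplied by the report's publisher; it embeds a subset of the records from the Sample section above as its input, and the function and field names (`parse_drone_report`, `summarize`, `select_for_networks`, the lower-case dict keys) are this example's own choices, not names used by the report.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Input constructed from a subset of the page's own Sample section.
SAMPLE = """\
"Timestamp","Drone","ASN","Geo","Hostname","RBL","C&C","C&C ASN","C&C Geo","C&C DNS","C&C Port","Infection"
"2008-11-03 00:00:01","190.187.23.98",19180,"PE","","","","","","","","spam"
"2008-11-03 00:00:02","172.164.57.182",14855,"US","ACA439B6.ipt.aol.com","","82.165.99.3",8560,"DE","kundenserver.de",80,"beagle"
"2008-11-03 00:00:05","91.65.38.198",31334,"DE","91-65-38-198-dynip.superkabel.de","","195.12.59.196",39342,"FI","mediatraffic2.fi.quakenet.org","",""
"2008-11-03 00:00:09","91.65.38.198",31334,"DE","91-65-38-198-dynip.superkabel.de","","",8972,"DE","irc.lolinator.net","",""
"""


def _blank_to_none(value):
    v = value.strip()
    return v or None


def _cc_or_none(value):
    # The report documents both "" and 0.0.0.0 as "C&C not known / sinkhole",
    # so both are normalised to None rather than kept as a bogus address.
    v = value.strip()
    return None if v in ("", "0.0.0.0") else v


def _int_or_none(value):
    v = value.strip()
    return int(v) if v.isdigit() else None


def parse_drone_report(text):
    """Parse the CSV report into a list of dicts with typed, normalised fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S")
        records.append({
            "timestamp": ts.replace(tzinfo=timezone.utc),  # report times are UTC+0
            "drone": row["Drone"],
            "asn": _int_or_none(row["ASN"]),
            "geo": _blank_to_none(row["Geo"]),
            "hostname": _blank_to_none(row["Hostname"]),
            "rbl": _blank_to_none(row["RBL"]),
            "cc": _cc_or_none(row["C&C"]),
            "cc_asn": _int_or_none(row["C&C ASN"]),
            "cc_geo": _blank_to_none(row["C&C Geo"]),
            "cc_dns": _blank_to_none(row["C&C DNS"]),
            "cc_port": _int_or_none(row["C&C Port"]),
            # Infection is only filled for HTTP bots and spam relays.
            "infection": _blank_to_none(row["Infection"]) or "unknown",
        })
    return records


def summarize(records):
    """Count infections, unique drones and records carrying a usable C&C reference."""
    infections = Counter(r["infection"] for r in records)
    drones = sorted({r["drone"] for r in records})
    # A record is actionable for C&C blocking if it has either an IP or a DNS name.
    with_cc_ip = sum(1 for r in records if r["cc"] is not None)
    with_cc_ref = sum(1 for r in records if r["cc"] is not None or r["cc_dns"] is not None)
    return {"infections": infections, "drones": drones,
            "with_cc_ip": with_cc_ip, "with_cc_ref": with_cc_ref}


def select_for_networks(records, cidrs):
    """Keep only records whose drone IP falls inside one of the given networks."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [r for r in records
            if any(ipaddress.ip_address(r["drone"]) in n for n in nets)]


if __name__ == "__main__":
    recs = parse_drone_report(SAMPLE)
    print(summarize(recs))
    for r in select_for_networks(recs, ["91.65.0.0/16"]):
        print(r["timestamp"].isoformat(), r["drone"], r["cc"] or r["cc_dns"])
```

The 00:00:09 record in the sample is the interesting edge case: its C&C IP is blank, but a C&C ASN and DNS name are present, so a parser that discards every record with an empty C&C column would silently lose a usable indicator. Keeping `cc` and `cc_dns` as separate, independently nullable fields avoids that.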