Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

More kelly hallissey botnet shit she keeps yanking

By: a guest on Jun 20th, 2012  |  syntax: None  |  size: 4.71 KB  |  views: 125  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. (11:02:24 PM) zimzum: around?
  2. (11:02:34 PM) zimzum has not been authenticated yet. You should authenticate this buddy.
  3. (11:02:34 PM) Unverified conversation with zimzum started.
  4. (9/16/2011 6:26:16 AM) MattM@staminus.net: hey
  5. (9:53:36 AM) zimzum: around?
  6. (9:53:40 AM) MattM@staminus.net: yes
  7. (9:53:43 AM) zimzum: ah
  8. (9:54:00 AM) zimzum: ok umm...where to start
  9. (9:54:57 AM) zimzum: ok so my friend's data center (alchemy.net) received ddos. the ddos was not hitting an irc-related customer but I have stuff in his DC to I agreed to look into it
  10. (9:55:46 AM) zimzum: in the process I discovered that 1 of the reflectors attacking his datacenter was also attacking yours
  11. (9:55:47 AM) zimzum: lol
  12. (9:55:56 AM) MattM@staminus.net: sweet
  13. (9:56:06 AM) zimzum: within my organization we have a SANS handler
  14. (9:56:24 AM) zimzum: he assisted me in the matter
  15. (9:56:33 AM) zimzum: sec
  16. (9:57:05 AM) zimzum:
  17. alert tcp $HOME_NET any -> [72.20.37.45,72.20.38.118,72.20.38.4,72.20.38.92,72.20.40.52,72.20.41.225,72.20.44.133,72.20.44.135,72.20.44.205,72.20.45.83] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 167) - BLOCKING SOURCE"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC; reference:url,www.shadowserver.org; reference:url,abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405332; rev:2449; fwsam: dst, 30 days;) alert udp $HOME_NET any -> [72.20.37.45,72.20.38.118,72.20.38.4,72.20.38.92,72.20.40.52,72.20.41.225,72.20.44.133,72.20.44.135,72.20.44.205,72.20.45.83] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 167) - BLOCKING SOURCE"; reference:url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC; reference:url,www.shadowserver.org; reference:url,abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405333; rev:2449; fwsam: dst, 30 days;)
  18. (9:57:16 AM) zimzum: your victim IP was 72.20.41.205
  19. (9:57:36 AM) zimzum: when i looked around to find out more info I found those snort rules in the botnet C&C rules from emerging threats...
  20. (9:58:27 AM) zimzum: basically, a (relatively) new udp reflection/amplification attack is being perpetrated where people are abusing "Enemy Territory" game servers as the reflectors and requesting game information with a spoofed UDP packet
  21. (9:58:41 AM) MattM@staminus.net: fun
  22. (9:58:55 AM) zimzum: all of those stam IPs are sh3lls
  23. (9:59:32 AM) zimzum: so after i wrap up ddos analysis and leave my buddy to auditing his bgp prefixes i go on efnet
  24. (9:59:53 AM) zimzum: wherein my friend is upset over a channel takeover. he lost a channel that he has had since 1999 to a guy named medeski
  25. (10:00:18 AM) zimzum: and his friend
  26. (10:00:23 AM) zimzum: guess who hosts their botnet!
  27. (10:01:08 AM) zimzum: paid for by some guy named dystro
  28. (10:01:23 AM) zimzum: now they're juping nicknames with it lol
  29. (10:01:29 AM) zimzum: so i have to ask you....how the fuq does sh3lls stay in business man!
  30. (10:01:38 AM) MattM@staminus.net: no clue
  31. (10:01:40 AM) zimzum: oh and lets forget all of that for a second
  32. (10:01:45 AM) zimzum: they also have user 'haddem'
  33. (10:01:49 AM) zimzum: who I am sure you're familiar with
  34. (10:01:55 AM) MattM@staminus.net: i haven't been on efnet for 5 years
  35. (10:01:56 AM) MattM@staminus.net: maybe more
  36. (10:02:10 AM) zimzum: well hes been sending (and attracting) >10gbit ddos to staminus
  37. (10:02:21 AM) zimzum: and is quite friendly with kelly last i checked
  38. (10:02:29 AM) zimzum: you should probably famliarize yourself haha
  39. (10:03:21 AM) zimzum: the SANS handler had this to say when your ASN came up "seems they take a lot of heat. and there are often questions about what side of the fence they are on"
  40. (10:04:32 AM) zimzum: i would like to approach sh3lls directly about some of these issues but its owner has been idle a couple days now
  41. (10:05:06 AM) zimzum: any suggestions? policies of yours I should know about?
  42. (10:05:14 AM) MattM@staminus.net: no idea
  43. (10:05:49 AM) MattM@staminus.net: I don't follow this kind of drama. If you have abuse to report, email abuse@staminus.net.
  44. (10:06:08 AM) zimzum: you don't follow your data center getting ddos'd?
  45. (10:06:26 AM) MattM@staminus.net: No, we get hundreds of > 10 Gbps attacks per day.
  46. (10:06:36 AM) MattM@staminus.net: Thousands of attacks in total.
  47. (10:06:44 AM) zimzum: awesome.
  48. (10:07:27 AM) MattM@staminus.net: I don't want to sound dismissive, but I just don't handle abuse, whether at our customers, or from our customers.
  49. (10:10:12 AM) zimzum: ok
  50. (10:11:09 AM) MattM@staminus.net: also, our TOS is at www.staminus.net/TOS
  51. (10:11:26 AM) MattM@staminus.net: So if you're emailing abuse@, make sure there's a violation there