API tools faq
paste
Advertisement
Guest User

More kelly hallissey botnet shit she keeps yanking

a guest
Jun 20th, 2012
159
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.71 KB | None | 0 0
raw download clone embed print report
  1. (11:02:24 PM) zimzum: around?
  2. (11:02:34 PM) zimzum has not been authenticated yet. You should authenticate this buddy.
  3. (11:02:34 PM) Unverified conversation with zimzum started.
  4. (9/16/2011 6:26:16 AM) MattM@staminus.net: hey
  5. (9:53:36 AM) zimzum: around?
  6. (9:53:40 AM) MattM@staminus.net: yes
  7. (9:53:43 AM) zimzum: ah
  8. (9:54:00 AM) zimzum: ok umm...where to start
  9. (9:54:57 AM) zimzum: ok so my friend's data center (alchemy.net) received ddos. the ddos was not hitting an irc-related customer but I have stuff in his DC to I agreed to look into it
  10. (9:55:46 AM) zimzum: in the process I discovered that 1 of the reflectors attacking his datacenter was also attacking yours
  11. (9:55:47 AM) zimzum: lol
  12. (9:55:56 AM) MattM@staminus.net: sweet
  13. (9:56:06 AM) zimzum: within my organization we have a SANS handler
  14. (9:56:24 AM) zimzum: he assisted me in the matter
  15. (9:56:33 AM) zimzum: sec
  16. (9:57:05 AM) zimzum:
  17. alert tcp $HOME_NET any -> [72.20.37.45,72.20.38.118,72.20.38.4,72.20.38.92,72.20.40.52,72.20.41.225,72.20.44.133,72.20.44.135,72.20.44.205,72.20.45.83] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 167) - BLOCKING SOURCE"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC; reference:url,www.shadowserver.org; reference:url,abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405332; rev:2449; fwsam: dst, 30 days;) alert udp $HOME_NET any -> [72.20.37.45,72.20.38.118,72.20.38.4,72.20.38.92,72.20.40.52,72.20.41.225,72.20.44.133,72.20.44.135,72.20.44.205,72.20.45.83] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 167) - BLOCKING SOURCE"; reference:url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC; reference:url,www.shadowserver.org; reference:url,abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405333; rev:2449; fwsam: dst, 30 days;)
  18. (9:57:16 AM) zimzum: your victim IP was 72.20.41.205
  19. (9:57:36 AM) zimzum: when i looked around to find out more info I found those snort rules in the botnet C&C rules from emerging threats...
  20. (9:58:27 AM) zimzum: basically, a (relatively) new udp reflection/amplification attack is being perpetrated where people are abusing "Enemy Territory" game servers as the reflectors and requesting game information with a spoofed UDP packet
  21. (9:58:41 AM) MattM@staminus.net: fun
  22. (9:58:55 AM) zimzum: all of those stam IPs are sh3lls
  23. (9:59:32 AM) zimzum: so after i wrap up ddos analysis and leave my buddy to auditing his bgp prefixes i go on efnet
  24. (9:59:53 AM) zimzum: wherein my friend is upset over a channel takeover. he lost a channel that he has had since 1999 to a guy named medeski
  25. (10:00:18 AM) zimzum: and his friend
  26. (10:00:23 AM) zimzum: guess who hosts their botnet!
  27. (10:01:08 AM) zimzum: paid for by some guy named dystro
  28. (10:01:23 AM) zimzum: now they're juping nicknames with it lol
  29. (10:01:29 AM) zimzum: so i have to ask you....how the fuq does sh3lls stay in business man!
  30. (10:01:38 AM) MattM@staminus.net: no clue
  31. (10:01:40 AM) zimzum: oh and lets forget all of that for a second
  32. (10:01:45 AM) zimzum: they also have user 'haddem'
  33. (10:01:49 AM) zimzum: who I am sure you're familiar with
  34. (10:01:55 AM) MattM@staminus.net: i haven't been on efnet for 5 years
  35. (10:01:56 AM) MattM@staminus.net: maybe more
  36. (10:02:10 AM) zimzum: well hes been sending (and attracting) >10gbit ddos to staminus
  37. (10:02:21 AM) zimzum: and is quite friendly with kelly last i checked
  38. (10:02:29 AM) zimzum: you should probably famliarize yourself haha
  39. (10:03:21 AM) zimzum: the SANS handler had this to say when your ASN came up "seems they take a lot of heat. and there are often questions about what side of the fence they are on"
  40. (10:04:32 AM) zimzum: i would like to approach sh3lls directly about some of these issues but its owner has been idle a couple days now
  41. (10:05:06 AM) zimzum: any suggestions? policies of yours I should know about?
  42. (10:05:14 AM) MattM@staminus.net: no idea
  43. (10:05:49 AM) MattM@staminus.net: I don't follow this kind of drama. If you have abuse to report, email abuse@staminus.net.
  44. (10:06:08 AM) zimzum: you don't follow your data center getting ddos'd?
  45. (10:06:26 AM) MattM@staminus.net: No, we get hundreds of > 10 Gbps attacks per day.
  46. (10:06:36 AM) MattM@staminus.net: Thousands of attacks in total.
  47. (10:06:44 AM) zimzum: awesome.
  48. (10:07:27 AM) MattM@staminus.net: I don't want to sound dismissive, but I just don't handle abuse, whether at our customers, or from our customers.
  49. (10:10:12 AM) zimzum: ok
  50. (10:11:09 AM) MattM@staminus.net: also, our TOS is at www.staminus.net/TOS
  51. (10:11:26 AM) MattM@staminus.net: So if you're emailing abuse@, make sure there's a violation there
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!