42 botnet C&C control hosts in China


Yiming Gong

Mar 1, 2007, 11:49:04 AM
to nsp-se...@googlegroups.com, CN...@googlegroups.com
42 botnet C&C control hosts in China, mainly belonging to the organizations listed below. Since these hosts are all of the C&C type, they should basically all be on static IPs, so administrators who are in a position to do so might as well do some work: shoot them!!!!

The detailed list follows; anyone with questions can contact me or Li Hua on MSN

yimin...@msn.com
lih...@msn.com


Beijing Kuanjie Net communication technology Ltd
CETC-CHINACOMM COMMUNICATIONS Co.,Ltd.
CHINA RAILWAY TELECOMMUNICATIONS
CHINA RAILWAY TELECOMMUNICATIONS CENTER
CHINANET Anhui province network
CHINANET Fujian province network
CHINANET Guangdong province network
CHINANET guizhou province network
CHINANET jiangsu province network
CHINANET jiangxi province network
CHINANET-HN Changsha node network
CHINANET-ZJ Hangzhou node network
CHINANET-ZJ Taizhou node network
CNC Group CHINA169 Guangdong Province Network
CNC Group CHINA169 Hebei Province Network
CNC Group CHINA169 Heilongjiang Province Network
CNC Group CHINA169 Henan Province Network
CNC Group CHINA169 Jilin Province Network
CNC Group CHINA169 Liaoning Province Network
CNC Group CHINA169 Shan1xi Province Network
CNC Group CHINA169 Shandong Province Network
CNC Group CHINA169 Sichuan Province Network
CNC Group CHINA169 Tianjin Province Network
CNC Group CHINA169 Zhejiang Province Network
CNC Group Guangdong province network
CNC Group SiChuan province network
CNC Group Zhejiang province network
CNCGROUP Hebei Province Network
CNCGROUP Henan province network
CNCGROUP Jilin province network
CNCGROUP Liaoning province network
CNCGROUP Shandong province network
CNCGROUP Tianjin province network
CNCGroup CHINA169 FuJian province network
CNCGroup FuJian province network
CNCGroup Shan1xi province network
China Railcom Beijing Branch
China Railcom Hebei Yangquan Subbranch
China United Telecommunications Corporation

Details
ip port additional info
-----------------------

Regards!

Yiming

张红标

Mar 1, 2007, 8:44:13 PM
to nsp-se...@googlegroups.com, CN...@googlegroups.com

I have already forwarded the Henan Netcom one to a colleague at Netcom for handling, and I am planning to pull him in here, heh.

Yiming Gong wrote:

--
--------------------------
张红标
Henan Telecom Network Management and Maintenance Center
+86 371 6531 0007


guyonghao

Mar 1, 2007, 9:17:14 PM
to CN...@googlegroups.com
What is a C&C host, and what does the name stand for?

Liang Gao

Mar 1, 2007, 11:53:53 PM
to CN...@googlegroups.com
Hi, Guyongyao.

Here is a CERT paper that can help you.

http://www.cert.org.cn/UserFiles/File/%E8%AE%BA%E6%96%87%E4%B8%8E%E8%AE%B2%E6%BC%94%E7%A8%BF/BOTNET%E7%9A%84%E5%8F%91%E7%8E%B0%E4%B8%8E%E6%8E%A7%E5%88%B6(cuix-20050525).pdf

> >-----Original Message-----
> >From: CN...@googlegroups.com [mailto:CN...@googlegroups.com] on behalf of
> >guyonghao
> >Sent: March 2, 2007 10:17
> >To: CN...@googlegroups.com
> >Subject: [CNNOG] Re: 42 botnet C&C control hosts in China

Yiming Gong

Mar 2, 2007, 9:51:40 AM
to CN...@googlegroups.com, nsp-se...@googlegroups.com
Applause for 张红标!

At the same time, introductions of suitable new members to nsp-sec-china are very welcome; you can also have him contact me directly. Thanks!

Regards!

Yiming

Yiming Gong

Mar 2, 2007, 1:00:35 PM
to CN...@googlegroups.com, nsp-se...@googlegroups.com
A few more words from me:

Large-scale network attacks (DDoS, spam, phishing, etc.) have left behind the era of individual hackers directly controlling zombie hosts.

From what our botnet hunting system shows, a large proportion of security incidents are controllers (C&C) directing bots (called 肉鸡 domestically, though that term does not seem very accurate either) to launch scans, spam and so on. Moreover, today's botnet systems are becoming more and more complete, and their techniques more and more varied. For example, one botnet may be run by several C&C controllers spread across different geographic locations, so that even if an administrator shuts one down, the bots still have a backup server to contact. For example, here is a very good case: our system captured a C&C this morning

161.184.175.95  with port 9632 

$ nc 161.184.175.95  9632
HEAD HTTP/1.1
:log.in.sys 451 HEAD :You have not registered

As you can see, the ID obtained by attempting to connect is log.in.sys

$ whois -h whois.cymru.com 161.184.175.95
AS      | IP               | AS Name
852     | 161.184.175.95    | ASN852 - Telus Advanced Communications

From the whois, this server is in the US. Now look at the following, which is another C&C:
4837  | CHINA169-BACKBONE CNCGROUP China169 Backbone | 221.12.138.78   | tcp  | 9632  | 2007-02-23 08:35:13 | 2007-03-03 08:35:13 | bot | 0 | 0 | ID: log.in.sys DNSRR: mail2.tiktikz.com

You can see that this one is a server in China, and looking at the last column, the id log.in.sys is exactly the same.

From this real example you can get a feel for backup C&Cs: you shut down the US server, and there is still the Chinese server as a backup. Off-site disaster recovery! The hackers' security theory is pretty good!

Besides this there are n other techniques, p2p and so on; I will not go on about them here so as not to bore everyone. Gao Liang's post mentions them, or you can Google.

Back to the point: since C&Cs directly control large numbers of bots, they are enormously powerful and are now a major security problem on the Internet. That is why we frequently post related domestic IPs to the group, hoping that capable people in China will do what they can: either shut down or block, and those with the ability can also get onto the C&C and see what interesting things are there.

Actually, security is not as grand and mysterious as those CXOs make it sound; everyone doing some practical, down-to-earth work beats anything else.

Questions can be discussed further; ISP staff interested in joining nsp-sec-cn can contact me or Li Hua on MSN

yimin...@msn.com
lh...@msn.com

Regards!

Yiming

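The cross-check the post describes, as an added example that is not code from the post or from the botnet hunting system it mentions: parse records in the thread's own `ip port ID: ... DNSRR: ... PORTS: ...` format, pull the server name out of the IRC 451 reply shown in the nc session, and group hosts that answer with the same server ID or resolve from the same DNS name, which is exactly how the US and Chinese log.in.sys servers were tied together. The record lines below are constructed from entries quoted in the thread.

```python
import re
from collections import defaultdict
# Records in the post's "<ip> <port> ID: ... DNSRR: ... PORTS: ..." format; these sample
# lines are constructed from entries quoted in the thread (first one is the US host).
RECORDS = """\
161.184.175.95 9632 ID: log.in.sys
221.12.138.78 9632 ID: log.in.sys DNSRR: mail2.tiktikz.com
218.85.133.253 5454 ID: irc.xdcc1337.net DNSRR: holla.sw1tchbck.net
61.138.255.203 5454 ID: irc.xdcc1337.net
124.160.103.149 61521 ID: windows127.microsoft.com DNSRR: nos.c0rrupted.com
218.61.29.120 61521 ID: windows124.microsoft.com DNSRR: nos.c0rrupted.com
60.176.149.137 61521
"""
LINE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)(?P<rest>.*)$")
# A tag may be empty ("ID: DNSRR: x"), so a value runs lazily to the next tag or end of line.
FIELD_RE = re.compile(r"(ID|DNSRR|SERVPASS|PORTS):(.*?)(?=\s+(?:ID|DNSRR|SERVPASS|PORTS):|$)")
IRC_REPLY_RE = re.compile(r"^:(?P<server>\S+)\s+\d{3}\s")

def server_id_from_reply(reply):
    """Server name from an IRC numeric reply, e.g. the 451 line in the post's nc session."""
    m = IRC_REPLY_RE.match(reply.strip())
    return m["server"] if m else None

def parse_record(line):
    """One record -> dict with ip, port, id, dnsrr and the extra PORTS list (empty if absent)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ip": m["ip"], "port": int(m["port"]), "id": None, "dnsrr": None, "ports": []}
    for key, val in FIELD_RE.findall(m["rest"]):
        val = val.strip()
        if key == "ID":
            rec["id"] = val or None
        elif key == "DNSRR":
            rec["dnsrr"] = val or None
        elif key == "PORTS":
            rec["ports"] = [int(p) for p in val.split("_") if p]
    return rec

def shared_identity_groups(lines):
    """Hosts answering with the same IRC server name (ID) or resolved from the same DNS
    name (DNSRR): the post's tell-tale of a primary C&C with a backup elsewhere."""
    by_key = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for key in ("id", "dnsrr"):
            if rec[key]:
                by_key[(key, rec[key])].add(rec["ip"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
```

Feed `shared_identity_groups` the full list from the first post and every shared `ID` or `DNSRR` value surfaces as one group, so a takedown request can cover the primary and its backups together.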

LiHua

Mar 2, 2007, 11:15:08 PM
to nsp-se...@googlegroups.com, CN...@googlegroups.com
Indeed, factors like botnets and DDoS have to some extent driven the development of the security market and technical progress; the markets for traffic analysis, endpoint protection, desktop security and other security hardware and software have grown rapidly in the last two years, which also shows that we are constantly seeking solutions. As Seo Boon said, to solve these problems, shutting down C&Cs alone is certainly not enough; containment also has to be considered from many other angles, such as how to control the ways botnets propagate, how to respond to 0-day attacks, how to strengthen desktop security (controlling the propagation vector), how to monitor and respond promptly, and even improving the legal environment, all considered together.
But as a security administrator at an operator, doing what is within one's own power first is also very necessary; C&Cs still need to be investigated, and the rest will take everyone's joint effort to achieve step by step.

-----Original Message-----
From: nsp-se...@googlegroups.com
[mailto:nsp-se...@googlegroups.com] on behalf of Liang Gao
Sent: March 3, 2007 10:07
To: nsp-se...@googlegroups.com
Subject: Reply: [CNNOG] Reply: [CNNOG] Re: 42 botnet C&C control hosts in China


I like the idea of comparing security with the evolution of fighting
disease.

Here are my philosophical thoughts on this.

One thing we learned when fighting human viruses is: it is a constant
battle, just like any other evolution of Mother Nature, where both sides are
constantly getting stronger/smarter/faster; it is a race that will never
end.

Which brings up another point: are viruses, whether on the human body or a
computer, all bad and no good? Without battling viruses/disease, the human
body would not be as complex and strong as it is today. I would suspect the same
thing will happen to computer networks too. Maybe the purpose of C&C and botnets
is to drive the evolution of the most advanced artificial intelligence (our
Internet) we have got so far to be stronger.

Whether it is shutting down C&Cs or botnets, we are losing the battle now, but
that does not mean it is a bad thing; it only means we have a long way to go to
improve, and of course, there are many business opportunities too.

guo liang

Mar 5, 2007, 11:34:33 AM
to nsp-se...@googlegroups.com, CN...@googlegroups.com
I will contact the CNC net node and the China Telecom JiangXi and FuJiang province nodes.
Let's put together some plans for handling botnet C&C control hosts, so they can be circulated.
 
郭亮

algos...@gmail.com

Mar 7, 2007, 8:50:38 PM
to CNNOG
I will invite the guy in charge of ChinaNet's security to join the
mailing list.

Algos

On Mar 6, 12:34 AM, "guo liang" <twinkle...@gmail.com> wrote:
> I will contact the CNC net node and the China Telecom JiangXi and FuJiang province nodes.
> Let's put together some plans for handling botnet C&C control hosts, so they can be circulated.
>
> 郭亮
>
> twinkle...@gmail.com
>
> On 3/2/07, Yiming Gong <yimingg...@gmail.com> wrote:
>
> > 42 botnet C&C control hosts in China, mainly belonging to the organizations listed below. Since these hosts are all of the C&C type,
> > they should basically all be on static IPs, so administrators who are in a position to do so might as well do some work: shoot them!!!!
>
> > The detailed list follows; anyone with questions can contact me or Li Hua on MSN
>
> > yimingg...@msn.com
> > lihu...@msn.com

Yiming Gong

Mar 8, 2007, 11:37:45 AM
to CN...@googlegroups.com
Hi Algos,

Thank you!

And if it is OK, you can let them contact either Lihua (lh...@msn.com) or me (yimin...@msn.com), so we can go ahead and bring them into nsp-sec-china, thanks!

Regards!

Yiming