momoxhemo Posted June 1, 2011

I'm not entirely sure what to make of this. It seems a botnet monitoring service (shadowserver) thinks dht01.utorrent.com is a botnet. There's no IRC or anything like that on that server, correct? Is the only way for me not to trip this to disable DHT? Below is my university's log of the event.

05/28-05:14:06 [my.ip] Connected_to_Botnet
05/28-05:14:06.129363 [**] [1:2404225:2329] ET DROP Known Bot C&C Server Traffic UDP (group 113) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} [my.ip]:57278 -> 67.215.242.138:6881

Snort rule triggered:
alert udp $HOME_NET 1:24,26:52,54:65535 -> [67.215.242.138,67.215.242.139,67.218.118.62,67.220.65.248,67.220.66.114,67.220.66.120,67.220.66.166,67.220.66.167,67.220.66.168,67.220.66.170] 1:24,26:52,54:65535 (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 113) "; reference:url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC; reference:url,www.shadowserver.org; reference:url,abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404225; rev:2329;)

2011-05-28 05:14:06.129363 IP [my dns].57278 > dht01.utorrent.com.6881: UDP, length 103
0x0000: 4500 0083 7ef8 0000 7d11 e4ce 83c1 1f80 E...~...}.......
0x0010: 43d7 f28a dfbe 1ae1 006f ee54 6431 3a61 C........o.Td1:a
0x0020: 6432 3a69 6432 303a 5cfc 4dcf a864 f10b d2:id20:\.M..d..
0x0030: 8053 6dbd 9097 e978 5c99 646e 363a 7461 .Sm....x\.dn6:ta
0x0040: 7267 6574 3230 3ac0 790a b064 681e 9834 rget20:.y..dh..4
0x0050: 63ec c92d db14 4daa 5c9d 0b65 313a 7139 c..-..M.\..e1:q9
0x0060: 3a66 696e 645f 6e6f 6465 313a 7434 3abd :find_node1:t4:.
0x0070: cedf 8931 3a76 343a 5554 62d6 313a 7931 ...1:v4:UTb.1:y1
0x0080: 3a71 65 :qe
DreadWingKnight Posted June 1, 2011

Sounds like the botnet monitoring service doesn't have a clue. DHT isn't a botnet.
Firon Posted June 1, 2011

DHT is a distributed network used largely as one big decentralized tracker, so you can find peers when the tracker is unavailable (or find more peers even if it is). It's not a botnet.
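The packet in the first post can be checked directly rather than taken on trust either way. The script below is an added example for this thread (not code from the original posts or from uTorrent): it rebuilds the raw frame from the tcpdump hex dump quoted above, strips the IPv4 and UDP headers, bencode-decodes the payload and checks it against the shape of a KRPC query from BEP 5 (the BitTorrent DHT protocol). The hex dump text is the one from the post; the parser, the minimal bencode decoder and the classify_krpc/triage helpers are mine, and the "UT" client prefix interpretation follows the BEP 20 style client ids that uTorrent puts in the "v" field.

```python
"""Triage helper: decode the UDP packet from the thread's tcpdump output and
check whether it is a BitTorrent DHT (KRPC) message as defined in BEP 5.
Added example for this thread; not code from the original post or from uTorrent."""
import re
import struct

# The hex dump exactly as quoted in the first post (tcpdump -X style:
# offset, up to eight 16-bit hex words, then an ASCII rendering).
HEXDUMP = r"""
0x0000: 4500 0083 7ef8 0000 7d11 e4ce 83c1 1f80 E...~...}.......
0x0010: 43d7 f28a dfbe 1ae1 006f ee54 6431 3a61 C........o.Td1:a
0x0020: 6432 3a69 6432 303a 5cfc 4dcf a864 f10b d2:id20:\.M..d..
0x0030: 8053 6dbd 9097 e978 5c99 646e 363a 7461 .Sm....x\.dn6:ta
0x0040: 7267 6574 3230 3ac0 790a b064 681e 9834 rget20:.y..dh..4
0x0050: 63ec c92d db14 4daa 5c9d 0b65 313a 7139 c..-..M.\..e1:q9
0x0060: 3a66 696e 645f 6e6f 6465 313a 7434 3abd :find_node1:t4:.
0x0070: cedf 8931 3a76 343a 5554 62d6 313a 7931 ...1:v4:UTb.1:y1
0x0080: 3a71 65 :qe
"""

HEX_WORD = re.compile(r"[0-9a-f]{2}|[0-9a-f]{4}")


def parse_hexdump(dump):
    """Rebuild the raw frame bytes from a tcpdump -X style hex dump."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:          # at most eight hex words per line
            if not HEX_WORD.fullmatch(tok):
                break                    # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def udp_payload(frame):
    """Strip the IPv4 and UDP headers; returns (src, dst, sport, dport, payload)."""
    if frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 17:
        raise ValueError("not UDP")
    src = ".".join(map(str, frame[12:16]))
    dst = ".".join(map(str, frame[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    payload = frame[ihl + 8:ihl + ulen]
    if len(payload) != ulen - 8 or ihl + ulen != total_len:
        raise ValueError("truncated packet")
    return src, dst, sport, dport, payload


def bdecode(data, i=0):
    """Minimal bencode decoder; returns (value, next_index). Dict keys are bytes."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        return {items[k]: items[k + 1] for k in range(0, len(items), 2)}, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        return data[start:start + n], start + n
    raise ValueError("bad bencode at offset %d" % i)


def classify_krpc(payload):
    """Return a summary dict if payload is a well-formed BEP 5 query, else None."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError):
        return None
    if end != len(payload) or not isinstance(msg, dict) or msg.get(b"y") != b"q":
        return None
    method, args = msg.get(b"q"), msg.get(b"a")
    if not isinstance(method, bytes) or not isinstance(args, dict):
        return None
    if len(args.get(b"id", b"")) != 20:
        return None                      # every KRPC query carries a 20-byte node id
    if method == b"find_node" and len(args.get(b"target", b"")) != 20:
        return None
    version = msg.get(b"v", b"")
    return {
        "method": method.decode(),
        "node_id": args[b"id"].hex(),
        "target": args.get(b"target", b"").hex(),
        "transaction_id": msg.get(b"t", b"").hex(),
        # first two bytes of "v" are a client id; "UT" is uTorrent's
        "client": version[:2].decode("ascii", "replace"),
    }


def triage(dump=HEXDUMP):
    """Decode one captured packet and summarise what the alert actually matched."""
    src, dst, sport, dport, payload = udp_payload(parse_hexdump(dump))
    summary = classify_krpc(payload)
    return {"dst": dst, "dport": dport, "payload_len": len(payload), "krpc": summary}


if __name__ == "__main__":
    print(triage())
```

Running it shows a find_node query with a 20-byte node id and a 20-byte target, sent to port 6881 with a "UT" client tag, which is exactly what a DHT client does when it refreshes its routing table. The decoded payload is the evidence worth attaching when reporting the false positive to the list maintainer; whether to suppress or threshold the rule for the listed hosts is the network operator's call, but nothing in this packet supports the "C&C traffic" classification.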
momoxhemo (Author) Posted June 1, 2011

I apologize for not explicitly saying that I knew about DHT, I was more curious if there was anything else on that server that might have gotten them confused. At any rate, the important question for me is, if I disable DHT in utorrent, will it prevent any and all connection to that server?
DreadWingKnight Posted June 1, 2011

Yes, but it doesn't address the horrendous false positive in the botnet detection system.
momoxhemo (Author) Posted June 1, 2011

I already emailed the provider of that list to let them know of their problem.