mailing list archives
Re: What to do with bot networks
From: Ron DuFresne <dufresne () winternet com>
Date: Sat, 4 Dec 2004 21:27:21 -0600 (CST)
On Fri, 3 Dec 2004, Conor Sibley wrote:
It all started yesterday when one of my servers got hacked. An ssh
phisher got lucky and found an account with a weak password open on my
server. Two shellcode attempts later they had full access via root.
They ran a super scanner and started an Energy Mech variant which
connected back to their bot network. This is where my dilemma
startedâ¦ so I logged onto the bot network and lo-and-behold hundreds
start responding. I'm reasonably sure that this network will be used
"4-3v1l && !G00D" so, the question I am asking myself is: "What next".
-Do I disable the network
This is a huge network that is likely used for DDOSing. If you've
ever been DOSed... it sux.
Always, till the system has been repaired or restored or reinstalled and
patched to prevent another compromise.
-Do I report to ISP or authorities
The ISP is in an eastern European country and I don't know if the
local authorities would do anything let alone care.
Reporting to the ISP if you have enough info for them to act on would
certainly be a benefit for you and fellow clients of the ISP, if you have
IP specific, they can setup blocks in the routers to limit/prevent further
client compromise. They can also then take over and do all or most of the
reporting/notification to others from that point on. They may contact you
further to gleen more info from you, save all logs if going this route.
-Do I do nothing
This option sucks but it sure is the easiest
If you are not technically savvy enough to know if you have logged
anything useful to you and or others, this might have to be your option
while learning more should there be future strikes of this and related
So, in derteminging how to repond these are the steps;
1) Always disconnect while cleaning up.fixing/patching, otherwise you
might well lose control of those steps, let alone you are now a risk to
all your internet neighbors.
2) determining if it's worth any effort in informing/involving others
depends upon a number of sub factor;
a> skills of the admin
b> logs/evidence related to the compromise that could be used to
block/trace/warn others of what's happening from where. Lacking
info, while even try? It will likely make you sound like the
clueless person you might be, <see a above>.
c> another factor here depends upon if this is a home/soho
user/net or a place of employment incident. home/soho users can
use the above guidlines, company empyees have to deal with their
appropriate support centers within the organization, those support
centers will know what the policies and proceedures are for the
company and take appropiate actions.
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Full-Disclosure - We believe in it.