Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations - Cornell
From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Tue, 7 Sep 2004 11:19:43 -0400
> Usually after sending in a notice I will see that the problem was fixed a few days later, but I'll never get a response back. I know the reason for that here: complaints are bounced around between departments until they get to the person in charge of the offending machine, but by then the original contact has usually been removed. Maybe someone can poke Cornell? (%:~)- host 128.253.153.155
All,

FYI, we at Cornell are working very hard to squash down IRC bots and Command and Control servers in the last few weeks. We have knocked off two C&C systems in the last few days, and have knocked off over 100 bots on our ResNet since Friday (with many more to be done today). The bot listed above was caught but not cleaned properly. It has since been re-blocked.

Right now, the identification process involves NetFlow analysis mixed with some nmap scans. In the next few weeks, we will have QRadar up and running, which will help us identify suspicious IRC traffic (on all ports) and other indications of compromise (like rogue FTP servers on weird ports).

If anyone has IP addresses that are in the Cornell IP space that are either bots or C&C servers, please send the IP and any supporting data you have to <security () cornell edu>.

Thanks.

-Dan

_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu
phone: 607-255-7657

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
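The post describes NetFlow analysis as the first pass for finding bots and their C&C rendezvous points, including IRC on non-standard ports. The script below is an added illustration of that kind of flow-only heuristic; it is not Cornell's tooling or anything from the QRadar product. It ranks (destination, port) pairs that many campus hosts hold long-lived, low-volume TCP sessions to, which is how an idle IRC bot channel looks in flow data regardless of port. The campus prefix, the thresholds and the sample flow records are all constructed assumptions.

```python
"""Rank (host, port) pairs that look like IRC-style command-and-control
rendezvous points, using only NetFlow-style records (no payload).

Heuristic: several distinct campus hosts keep long-lived, low-volume TCP
sessions open to the same endpoint. The destination port is not part of the
test, so bots talking on non-standard ports are caught too. The destination
may be on campus as well, since C&C servers can sit inside the network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Hypothetical campus range (assumption); substitute the real internal prefixes.
CAMPUS_NETS = [ip_network("10.0.0.0/8")]

# Thresholds are assumptions; tune them against your own traffic baseline.
MIN_SOURCES = 3        # distinct campus hosts talking to the same endpoint
MIN_DURATION_S = 600   # sessions that stay up for at least ten minutes
MAX_RATE_BPS = 50.0    # idle keep-alive chatter is only a few bytes per second

# Constructed sample records, not real data: src,dst,dport,proto,duration_s,bytes
# Group 1: three ResNet hosts parked on an IRC server on the standard port.
# Group 2: four hosts parked on an IRC-like server hiding on port 8443.
# Group 3: a busy web server (many clients, but sessions last seconds).
# Group 4: a video stream (long sessions, but high throughput).
# Last line: a single host talking to an on-campus box; too few sources to flag.
SAMPLE_FLOWS = """\
10.0.1.10,203.0.113.7,6667,tcp,3600,9000
10.0.1.11,203.0.113.7,6667,tcp,3500,8000
10.0.1.12,203.0.113.7,6667,tcp,4100,7000
10.0.2.5,198.51.100.20,8443,tcp,7200,12000
10.0.2.6,198.51.100.20,8443,tcp,6900,11000
10.0.2.7,198.51.100.20,8443,tcp,7100,10500
10.0.2.8,198.51.100.20,8443,tcp,6500,9800
10.0.3.1,192.0.2.80,443,tcp,2,15000
10.0.3.2,192.0.2.80,443,tcp,3,22000
10.0.3.3,192.0.2.80,443,tcp,1,9000
10.0.3.4,192.0.2.80,443,tcp,4,31000
10.0.4.1,192.0.2.99,1935,tcp,5400,900000000
10.0.4.2,192.0.2.99,1935,tcp,5300,850000000
10.0.4.3,192.0.2.99,1935,tcp,5100,870000000
10.0.1.10,10.0.9.9,6667,tcp,3600,9000
"""


def parse_flows(text):
    """Turn CSV flow lines into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto, duration, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport), "proto": proto,
                      "duration": float(duration), "bytes": int(nbytes)})
    return flows


def is_campus(addr):
    """True if the address falls inside one of the campus prefixes."""
    ip = ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


def find_cc_candidates(flows, min_sources=MIN_SOURCES,
                       min_duration=MIN_DURATION_S, max_rate=MAX_RATE_BPS):
    """Return endpoints with many long, quiet sessions from campus hosts,
    most sources first. Each finding carries the evidence used to flag it."""
    groups = defaultdict(list)
    for f in flows:
        if f["proto"] != "tcp" or not is_campus(f["src"]):
            continue
        groups[(f["dst"], f["dport"])].append(f)

    findings = []
    for (dst, dport), group in groups.items():
        sources = {f["src"] for f in group}
        if len(sources) < min_sources:
            continue
        rates = [f["bytes"] / f["duration"] for f in group if f["duration"] > 0]
        if not rates:
            continue  # zero-length flows carry no rate information
        med_duration = median(f["duration"] for f in group)
        med_rate = median(rates)
        if med_duration >= min_duration and med_rate <= max_rate:
            findings.append({"dst": dst, "dport": dport, "sources": sorted(sources),
                             "median_duration_s": med_duration,
                             "median_rate_bps": round(med_rate, 2)})
    findings.sort(key=lambda r: (-len(r["sources"]), r["dst"]))
    return findings


if __name__ == "__main__":
    for finding in find_cc_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{finding['dst']}:{finding['dport']} <- {len(finding['sources'])} hosts, "
              f"median {finding['median_duration_s']:.0f}s at {finding['median_rate_bps']} B/s")
```

The output is a list of endpoints to examine, not a verdict: the flagged sources are the hosts to pull for cleaning, and the destination is what the follow-up (packet capture or a targeted scan of the sort the post mentions) confirms as IRC or not. Legitimate long idle sessions such as SSH or a chat client's persistent connection will show up with the same shape, so the thresholds and an allow-list of known services do the real work in practice.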