Full Disclosure mailing list archives
Re: What to do with bot networks
From: Ron DuFresne <dufresne () winternet com>
Date: Sat, 4 Dec 2004 21:27:21 -0600 (CST)
On Fri, 3 Dec 2004, Conor Sibley wrote:
> It all started yesterday when one of my servers got hacked. An ssh phisher got lucky and found an account with a weak password open on my server. Two shellcode attempts later they had full access via root. They ran a super scanner and started an Energy Mech variant which connected back to their bot network. This is where my dilemma started... so I logged onto the bot network and lo-and-behold hundreds start responding. I'm reasonably sure that this network will be used "4-3v1l && !G00D" so, the question I am asking myself is: "What next".
>
> -Do I disable the network
> This is a huge network that is likely used for DDOSing. If you've ever been DOSed... it sux.

Always, till the system has been repaired or restored or reinstalled and patched to prevent another compromise.

> -Do I report to ISP or authorities
> The ISP is in an eastern European country and I don't know if the local authorities would do anything, let alone care.

Reporting to the ISP, if you have enough info for them to act on, would certainly be a benefit for you and fellow clients of the ISP; if you have IP specifics, they can set up blocks in the routers to limit/prevent further client compromise. They can also then take over and do all or most of the reporting/notification to others from that point on. They may contact you further to glean more info from you; save all logs if going this route.

> -Do I do nothing
> This option sucks but it sure is the easiest

If you are not technically savvy enough to know if you have logged anything useful to you and/or others, this might have to be your option while learning more should there be future strikes of this and related sorts.

So, in determining how to respond, these are the steps:

1) Always disconnect while cleaning up/fixing/patching, otherwise you might well lose control of those steps, let alone you are now a risk to all your internet neighbors.

2) Determining if it's worth any effort in informing/involving others depends upon a number of sub-factors:

a> skills of the admin

b> logs/evidence related to the compromise that could be used to block/trace/warn others of what's happening from where. Lacking info, why even try? It will likely make you sound like the clueless person you might be, <see a above>.

c> another factor here depends upon if this is a home/soho user/net or a place of employment incident. Home/soho users can use the above guidelines; company employees have to deal with their appropriate support centers within the organization, those support centers will know what the policies and procedures are for the company and take appropriate actions.

Thanks,

Ron DuFresne
--
"Sometimes you get the blues because your baby leaves you. Sometimes you get 'em 'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
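To act on Ron's point 2b (logs/evidence that let you block, trace or warn others), here is an added example, not code from the original thread, that pulls the brute-force-then-success pattern Conor describes out of sshd log lines and summarises it for an ISP abuse report. The log lines, hostnames and addresses are constructed; the parser assumes the classic OpenSSH syslog message format.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original post), in the
# classic syslog-style OpenSSH format.
SAMPLE_AUTH_LOG = """\
Dec  2 03:14:01 srv sshd[2210]: Failed password for invalid user test from 203.0.113.7 port 40122 ssh2
Dec  2 03:14:03 srv sshd[2212]: Failed password for root from 203.0.113.7 port 40130 ssh2
Dec  2 03:14:05 srv sshd[2214]: Failed password for admin from 203.0.113.7 port 40141 ssh2
Dec  2 03:14:09 srv sshd[2218]: Accepted password for admin from 203.0.113.7 port 40160 ssh2
Dec  2 09:30:12 srv sshd[3301]: Accepted publickey for ron from 198.51.100.5 port 51000 ssh2
Dec  2 10:02:44 srv sshd[3410]: Failed password for oracle from 192.0.2.88 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text):
    """Yield one dict per sshd login event; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_sources(text, min_failures=3):
    """Return {ip: {"failures": n, "accepted": [(ts, user, method), ...]}} for
    every source that failed at least min_failures times and then got in."""
    stats = defaultdict(lambda: {"failures": 0, "accepted": []})
    for ev in parse_auth_log(text):
        s = stats[ev["ip"]]
        if ev["result"] == "Failed":
            s["failures"] += 1
        elif s["failures"] >= min_failures:
            s["accepted"].append((ev["ts"], ev["user"], ev["method"]))
    return {ip: s for ip, s in stats.items() if s["accepted"]}

def abuse_report(text, min_failures=3):
    """Plain-text summary an admin can attach to an ISP abuse report."""
    lines = []
    for ip, s in sorted(suspicious_sources(text, min_failures).items()):
        lines.append(f"source {ip}: {s['failures']} failed logins before success")
        for ts, user, method in s["accepted"]:
            lines.append(f"  {ts} accepted {method} for account '{user}'")
    return "\n".join(lines)

if __name__ == "__main__":
    print(abuse_report(SAMPLE_AUTH_LOG))
```

Run it against your real auth log instead of the sample, and keep the original log file untouched alongside the summary, since the ISP may ask for it.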
Current thread:
- What to do with bot networks Conor Sibley (Dec 03)
- Re: What to do with bot networks Paul Schmehl (Dec 03)
- AW: What to do with bot networks Robert Marquardt (Dec 03)
- Re: What to do with bot networks Ron DuFresne (Dec 04)
- Re: What to do with bot networks Paul Schmehl (Dec 03)