Full Disclosure mailing list archives

Re: What to do with bot networks


From: Ron DuFresne <dufresne () winternet com>
Date: Sat, 4 Dec 2004 21:27:21 -0600 (CST)

On Fri, 3 Dec 2004, Conor Sibley wrote:

> It all started yesterday when one of my servers got hacked.  An ssh
> phisher got lucky and found an account with a weak password open on my
> server.  Two shellcode attempts later they had full access via root.
> They ran a super scanner and started an Energy Mech variant which
> connected back to their bot network.  This is where my dilemma
> started... so I logged onto the bot network and lo-and-behold hundreds
> start responding.  I'm reasonably sure that this network will be used
> "4-3v1l && !G00D" so, the question I am asking myself is: "What next".
>
> -Do I disable the network
> This is a huge network that is likely used for DDOSing.  If you've
> ever been DOSed... it sux.


Always, until the system has been repaired, restored or reinstalled, and
patched to prevent another compromise.




> -Do I report to ISP or authorities
> The ISP is in an eastern European country and I don't know if the
> local authorities would do anything let alone care.


Reporting to the ISP, if you have enough info for them to act on, would
certainly be a benefit to you and to the ISP's other clients; if you have
IP specifics, they can set up blocks in the routers to limit/prevent further
client compromise.  They can also then take over and do all or most of the
reporting/notification to others from that point on.  They may contact you
further to glean more info from you; save all logs if going this route.

> -Do I do nothing
> This option sucks but it sure is the easiest




If you are not technically savvy enough to know whether you have logged
anything useful to you and/or others, this might have to be your option
while you learn more, should there be future strikes of this and related
sorts.

So, in determining how to respond, these are the steps:

1) Always disconnect while cleaning up/fixing/patching; otherwise you
might well lose control of those steps, let alone that you are now a risk to
all your internet neighbors.

2) Determining whether it's worth any effort informing/involving others
depends upon a number of sub-factors:

        a>  skills of the admin
        b>  logs/evidence related to the compromise that could be used to
        block/trace/warn others of what's happening from where.  Lacking
        info, why even try?  It will likely make you sound like the
        clueless person you might be, <see a above>.
        c>  another factor here depends upon whether this is a home/SOHO
        user/net or a place-of-employment incident.  Home/SOHO users can
        use the above guidelines; company employees have to deal with their
        appropriate support centers within the organization, which will
        know what the policies and procedures are for the company and
        take appropriate action.

Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
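Point b> above turns on whether the logs actually hold "what's happening from where". Below is an added example, not code from either poster, of the triage a practitioner would run on a copy of the sshd log before wiping the box: it parses the classic syslog-style OpenSSH "Failed"/"Accepted" lines, picks out the source addresses whose password guessing ended in an accepted login (the "lucky ssh phisher" from the original post), and produces the IP-specific lines an ISP abuse desk can act on, together with a SHA-256 of the raw log taken before anything else is touched. The log lines are constructed for this example (documentation address ranges, made-up host and times), and the failure threshold of three is an assumed value, not anything the thread states.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines, written for this example; the
# hosts, times and addresses (documentation ranges) are assumptions, not
# data from the post. The lines are in chronological order, as in a real log.
SAMPLE_LOG = """\
Dec  2 03:14:07 srv sshd[2001]: Failed password for root from 192.0.2.10 port 4022 ssh2
Dec  2 03:14:09 srv sshd[2003]: Failed password for invalid user test from 192.0.2.10 port 4023 ssh2
Dec  2 03:14:11 srv sshd[2005]: Failed password for invalid user admin from 192.0.2.10 port 4024 ssh2
Dec  2 03:14:13 srv sshd[2007]: Failed password for backup from 192.0.2.10 port 4025 ssh2
Dec  2 03:14:15 srv sshd[2009]: Accepted password for backup from 192.0.2.10 port 4026 ssh2
Dec  2 03:20:40 srv sshd[2031]: Failed password for invalid user oracle from 198.51.100.7 port 51022 ssh2
Dec  2 08:00:01 srv sshd[2100]: Accepted publickey for alice from 203.0.113.5 port 50110 ssh2
"""

# OpenSSH "Accepted"/"Failed" authentication lines in classic syslog form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def evidence_digest(text):
    """SHA-256 of the raw log text. Record this before touching the box so the
    copy handed to the ISP can later be shown to match what was collected."""
    return hashlib.sha256(text.encode()).hexdigest()


def parse_sshd_log(text):
    """Yield one dict per recognised sshd authentication line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_by_source(text):
    """Per source IP: failure count, accepted logins and first/last timestamps.

    Each accepted login is recorded as (user, method, failures_before_it), so a
    later check can tell a password found by guessing from an ordinary login.
    """
    summary = defaultdict(
        lambda: {"failed": 0, "accepted": [], "first": None, "last": None}
    )
    for ev in parse_sshd_log(text):
        s = summary[ev["ip"]]
        if ev["result"] == "Failed":
            s["failed"] += 1
        else:
            s["accepted"].append((ev["user"], ev["method"], s["failed"]))
        if s["first"] is None:
            s["first"] = ev["ts"]
        s["last"] = ev["ts"]
    return dict(summary)


def brute_force_successes(summary, min_failures=3):
    """Source IPs that failed at least min_failures times (assumed threshold)
    and then had a password login accepted: the guessed-password pattern."""
    return sorted(
        ip
        for ip, s in summary.items()
        if any(
            method == "password" and failed_before >= min_failures
            for _, method, failed_before in s["accepted"]
        )
    )


def abuse_report(text, min_failures=3):
    """One plain-text line per offending source IP, with the specifics an ISP
    abuse desk can act on: address, counts, account and time window."""
    summary = summarize_by_source(text)
    lines = []
    for ip in brute_force_successes(summary, min_failures):
        s = summary[ip]
        users = ", ".join(
            user for user, method, _ in s["accepted"] if method == "password"
        )
        lines.append(
            f"{ip}: {s['failed']} failed password attempts, then accepted "
            f"password login as {users} ({s['first']} .. {s['last']}); "
            f"log sha256 {evidence_digest(text)[:16]}..."
        )
    return lines


if __name__ == "__main__":
    for line in abuse_report(SAMPLE_LOG):
        print(line)
```

Two caveats when using output like this for a report. Syslog lines carry no year or timezone, so state both explicitly in what you send, or the ISP cannot match your window against their own records. And the source address is very likely another compromised machine rather than the operator's own, exactly as the original poster's server became one, so word the report as "these connections came from this address at these times" and let the ISP contact the owner, which fits the hand-off described in the reply above.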

