Hi David,
I have a few different responses for you which I hope can help. The first part
about there being no immediate threat is not necessarily true. You are blocking
the IRC portion, but you might not be blocking other components of the
infection. This can range from file deletions, spyware installation,
keylogging, scanning/exploitation across the network, and so on. The best thing
to do depending on what your policies are would probably be to get the machine
off the network until it can be cleaned (not sure if you have authorization for
this). One of the biggest threats at this point is to the customers but it could
still potentially affect [infect] your network.
There are also a number of legitimate reasons to run IRC servers on various
ports, however, this is a good indication that is probably not a friendly
server. That and the repeated connection attempts would definitely indicate
this. Go to the machines or connect to the servers yourself (preferably through
a proxy or something) and verify it is in fact a bot server. You never know --
it could be something else. No need to report it to the owner if it turns out
to be some tech support IRC command based chat program.
If you can do packet captures and more analysis you can be 100% sure about some
of the activity as well.
Good luck!
Steven
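As an added illustration of the "same addresses repeatedly, 24 hours a day" pattern both messages describe (this is editorial example code, not anything Steven or Dave posted), the script below parses constructed firewall DENY lines and flags source/destination pairs that retry TCP 8080 at a steady cadence, which is what distinguishes a bot polling its controller from a person clicking "reconnect" a few times. The iptables-style log format, the field names and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of firewall DENY lines in an iptables-style syslog format
# (an assumption: adapt LINE_RE to whatever your own firewall logs).
SAMPLE_LOG = """\
Mar  9 00:02:11 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.1.23 DST=203.0.113.7 PROTO=TCP DPT=8080
Mar  9 00:07:12 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.1.23 DST=203.0.113.7 PROTO=TCP DPT=8080
Mar  9 00:12:13 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.1.23 DST=203.0.113.7 PROTO=TCP DPT=8080
Mar  9 00:17:14 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.1.23 DST=203.0.113.7 PROTO=TCP DPT=8080
Mar  9 08:00:00 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.1.55 DST=192.0.2.20 PROTO=TCP DPT=8080
Mar  9 08:00:40 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.1.55 DST=192.0.2.20 PROTO=TCP DPT=8080
Mar  9 11:15:00 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.1.55 DST=192.0.2.20 PROTO=TCP DPT=8080
Mar  9 11:16:05 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.1.55 DST=192.0.2.20 PROTO=TCP DPT=8080
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")
LOG_YEAR = 2006  # syslog timestamps carry no year; the thread dates from March 2006

def parse_deny_log(text):
    """Return (timestamp, src, dst, dport) tuples for every line LINE_RE matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events

def flag_persistent_retries(events, port=8080, min_attempts=4, max_jitter=0.25):
    """Flag (src, dst) pairs that retry `port` at least min_attempts times at a steady
    cadence (low relative jitter); bursty, irregular retries fall below the bar."""
    by_flow = defaultdict(list)
    for ts, src, dst, dpt in events:
        if dpt == port:
            by_flow[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_flow.items():
        if len(stamps) < min_attempts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0  # relative spread of the retry interval
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "attempts": len(stamps),
                             "interval_s": round(avg), "jitter": round(jitter, 3)})
    return findings
```

With the sample above, 10.1.1.23 (four blocked attempts every ~301 s) is flagged while 10.1.1.55 (four attempts in two irregular bursts) is not; a flagged pair is the host to pull off the network and the capture to take, per Steven's advice, not yet proof of a controller.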
----- Original Message -----
Sent: Thursday, March 09, 2006 3:17 AM
Subject: [botnets] Possible Bot Controllers
To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
Please forgive the newbie question -
I'll try to make it my only one :^)
A couple of PCs here are trying to get to IRC servers on TCP port 8080.
The traffic is blocked and logged by our firewalls, so is no immediate threat
in itself. The destination addresses are not associated with any known malware
(or weren't last time I looked), so I can't be absolutely certain that the IRC
boxes are controllers (though it's difficult to think of an innocent reason
for putting IRC servers on 8080 or for a PC trying the same addresses
repeatedly 24 hours a day!).
What is the etiquette in such a case? Should I report the IRC servers to the
site administrator(s)? Should I report the addresses here (or elsewhere) even
though I'm not certain that they are bot-related?
Unfortunately my organisation only provides network
services to our client, so I cannot produce any useful evidence from the PCs
themselves, and their IT dept has neither the time nor the skills to extract
any such evidence - if they do anything at all, it'll probably be a
re-installation.
Thanks.
Regards,
Dave
***Disclaimer**** This e-mail and any attachments may contain
confidential and/or privileged material; it is for the intended addressee(s)
only. If you are not a named addressee, you must not use, retain or disclose
such information. Serco cannot guarantee that the e-mail or any attachments
are free from viruses. The views expressed in this e-mail are those of the
originator and do not necessarily represent the views of Serco. Nothing in
this e-mail shall bind Serco in any contract or obligation. Serco Group
plc. Registered in England and Wales. No: 2048608 Registered Office: Serco
House, 16 Bartley Wood Business Park, Bartley Way, Hook, Hampshire, RG27 9UY,
United Kingdom.
_______________________________________________
botnets mailing list
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets