To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Thanks Steven.
As you guessed, I don't have the authority to pull the machine. All I can do is report it to the client's IT dept, which I have done several times.
You're right about the machine being a potential threat to others, of course, though the lack of a flurry of similar symptoms suggests that if it is propagating within our network, it is not doing so very successfully.
Without information from the infected PC, is there any way to tell if the IRC server is definitely a botnet controller - I'm no IRC expert (in fact, not even a user) so, though I have downloaded a client just in case, I wouldn't know where to begin.
Thanks again.
Regards,
Dave
_____________________
David Long
Network Analyst
Serco Solutions
01223 717582
[EMAIL PROTECTED]
www.serco.com
bringing service to life
______________________
From: "Steven" <[EMAIL PROTECTED]>
Sent: 10/03/2006 01:45
To: <[email protected]>, <[EMAIL PROTECTED]>
Cc:
Subject: Re: [botnets] Possible Bot Controllers
Hi David,
I have a few different responses for you which I hope can help. The first part about there being no immediate threat is not necessarily true. You are blocking the IRC portion, but you might not be blocking other components of the infection. This can range from file deletions, spyware installation, keylogging, scanning/exploitation across the network, and so on. The best thing to do depending on what your policies are would probably be to get the machine off the network until it can be cleaned (not sure if you have authorization for this). One of the biggest threats at this point is to the customers but it could still potentially affect [infect] your network.
There are also a number of legitimate reasons to run IRC servers on various ports, however, this is a good indication that it is probably not a friendly server. That and the repeated connection attempts would definitely indicate this. Go to the machines or connect to the servers yourself (preferably through a proxy or something) and verify it is in fact a bot server. You never know -- it could be something else. No need to report it to the owner if it turns out to be some tech support IRC command based chat program.
If you can do packet captures and more analysis you can be 100% sure about some of the activity as well.
Good luck!
Steven
----- Original Message -----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: Thursday, March 09, 2006 3:17 AM
Subject: [botnets] Possible Bot Controllers
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Please forgive the newbie question - I'll try to make it my only one :^)
A couple of PCs here are trying to get to IRC servers on TCP port 8080. The traffic is blocked and logged by our firewalls, so it is no immediate threat in itself. The destination addresses are not associated with any known malware (or weren't last time I looked), so I can't be absolutely certain that the IRC boxes are controllers (though it's difficult to think of an innocent reason for putting IRC servers on 8080 or for a PC trying the same addresses repeatedly 24 hours a day!).
What is the etiquette in such a case? Should I report the IRC servers to the site administrator(s)? Should I report the addresses here (or elsewhere) even though I'm not certain that they are bot-related?
Unfortunately my organisation only provides network services to our client, so I cannot produce any useful evidence from the PCs themselves, and their IT dept has neither the time nor the skills to extract any such evidence - if they do anything at all, it'll probably be a re-installation.
Thanks.
Regards,
Dave
***Disclaimer****
This e-mail and any attachments may contain confidential and/or privileged material; it is for the intended addressee(s) only. If you are not a named addressee, you must not use, retain or disclose such information.
Serco cannot guarantee that the e-mail or any attachments are free from viruses.
The views expressed in this e-mail are those of the originator and do not necessarily represent the views of Serco.
Nothing in this e-mail shall bind Serco in any contract or obligation.
Serco Group plc. Registered in England and Wales. No: 2048608
Registered Office: Serco House, 16 Bartley Wood Business Park, Bartley Way, Hook, Hampshire, RG27 9UY, United Kingdom.
_______________________________________________
botnets mailing list
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
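The original post describes the only evidence available in this situation: firewall deny logs showing internal PCs retrying the same external address on TCP 8080 around the clock. The script below is an added example (not code from the thread or from either poster) that turns that observation into a repeatable check: it groups blocked outbound connections by source, destination and port, and flags flows that keep retrying at many different hours of the day, including the quiet overnight period, which is the pattern Dave describes. The log line format, the sample log lines, the IP addresses (RFC 5737 documentation ranges) and the thresholds are all constructed assumptions; adapt the regex to your own firewall's export format.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed log line format (constructed for this example; adjust to your firewall):
#   <ISO timestamp> <DENY|ALLOW> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Hours treated as "nobody should be at the keyboard" (assumed local quiet period).
OUT_OF_HOURS = range(0, 6)

# Constructed sample log: two PCs retrying 8080 every ~3 hours day and night,
# one PC with a few daytime attempts (e.g. a mistyped proxy), one allowed flow.
SAMPLE_LOG = """\
2006-03-08T00:12:00 DENY TCP 10.1.2.34:1045 -> 192.0.2.10:8080
2006-03-08T01:30:00 DENY TCP 10.1.2.57:2201 -> 198.51.100.7:8080
2006-03-08T03:12:00 DENY TCP 10.1.2.34:1101 -> 192.0.2.10:8080
2006-03-08T04:31:00 DENY TCP 10.1.2.57:2260 -> 198.51.100.7:8080
2006-03-08T06:13:00 DENY TCP 10.1.2.34:1160 -> 192.0.2.10:8080
2006-03-08T07:30:00 DENY TCP 10.1.2.57:2311 -> 198.51.100.7:8080
2006-03-08T09:05:00 DENY TCP 10.1.2.99:3001 -> 203.0.113.5:8080
2006-03-08T09:06:00 DENY TCP 10.1.2.99:3002 -> 203.0.113.5:8080
2006-03-08T09:12:00 DENY TCP 10.1.2.34:1222 -> 192.0.2.10:8080
2006-03-08T10:30:00 DENY TCP 10.1.2.57:2370 -> 198.51.100.7:8080
2006-03-08T11:00:00 ALLOW TCP 10.1.2.99:3010 -> 203.0.113.9:443
2006-03-08T12:14:00 DENY TCP 10.1.2.34:1280 -> 192.0.2.10:8080
2006-03-08T13:31:00 DENY TCP 10.1.2.57:2433 -> 198.51.100.7:8080
2006-03-08T14:20:00 DENY TCP 10.1.2.99:3044 -> 203.0.113.5:8080
2006-03-08T15:12:00 DENY TCP 10.1.2.34:1340 -> 192.0.2.10:8080
2006-03-08T16:30:00 DENY TCP 10.1.2.57:2490 -> 198.51.100.7:8080
2006-03-08T18:13:00 DENY TCP 10.1.2.34:1401 -> 192.0.2.10:8080
2006-03-08T19:30:00 DENY TCP 10.1.2.57:2551 -> 198.51.100.7:8080
2006-03-08T21:12:00 DENY TCP 10.1.2.34:1460 -> 192.0.2.10:8080
2006-03-08T22:30:00 DENY TCP 10.1.2.57:2610 -> 198.51.100.7:8080
2006-03-09T00:12:00 DENY TCP 10.1.2.34:1521 -> 192.0.2.10:8080
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for blocked TCP lines; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["action"] != "DENY" or m["proto"] != "TCP":
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_persistent_beacons(text, min_attempts=6, min_distinct_hours=6):
    """Flag (src, dst, dport) flows that are retried persistently: at least
    min_attempts blocked connections, spread over min_distinct_hours different
    hours of the day, with at least one attempt during the quiet period.
    The median gap between attempts is reported so a regular cadence stands out."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in flows.items():
        stamps.sort()
        hours = {t.hour for t in stamps}
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        if (len(stamps) >= min_attempts
                and len(hours) >= min_distinct_hours
                and any(t.hour in OUT_OF_HOURS for t in stamps)):
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "attempts": len(stamps),
                "distinct_hours": len(hours),
                "median_gap_min": round(median(gaps), 1) if gaps else None,
            })
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))


if __name__ == "__main__":
    for f in find_persistent_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  attempts={f['attempts']} "
              f"hours={f['distinct_hours']} median_gap={f['median_gap_min']}min")
```

Run against the constructed sample, the two round-the-clock flows are reported and the three daytime attempts from 10.1.2.99 are not. The output is a list of internal hosts to hand to the client's IT department along with the evidence (attempt count, hours covered, cadence), which is the only kind of evidence a network-only provider can produce; it does not, on its own, prove the destination is a controller.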
