To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
in-line:
J. Oquendo wrote:
> Gadi Evron wrote:
>
>> I'd like to quote Joe, for historical purposes:
>>
>> Obviously there is money being made here - the economics of exploiting
>> end-user systems for the purposes of spam has been an established business
>> model for at least four years now.
>
> Perhaps it's been longer than that. Maybe it's just been noticed within the
> past four, who knows.
>
> Anyhow, it's surprising that some software vendor hasn't upped the ante here
> and begun to block offending IP addresses associated with these C&C's. How
> difficult would it be to, say, create a scripted module that "greps" out the IP
> addressing from these bots, takes that IP address, and firewalls it out from
> their subnet.
>
> Eg:
>
> Supposing my logfiles alert me with an IP and port which looks like:
>
> 192.168.1.10:18607
> 10.1.20.123:32312
> 120.120.110.110:18607
---------------------------
Just curious, are you addressing this via IPs & port(s)? If so, what
happens if these IPs are doing port hopping? Are you doing any sort of
L7 monitoring? What happens if it is a virtual IP?
How are you guys doing any bogon filtering?
regards,
/virendra
>
> # print one iptables command per matching line, then hand the commands to a shell
> awk '/18607/{gsub(/:/," "); print "iptables -A INPUT -p tcp -j DROP -s", $1}' logfiles | sh
>
> Or pick your favorite script... Anyhow, I'm sure most understand what I'm
> getting to. Sure this only works on networks where ipchains is used, but I
> can think of plenty of ways to filter these issues before they infest your
> network...
>
> What I still find strange, and I guess I will be an odd man out is, why
> providers are so reluctant to get off their rears and address these issues.
> Let's be realistic, who on the planet is using port 18607? I know if I was
> still in the ISP business and I saw these obscure ass ports, they'd be
> filtered. Last thing I need would be some crazy ass Code Red like worm taking
> my network down. It's surprising most engineers (and you lazy bums know who
> you are) allow stupidity. I guess the Forrest Gump rule applies: stupid is as
> stupid does.
>
> Gadi by the way, I know a few years back (I don't know maybe 2 or so around
> the SDBot days... Hell I don't even know if you recall) I had intended on
> helping with this project (Botnet). Apologies I've been off and on, but I
> relocated, etc., etc. If you need anything give a holler.
>
> ====================================================
> J. Oquendo
> sil . infiltrated @ net http://www.infiltrated.net
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> 26:0608031813:J. Oquendo::fNaE6zH/HDTggYKS:005zLMj
>
> The happiness of society is the end of government.
> John Adams
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
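Putting the awk one-liner and virendra's port-hopping and bogon questions together, here is an added Python example (not code from either poster). It assumes the log lines carry the remote end's ip:port exactly as in the quoted sample; SAMPLE_LOG, the function names and the thresholds are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the "ip:port" shape quoted in the thread; the
# 120.120.110.x hosts are illustrative, not real indicators.
SAMPLE_LOG = """\
192.168.1.10:18607
120.120.110.110:18607
120.120.110.110:18607
120.120.110.111:18607
120.120.110.111:22001
120.120.110.111:31337
"""
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

def parse_hits(text):
    """Map each ip to {port: count}, ignoring lines that are not ip:port."""
    hits = defaultdict(lambda: defaultdict(int))
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and int(m.group(2)) <= 65535:
            hits[m.group(1)][int(m.group(2))] += 1
    return hits

def block_candidates(hits, watch_ports, min_hits=2, hop_threshold=3):
    """(ip, watched ports seen, hopping) for public IPs seen on a watched port
    at least min_hits times; hopping = seen on hop_threshold+ distinct ports."""
    out = []
    for ip, ports in sorted(hits.items()):
        # RFC1918, loopback, link-local and other bogon space never makes the
        # list: a DROP on it would firewall your own subnet, not the C&C.
        if not ipaddress.ip_address(ip).is_global:
            continue
        seen = sorted(p for p in ports if p in watch_ports)
        hopping = len(ports) >= hop_threshold
        if not seen or (sum(ports[p] for p in seen) < min_hits and not hopping):
            continue
        out.append((ip, seen, hopping))
    return out

def iptables_rules(candidates):
    """Render DROP rules for review. The logged port is the remote end's, so it
    matches --sport on inbound replies; a port-hopper gets a source-only rule."""
    rules = []
    for ip, ports, hopping in candidates:
        if hopping:
            rules.append(f"iptables -A INPUT -p tcp -s {ip} -j DROP")
        else:
            rules += [f"iptables -A INPUT -p tcp -s {ip} --sport {p} -j DROP" for p in ports]
    return rules
```

The rules are returned as strings rather than executed, so they can be reviewed before anything is appended to a live chain.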