To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

On Mon, 8 Jan 2007, Sean Zadig wrote:

> Greetings all,
>
> I'm looking for suggestions on innovative ways to find zombie machines on my
> networks. Right now, we're looking for IRC traffic and doing some checking
> for connections to C&C machines (using Shadowserver and various other C&C
> lists).
>
> Do any of you have any recommendations for other methods? So far, I haven't
> been able to find too much zombie activity, but I have a feeling it's there.
> We simply have too many machines for there not to be some activity.
Hi Sean. :)

Before you get too complicated and complex, start by checking netflow
information, as well as DNS information.

If 15K machines are going to one computer out in the world and it is not
CNN, you have a problem.

If suddenly most DNS requests are for a not previously seen RR, you have
trouble.

> Thanks,
> Sean Zadig
>
> Sean Zadig
> Special Agent
> NASA OIG Computer Crimes Division
> Goddard Space Flight Center
> 301.286.8232
> PGP Key: 0xE9659D75

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
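The two checks suggested in the reply above, worked as an added example that is not part of the list post: a netflow fan-in check (many internal hosts talking to one external host that is not a known popular destination) and a "never seen before" DNS name check. All records, the known-popular list, the baseline name set and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the list post): netflow-style records as
# (internal_src, external_dst) pairs and DNS queries as (client, qname) pairs.
FLOWS = [
    ("10.0.1.5", "203.0.113.7"), ("10.0.1.6", "203.0.113.7"),
    ("10.0.2.9", "203.0.113.7"), ("10.0.3.1", "203.0.113.7"),
    ("10.0.1.5", "198.51.100.20"), ("10.0.1.6", "198.51.100.20"),
    ("10.0.1.5", "192.0.2.44"),
]
# Hypothetical list of destinations many hosts legitimately reach (the "CNN" case).
KNOWN_POPULAR = {"198.51.100.20"}

DNS_QUERIES = [
    ("10.0.1.5", "www.example.com"), ("10.0.1.6", "mail.example.com"),
    ("10.0.1.5", "a1b2c3.unseen-name.invalid"), ("10.0.1.6", "a1b2c3.unseen-name.invalid"),
    ("10.0.2.9", "a1b2c3.unseen-name.invalid"), ("10.0.3.1", "a1b2c3.unseen-name.invalid"),
]
# Names present in earlier DNS logs; anything else counts as "not previously seen".
BASELINE_NAMES = {"www.example.com", "mail.example.com"}


def shared_destinations(flows, known_popular, min_hosts):
    """Return {external_dst: distinct_internal_hosts} for destinations contacted
    by at least min_hosts distinct internal hosts and not on the known-popular list."""
    hosts_per_dst = defaultdict(set)
    for src, dst in flows:
        hosts_per_dst[dst].add(src)
    return {dst: len(hosts) for dst, hosts in hosts_per_dst.items()
            if len(hosts) >= min_hosts and dst not in known_popular}


def novel_name_share(queries, baseline):
    """Return (fraction of queries for names absent from the baseline, those names)."""
    novel = [name for _, name in queries if name not in baseline]
    share = len(novel) / len(queries) if queries else 0.0
    return share, sorted(set(novel))


if __name__ == "__main__":
    # Thresholds are assumptions; tune them to the size of the network.
    print(shared_destinations(FLOWS, KNOWN_POPULAR, min_hosts=3))
    share, names = novel_name_share(DNS_QUERIES, BASELINE_NAMES)
    print(f"{share:.0%} of queries are for unseen names: {names}")
```

Both checks work on aggregates rather than payloads, so they apply to encrypted or non-IRC command channels as well.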
