To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On Mon, 8 Jan 2007, Sean Zadig wrote:

:] I'm looking for suggestions on innovative ways to find zombie machines on my
:] networks. Right now, we're looking for IRC traffic and doing some checking
:] for connections to C&C machines (using Shadowserver and various other C&C
:] lists).
:]
:] Do any of you have any recommendations for other methods? So far, I haven't
:] been able to find too much zombie activity, but I have a feeling it's there.
:] We simply have too many machines for there not to be some activity.

Hello.

I suggest you find one machine and install this on it:
http://nepenthes.mwcollect.org/

It's very beautiful software for collecting malware from your network.

Secondly, you can count how many packets per second (for ports
135, 139, 445) are being sent from one IP. If it's more than 10 pps
to more than a few IPs, it is probably trojan-infected (tcpdump +
perl, bash, etc.).

Thirdly, you can use [on Linux/Unix] my small script on routers,
which uses ngrep:
http://kaneda.bohater.net/files/spamdetector.sh

and count how many unique "MAIL FROM" strings are being sent from one IP to
more than a few SMTP servers. This is the method I use to find spambots on my
network. (I run this script every 10 minutes for a few seconds.)
It's a very simple but very effective way to find spambots.

Kanedaaa

-- 
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]..
[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down...
[+] Keep walking and you get further, keep sitting and you stay sitting - etoe aka ok0
[-] Kanedaaa... Bohateur... Cucumber Team Member...     [EMAIL PROTECTED]
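The two per-source-IP heuristics from the post (packets per second to ports 135/139/445 across several hosts, and many distinct "MAIL FROM" values toward several SMTP servers), written up as an added example that is not Kanedaaa's script or any code from the list. The tcpdump-style lines and the SMTP events are constructed sample data, and the thresholds (10 pps, "more than a few" taken as 3) are assumptions.

```python
import re
from collections import defaultdict

# Matches the start of a "tcpdump -n -tt" line, e.g.
# "1168200000.12 IP 10.0.0.5.3011 > 192.168.1.20.445: Flags [S], ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d+)(?:\.\d+)? IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

def scan_suspects(lines, ports=(135, 139, 445), pps_limit=10, min_targets=3):
    """Flag sources sending more than pps_limit packets/sec to the SMB/RPC
    ports across at least min_targets distinct hosts -> {src: (pps, hosts)}."""
    stats = defaultdict(lambda: {"pkts": 0, "dsts": set(), "secs": set()})
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m or int(m["dport"]) not in ports:
            continue
        st = stats[m["src"]]
        st["pkts"] += 1
        st["dsts"].add(m["dst"])
        st["secs"].add(int(m["ts"]))        # whole seconds the source was active
    flagged = {}
    for src, st in stats.items():
        pps = st["pkts"] / len(st["secs"])  # average rate over active seconds
        if pps > pps_limit and len(st["dsts"]) >= min_targets:
            flagged[src] = (pps, len(st["dsts"]))
    return flagged

def spambot_suspects(smtp_events, min_servers=3, min_senders=3):
    """smtp_events: (src_ip, smtp_server_ip, mail_from) tuples, i.e. what ngrep
    on "MAIL FROM" reveals. A normal client uses one sender toward one relay;
    a spambot rotates senders across many servers -> {src: (senders, servers)}."""
    per_src = defaultdict(lambda: {"servers": set(), "senders": set()})
    for src, server, sender in smtp_events:
        per_src[src]["servers"].add(server)
        per_src[src]["senders"].add(sender.lower())
    return {src: (len(v["senders"]), len(v["servers"])) for src, v in per_src.items()
            if len(v["servers"]) >= min_servers and len(v["senders"]) >= min_senders}

# Constructed sample: 10.0.0.5 sprays 24 SYNs at port 445 over 6 hosts in 2 s,
# while 10.0.0.9 talks normally to a single file server.
SAMPLE_TCPDUMP = [
    f"11682000{s:02d}.{i:06d} IP 10.0.0.5.{3000+i} > 192.168.1.{20+i%6}.445: Flags [S], length 0"
    for s in (0, 1) for i in range(12)] + [
    "1168200000.500000 IP 10.0.0.9.1025 > 192.168.1.2.445: Flags [P.], length 120",
    "1168200000.700000 IP 10.0.0.9.1025 > 192.168.1.2.445: Flags [P.], length 80"]
SAMPLE_SMTP = [("10.0.0.7", f"203.0.113.{i}", f"user{i}@example.net") for i in range(5)] + \
              [("10.0.0.9", "192.168.1.3", "alice@example.org")] * 4

if __name__ == "__main__":
    print(scan_suspects(SAMPLE_TCPDUMP))   # {'10.0.0.5': (12.0, 6)}
    print(spambot_suspects(SAMPLE_SMTP))   # {'10.0.0.7': (5, 5)}
```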
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
