On 05/17/2011 01:14 AM, Nicholas Suan wrote:
> Just got the following Snort alert as part of a "hacking attempt" ticket
> from my server provider:
>
> Date: 05/10 13:16:17 Name: ET DROP Known Bot C&C Server
> Traffic UDP (group 15)
> Priority: 1 Type: A Network Trojan was Detected
> IP info: 192.168.0.3:42070 -> 173.45.238.221:123
> References: http://abuse.ch
> http://www.shadowserver.org
> http://doc.emergingthreats.net/bin/view/Main/ShadowServerCC
> SID: 2404029
> I took a look at the snort rule and it seems that any UDP traffic to
> the IP address of that pool server is flagged.
>
> Is anyone else seeing things like this?
From the shadowservercc page:
"These IPs are updated every 24 hours and should be considered VERY
highly reliable indications that a host is communicating with a known
and active Bot or Malware command and control server."
If those include public NTP servers used by bots on infected systems
(with botnets switching domain names for command & control daily, I can
imagine they are using NTP to get the correct time to avoid losing
contact with the master), my best guess would be that the researcher
looking into the 'bot' traffic wasn't very aware of the NTP protocol.
So I would not use the term "VERY highly reliable indications".
Koos
--
Koos van den Hout [email protected] PGP keyid 0x27513781 (Use PGP!)
Phone +31-30-2534104 Personal homepage: http://idefix.net/
_______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
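As an added example (written for this page, not code from the thread, from Emerging Threats or from Snort), here is the triage I would run on such an alert before accepting the C&C verdict: parse the alert's flow tuple, then check whether the reply from the flagged host is a real NTP mode-4 (server) packet with a plausible stratum and a transmit timestamp close to the alert time. The alert text and the server reply below are constructed to match the one quoted above; the function names, the mode/stratum checks and the 300-second skew threshold are my own choices.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed alert text modelled on the one quoted in the thread (not a real capture).
ALERT_TEXT = (
    "Date: 05/10 13:16:17 Name: ET DROP Known Bot C&C Server Traffic UDP (group 15)\n"
    "Priority: 1 Type: A Network Trojan was Detected\n"
    "IP info: 192.168.0.3:42070 -> 173.45.238.221:123\n"
    "SID: 2404029\n"
)

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
NTP_HEADER_LEN = 48


def parse_alert(text):
    """Pull the flow tuple, rule name and SID out of an alert in the format quoted above."""
    flow = re.search(r"IP info:\s*([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)", text)
    name = re.search(r"Name:\s*(.+)", text)
    sid = re.search(r"SID:\s*(\d+)", text)
    if not (flow and name and sid):
        raise ValueError("alert text not in the expected format")
    rule_name = name.group(1).strip()
    proto = "UDP" if " UDP" in rule_name else "TCP" if " TCP" in rule_name else "?"
    return {
        "src": flow.group(1), "sport": int(flow.group(2)),
        "dst": flow.group(3), "dport": int(flow.group(4)),
        "proto": proto, "rule": rule_name, "sid": int(sid.group(1)),
    }


def ntp_to_unix(ts64):
    """Convert a 64-bit NTP timestamp (32.32 fixed point, seconds since 1900) to Unix seconds."""
    return (ts64 >> 32) - NTP_EPOCH_OFFSET + (ts64 & 0xFFFFFFFF) / 2 ** 32


def parse_ntp(packet):
    """Decode a 48-byte NTP header (RFC 5905 layout). Returns None if it does not look like NTP."""
    if len(packet) < NTP_HEADER_LEN:
        return None
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", packet[:4])
    version = (li_vn_mode >> 3) & 0x7
    mode = li_vn_mode & 0x7
    # Only client (3) and server (4) modes are expected for pool traffic; versions 1-4 exist.
    if version not in (1, 2, 3, 4) or mode not in (3, 4):
        return None
    root_delay, root_disp, ref_id = struct.unpack("!II4s", packet[4:16])
    ref_ts, orig_ts, recv_ts, xmit_ts = struct.unpack("!QQQQ", packet[16:48])
    return {
        "version": version, "mode": mode, "stratum": stratum,
        "poll": poll, "precision": precision, "ref_id": ref_id,
        "root_delay": root_delay, "root_dispersion": root_disp,
        "transmit_unix": ntp_to_unix(xmit_ts),
    }


def build_server_response(transmit_unix, stratum=2, ref_id=b"\x0a\x00\x00\x01"):
    """Build a minimal NTP mode-4 reply. Used here only to construct sample input."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, mode=4 (server)
    xmit = (int(transmit_unix) + NTP_EPOCH_OFFSET) << 32
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
    header += struct.pack("!II4s", 0x00000100, 0x00000100, ref_id)
    header += struct.pack("!QQQQ", xmit - (1 << 32), 0, xmit, xmit)  # ref, orig, recv, xmit
    return header


def triage(alert, reply_payload, alert_time):
    """Return 'ntp' when the reply is a sane NTP server packet whose clock agrees with the
    alert time, otherwise 'unverified' (keep treating the indicator as a possible C&C hit)."""
    if alert["proto"] != "UDP" or alert["dport"] != 123:
        return "unverified"
    ntp = parse_ntp(reply_payload)
    if ntp is None or ntp["mode"] != 4 or not 1 <= ntp["stratum"] <= 15:
        return "unverified"
    # A genuine time server's transmit timestamp should sit close to the capture time;
    # something merely borrowing port 123 is unlikely to produce this by accident.
    skew = abs(ntp["transmit_unix"] - alert_time.timestamp())
    return "ntp" if skew < 300 else "unverified"


# Constructed sample: the alert's own timestamp, and a server reply sent at that moment.
ALERT_TIME = datetime(2011, 5, 10, 13, 16, 17, tzinfo=timezone.utc)
SAMPLE_RESPONSE = build_server_response(ALERT_TIME.timestamp())

if __name__ == "__main__":
    alert = parse_alert(ALERT_TEXT)
    print(alert)
    print("verdict:", triage(alert, SAMPLE_RESPONSE, ALERT_TIME))
    print("verdict for a zero-filled payload:", triage(alert, b"\x00" * 48, ALERT_TIME))
```

In practice the reply payload comes from the packet capture behind the alert (or from sending your own query to the flagged host from a clean machine); a verdict of 'ntp' is a reason to check the destination against the NTP pool before escalating, not proof that the indicator list is wrong.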
