[Dshield] how to take down a 'bot-net' ?

Manuel Lanctot pacu at sympatico.ca
Sat Oct 5 22:07:41 GMT 2002


On Saturday 05 October 2002 03:21 pm, KeithTarrant wrote:
> >So far, the methods I am using are:
> >
> >- notify owners of infected machines... mixed results here. It works
> > great in some cases, not at all in others (depends on what machines
> > are connected).
>
> When does it work best and when worst?  This would be a hint as to how
> better communicate.  Is it english being a foreign language?  Too much
> lingo?  Certain industries?

This is what I send to those who have a website up with their email address and are infected by a Slapper variant.

"Hi,

    My name is Manuel and I live in Canada. Today, I received a probe coming from your IP address 
(xxx.xxx.xx.xx). It was coming from port 4156 and going to my port 4156. 
I'm sorry to tell you that, but that means you have been infected by the mod_ssl worm (also known as Linux.Slapper or just Slapper). 
I would suggest you disable SSL on your server, or upgrade to the newest version of mod_ssl (get it at http://www.apache.org).

To learn more about this worm, check the Internet Storm Center at:
http://isc.incidents.org/analysis.html?id=172
And the F-Secure Antivirus website:
http://www.f-secure.com/v-descs/slapper.shtml

It will tell you how to see if you are infected and how to remove the virus. 

Sincerely,

Manuel F. Lanctot"

On all the probes I'm receiving, 90% of hosts give me the standard Apache test page ("If you can see this page, it means you successfully installed Apache, etc."), 
but in only 3 cases today I found the page of a small company, mostly in Europe and Asia. I have received no answers yet. I only hope the "victims" won't think it's a 
hoax or call my ISP because they think I've sent them a virus. :-P

Manuel F. Lanctot
PACU Communications
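The post describes the observable pattern behind these notifications: UDP probes arriving with source port 4156 and destination port 4156, one per infected Slapper-variant host. The following is an added example, not code from the post or from DShield, showing how a recipient could pull the probing sources out of firewall logs and draft the owner notice from a template. The log lines are constructed in the iptables LOG-target style; the helper names (`parse_line`, `is_peer_probe`, `probing_hosts`, `draft_notice`) and the placeholder sender fields are assumptions. The port is a parameter because other Slapper variants used other ports.

```python
import re
from collections import Counter

# Constructed sample firewall log lines (iptables LOG target style); not real data.
# Addresses are from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Oct  5 14:02:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=4156 DPT=4156 LEN=62
Oct  5 14:02:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=4156 DPT=4156 LEN=62
Oct  5 14:05:40 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51020 DPT=443 LEN=60
Oct  5 14:07:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=UDP SPT=4156 DPT=4156 LEN=62
Oct  5 14:09:15 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=4156 LEN=80
"""

# Only the key=value fields needed for the decision are extracted.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of one log line, or None if the
    line does not carry the minimum set (e.g. unrelated kernel messages)."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "PROTO", "SPT", "DPT"} <= fields.keys():
        return None
    return fields


def is_peer_probe(fields, port=4156):
    """Match the pattern from the post: UDP, source port == destination port == `port`.
    A packet to 4156 from some other source port (e.g. a stray reply) does not count."""
    return (fields["PROTO"].upper() == "UDP"
            and fields["SPT"] == str(port)
            and fields["DPT"] == str(port))


def probing_hosts(log_text, port=4156):
    """Count matching probes per source IP. Returns a Counter keyed by SRC."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and is_peer_probe(fields, port):
            hits[fields["SRC"]] += 1
    return hits


def draft_notice(src_ip, port=4156, sender="<your name>", location="<your country>"):
    """Fill a notification template modelled on the one in the post; the sender
    fields are placeholders (assumption), the two reference URLs are from the post."""
    return (
        f"Hi,\n\n"
        f"My name is {sender} and I live in {location}. Today, I received a probe "
        f"coming from your IP address ({src_ip}). It was coming from port {port} "
        f"and going to my port {port}. This pattern matches the mod_ssl worm "
        f"(Linux.Slapper). Please check your server and update mod_ssl/OpenSSL.\n\n"
        f"References:\n"
        f"http://isc.incidents.org/analysis.html?id=172\n"
        f"http://www.f-secure.com/v-descs/slapper.shtml\n\n"
        f"Sincerely,\n{sender}\n"
    )


if __name__ == "__main__":
    for ip, count in probing_hosts(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} probe(s)")
        print(draft_notice(ip))
```

Running it on the constructed log reports two probing sources (203.0.113.7 twice, 192.0.2.44 once); the TCP/443 line and the UDP line from source port 53 are ignored, which is the distinction that keeps ordinary traffic to the same port from triggering a notice.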