[Dshield] how to take down a 'bot-net' ?

Manuel Lanctot pacu at sympatico.ca
Sun Oct 6 01:49:24 GMT 2002

On Saturday 05 October 2002 06:07 pm, Manuel Lanctot wrote:

> On all the probes I'm receiving, 90% of hosts give me the standard Apache
> test page ("If you can see this page, it means you successfully installed
> Apache, etc.") but in 3 cases today only, I found the page of a small
> company, mostly in Europe and Asia. I received no answers yet. I only hope
> the "victims" won't think it's a hoax or call my ISP because they think
> I've sent them a virus. :-P
> Manuel F. Lanctot
> PACU Communications

Something else about Slapper. I had never been probed for port 4156 before
yesterday, and I received more than 700 during last night. Then I thought, did
I do something special yesterday? Since my website is almost completed, I
registered an account on www.cjb.net (free domain redirection, etc.). So now my
IP is bound to a xxxx.cjb.net address. A few hours later, I started receiving
Slapper probes.

I didn't look at the worm code, but I thought the scans were random, not
targeted at specific services (like forwarders, etc.). Now there isn't 10
minutes without being probed at least once. I'm running Apache but I disabled
SSL (and it's up to date anyway), so I'm not worried, just amused, in some
weird way.

