[Dshield] how to take down a 'bot-net' ?
pacu at sympatico.ca
Sun Oct 6 01:49:24 GMT 2002
On Saturday 05 October 2002 06:07 pm, Manuel Lanctot wrote:
> On all the probes I'm receiving, 90% of hosts give me the standard Apache
> test page ("If you can see this page, it means you successfully installed
> Apache, etc.") but in 3 cases today only, I found the page of a small
> company, mostly in Europe and Asia. I received no answers yet. I only hope
> the "victims" won't think it's a hoax or call my ISP because they think
> I've sent them a virus. :-P
> Manuel F. Lanctot
> PACU Communications
Something else about Slapper. I had never been probed for port 4156 before
yesterday and I received more than 700 during last night. Then I thought, did I do
something special yesterday? Since my website is almost completed, I registered
an account on www.cjb.net (free domain redirection, etc.). So, now my IP is bound to a
xxxx.cjb.net address. A few hours later, I started receiving Slapper probes.
I didn't look at the worm code, but I thought the scans were random, not targeted at specific
services (like forwarders, etc.). Now 10 minutes don't go by without my being probed at least once.
I'm running Apache but I disabled SSL (and it's up to date anyway) so I'm not
worried, just amused, in some weird way.
Manuel F. Lanctot