[Dshield] how to take down a 'bot-net' ?

KeithTarrant keithtarrant at spamcop.net
Sun Oct 6 18:28:10 GMT 2002


Hi Manuael - How about this model letter?

Subject:  Your computer 123.123.123.123 is infected with virus/worm
Slapper

I am sad to inform you that your computer at the above IP address appears
to be infected with the "mod_ssl" worm (also known as "Linux.Slapper" and
"Slapper").   A log file extract is at the bottom of this email.

You can get detailed step-by-step instructions on how to confirm the
computer is infected and how to cure the computer here:
http://www.cert.org/advisories/CA-2002-27.html

Information on slapper in Deutsche, Espanol, Francais and Japanese is
available here:
http://www.sophos.com/virusinfo/analyses/linuxslapperb.html
Russian
http://www.viruslist.com/index.html

Additional information on the mod_ssl worm is available here:
http://isc.incidents.org/analysis.html?id=172
http://www.f-secure.com/v-descs/slapper.shtml
http://www.sarc.com

Sincerely,

Manuel F. Lanctot

=== insert log file extract here ===

----- Original Message -----
From: "Manuel Lanctot" <pacu at sympatico.ca>
To: <list at dshield.org>
Sent: Saturday, October 05, 2002 5:07 PM
Subject: Re: [Dshield] how to take down a 'bot-net' ?


> On Saturday 05 October 2002 03:21 pm, KeithTarrant wrote:
> > >So far, the methods I am using are:
> > >
> > >- notify owners of infected machines... mixed results here. It works
> > > great in some cases, not at all in others (depends on what machines
> > > are connected).
> >
> > When does it work best and when worst?  This would be a hint as to how
> > better communicate.  Is it english being a foreign language?  Too much
> > lingo?  Certain industries?
>
> This is what I send to those who have a website up with their email
adress and are infected by a Slapper variant.
>
> "Hi,
>
>     My name is Manuel and I live in Canada. Today, I received a probe
coming from your IP adress
> (xxx.xxx.xx.xx). It was coming from port 4156 and going to my port 4156.
> I'm sorry to tell you that but that means you have being infected by the
mod_ssl worm (also known as Linux.Slapper or just Slapper).
> I would suggest you to disable SSL on your server, or upgrade to the
newest version of mod_ssl (get it at http://www.apache.org).
>
> To learn more about this worm, check the Internet Storm Center at:
> http://isc.incidents.org/analysis.html?id=172
> And the F-Secure Antivirus website:
> http://www.f-secure.com/v-descs/slapper.shtml
>
> It will tell you how to see if you are infected and how to remove the
virus.
>
> Sincerely,
>
> Manuel F. Lanctot"
>
> On all the probes I'm receiving, 90% of hosts give me the standard
Apache test page ("If you can see this page, it means you successfully
installed Apache, etc.")
> but in 3 cases today only, I found the page of a small company, mostly
in Europe and Asia. I received no answers yet. I only hope the "victims"
won't think it's a
> hoax or call my ISP because they think I've sended them a virus. :-P
>
> Manuel F. Lanctot
> PACU Communications
>
>
>
>
>





More information about the list mailing list