[Dshield] how to take down a 'bot-net' ?
keithtarrant at spamcop.net
Sun Oct 6 18:28:10 GMT 2002
Hi Manuel - How about this model letter?
Subject: Your computer 188.8.131.52 is infected with virus/worm
I am sad to inform you that your computer at the above IP address appears
to be infected with the "mod_ssl" worm (also known as "Linux.Slapper" and
"Slapper"). A log file extract is at the bottom of this email.
You can get detailed step-by-step instructions on how to confirm the
computer is infected and how to cure the computer here:
Information on slapper in Deutsche, Espanol, Francais and Japanese is
Additional information on the mod_ssl worm is available here:
Manuel F. Lanctot
=== insert log file extract here ===
----- Original Message -----
From: "Manuel Lanctot" <pacu at sympatico.ca>
To: <list at dshield.org>
Sent: Saturday, October 05, 2002 5:07 PM
Subject: Re: [Dshield] how to take down a 'bot-net' ?
> On Saturday 05 October 2002 03:21 pm, KeithTarrant wrote:
> > >So far, the methods I am using are:
> > >
> > >- notify owners of infected machines... mixed results here. It works
> > > great in some cases, not at all in others (depends on what machines
> > > are connected).
> > When does it work best and when worst? This would be a hint as to how
> > better communicate. Is it english being a foreign language? Too much
> > lingo? Certain industries?
> This is what I send to those who have a website up with their email
> address and are infected by a Slapper variant.
> My name is Manuel and I live in Canada. Today, I received a probe
> coming from your IP address
> (xxx.xxx.xx.xx). It was coming from port 4156 and going to my port 4156.
> I'm sorry to tell you that but that means you have been infected by the
> mod_ssl worm (also known as Linux.Slapper or just Slapper).
> I would suggest you disable SSL on your server, or upgrade to the
> newest version of mod_ssl (get it at http://www.apache.org).
> To learn more about this worm, check the Internet Storm Center at:
> And the F-Secure Antivirus website:
> It will tell you how to see if you are infected and how to remove the
> Manuel F. Lanctot"
> On all the probes I'm receiving, 90% of hosts give me the standard
> Apache test page ("If you can see this page, it means you successfully
> installed Apache, etc.")
> but in 3 cases today only, I found the page of a small company, mostly
> in Europe and Asia. I received no answers yet. I only hope the "victims"
> won't think it's a
> hoax or call my ISP because they think I've sent them a virus. :-P
> Manuel F. Lanctot
> PACU Communications
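The notification workflow discussed in this thread (spot Slapper probes by the port-4156-to-4156 pattern Manuel describes, then send the owner Keith's model letter with a log extract attached) as an added example; this is not code from the thread. The log line format, the sample log lines and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (assumed format, not from the original thread):
# "<Mon DD hh:mm:ss> SRC=<ip> DST=<ip> SPT=<src port> DPT=<dst port>"
SAMPLE_LOG = """\
Oct 05 14:02:11 SRC=203.0.113.7 DST=198.51.100.9 SPT=4156 DPT=4156
Oct 05 14:02:13 SRC=203.0.113.7 DST=198.51.100.9 SPT=4156 DPT=4156
Oct 05 14:05:40 SRC=192.0.2.33 DST=198.51.100.9 SPT=51234 DPT=80
Oct 05 14:07:02 SRC=192.0.2.18 DST=198.51.100.9 SPT=4156 DPT=4156
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)

SLAPPER_PORT = 4156  # the source/destination port pair Manuel reports on the probes


def find_slapper_probes(log_text):
    """Return {source_ip: [matching log lines]} for probes whose source and
    destination port are both SLAPPER_PORT; other traffic is ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and int(m["spt"]) == SLAPPER_PORT == int(m["dpt"]):
            hits[m["src"]].append(line)
    return dict(hits)


# Keith's model letter, with the log extract filled in per reported host.
TEMPLATE = """Subject: Your computer {ip} is infected with virus/worm

I am sad to inform you that your computer at the above IP address appears
to be infected with the "mod_ssl" worm (also known as "Linux.Slapper" and
"Slapper"). A log file extract is at the bottom of this email.

=== log file extract ({count} probe(s)) ===
{extract}
"""


def render_notice(ip, lines):
    """Fill the model letter for one probing host with its own log lines."""
    return TEMPLATE.format(ip=ip, count=len(lines), extract="\n".join(lines))


if __name__ == "__main__":
    for ip, lines in sorted(find_slapper_probes(SAMPLE_LOG).items()):
        print(render_notice(ip, lines))
```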