[Dshield] IRC BotNet Connection Question
eslerj at gmail.com
Fri Aug 26 19:20:12 GMT 2005
Yes, usually in a packet dump you can see the password. If you
provide a pcap, or an ascii dump of the traffic, it's easy to point
out the password.
On Aug 26, 2005, at 2:27 PM, McAndrews, Michael wrote:
> I am a security professional at a global corporation and each month we
> get hit with 2 or 3 new viruses. Often times we can identify an
> infected machine by the anomalous behavior and quite often we are able
> to locate the infection, place a copy in a test environment and
> it. This is usually when we submit it to our virus protection vendor.
> So far this year we've been the first to submit 37 new pieces of
> to our vendor. That's the good news...
> The bad news is a lot of these viruses use IRC and try to join
> Of course, all the warning bells sound and we try to stop them at the
> firewall but sometimes we let a control machine go through just to see
> what happens.
> Here's my question: Once we identify a target IRC server and a
> (if we're lucky) we'll usually try to connect and see what's happening
> out there. Many times we connect without a problem but sometimes
> we get
> a password mismatch error. I'll modify my nick to fit their
> (recently USA|######) but it still doesn't work. Does anyone know how
> these servers are identifying the clients and denying others? Are
> somehow passing a password in the connection string? If so, is a
> capture the best way to see it?
> Thanks in advance!
> BTW - Here' an example: A client connected to an IRC server at
> 18.104.22.168 on port 8899 this morning. The channel was #mktr
> and the
> nick was ESP|######. When I connect I am denied due to password
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://
More information about the list