[Dshield] DShield's Public Goals

Sean Smith ssmith at kwqc.com
Fri Jan 13 15:06:58 GMT 2006


On the other hand, if I remember correctly, the default for programs
like mIRC IS 6667... Anyone have any comments on that?

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Harry Hoffman
Sent: Sunday, January 08, 2006 10:28 AM
To: General DShield Discussion List
Subject: Re: [Dshield] DShield's Public Goals

Hi,

I can say that in almost all cases of infected machines that I see at
work (a .edu) irc communications do not happen on port 6667.

That's not to say that large amounts of botnet traffic don't happen on
6667, but rather that there is a significant amount of traffic occurring
that uses other ports.

Cheers,
Harry

dshield.org at keithbergen.com wrote:
> I am an operator on one of the smaller IRC networks, and I have
> seen many botnets that use 6667. They almost never seem to use
> anything else. I presumed that this is because you can always count on
> that port being open, whereas the other ports are only open on a
> network-by-network basis.
> Admittedly, most networks have 6668-6669, and often 6663-6666 as well,
> but not always. Another explanation is that a lot of these smaller
> botnets are being run by a less experienced person, and they don't
> know about other ports.
> 
> One caveat, I haven't had the misfortune to come up against one of 
> these really big botnets. Most of the ones that attack us are under 
> the 1,000 bots mark.
> 
> One thing that may work: these botnets often have
> irc.[network-name].org in their "config" files. If one were to block
> irc.*.org on 666*, then the user would still be able to connect to the
> servers of choice, but they would need to use the name ... Such as
> dshield.[network-name].org or city.state.country.[network-name].org.
> 
> Just a couple thoughts,
> 
> 
> Keith.
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Jeff Kell
> Sent: Thursday, January 05, 2006 12:07 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] DShield's Public Goals
> 
> 
> stu wrote:
> 
>>So my ISP will now block port 6667 to stop me from connecting to an 
>>IRC server and the bot code gets modified to use port 6668? While 
>>users complain IRC isn't working?
> 
> 
> You're much better off allowing 6667 and blocking IRC traffic on any 
> other port :-)
> 
> I think I have seen *one* botnet that used 6667.
> 
> Jeff
> 
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> 
> _______________________________________________
> send all posts to list at lists.dshield.org To change your subscription 
> options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 
> 
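
An added example, not part of the original thread: a sketch of the payload-based check implied by "allowing 6667 and blocking IRC traffic on any other port", run over constructed flow records. The record layout, function names and sample addresses and ports are assumptions; the NICK/USER registration syntax is from RFC 1459.

```python
import re

STANDARD_IRC_PORT = 6667  # the port the thread suggests leaving open

# RFC 1459 client registration lines:
#   NICK <nick>
#   USER <user> <mode> <unused> :<realname>
NICK_RE = re.compile(rb"^NICK +:?[^\s:]+$")
USER_RE = re.compile(rb"^USER +\S+ +\S+ +\S+ +:?.+$")


def looks_like_irc(payload: bytes) -> bool:
    """True if the first client lines hold both NICK and a 4-parameter USER."""
    lines = [ln.strip() for ln in re.split(rb"\r?\n", payload[:512]) if ln.strip()]
    has_nick = any(NICK_RE.match(ln) for ln in lines)
    # Requiring four USER parameters keeps an FTP login ("USER name") out.
    has_user = any(USER_RE.match(ln) for ln in lines)
    return has_nick and has_user


def classify(flow: dict) -> str:
    """Return 'allow', 'irc-standard' or 'irc-nonstandard' for one flow."""
    if not looks_like_irc(flow["payload"]):
        return "allow"
    if flow["dst_port"] == STANDARD_IRC_PORT:
        return "irc-standard"
    return "irc-nonstandard"


# Constructed sample flows (hypothetical record layout: src, dst_port, payload).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 6667,
     "payload": b"NICK alice\r\nUSER alice 0 * :Alice\r\n"},
    {"src": "10.0.0.9", "dst_port": 8080,
     "payload": b"PASS x\r\nNICK host1234\r\nUSER host1234 0 * :host1234\r\n"},
    {"src": "10.0.0.7", "dst_port": 21,
     "payload": b"USER anonymous\r\nPASS guest@example.org\r\n"},
    {"src": "10.0.0.8", "dst_port": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"},
]


def nonstandard_irc_sources(flows):
    """Sources speaking IRC on a port other than 6667 (candidates for review)."""
    return [f["src"] for f in flows if classify(f) == "irc-nonstandard"]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src"], f["dst_port"], classify(f))
```

A port-only rule would pass the 8080 flow and could not tell the FTP login from IRC; matching on the registration lines separates the two.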


