[Dshield] Dalnet being uses as a C&C server

Jeffrey.Stebelton at bisys.com Jeffrey.Stebelton at bisys.com
Wed Jun 20 20:14:23 GMT 2007


I'm impressed. Good work guys!

Jeff Stebelton, GCIA GCIH CEH ESSE
Network Security Manager
BISYS Fund Services
614-470-8249 (work)
jeff.stebelton \at/ bisys.com



Gary <gary at dal.net>
Sent by: list-bounces at lists.dshield.org
To: "General DShield Discussion List" <list at lists.dshield.org>
cc:
Date: 06/20/2007 03:45 PM
Subject: Re: [Dshield] Dalnet being uses as a C&C server
Please respond to: General DShield Discussion List <list at lists.dshield.org>

On DALnet, the team responsible for handling botnets,
exploited/compromised hosts is the Exploits Prevention team. The
abuse at dal.net address is for general abuse issues - the mails are
read, and forwarded on to the relevant teams. The quickest way to
contact the Exploits Prevention team is through our online form at
http://kline.dal.net/exploits/contact.htm. Reports submitted through
that form will get a quicker reply/resolution than those emailed to
abuse at dal.net.

You can also connect to DALnet and contact any member of the Exploits
Prevention team directly. The nicks of the team members are:

aHa
Alaskaguy
Bagheera
byrnsy
Car`a`carn
gary
Jim-mm
key
Kobi_S
lorddracula
robt
traumatic
WhatWhat
Zvonarek

Obviously, if there's a botnet operating from our servers, we don't
want it there. The sooner we hear about it, the sooner we can put them
out of business. It took us 5 hours to shut this one down, which is an
excellent response time. I've dealt with ISPs, with dedicated, paid
staff who don't react as quickly. Notifying us through either the
form, or contacting us directly on DALnet, would cut that time down
even further.

Please, don't hesitate to let us know if you find a botnet, or even
_suspect_ that there's a botnet operating on our servers. We take such
things very seriously, and will investigate immediately.

-gary
punch.va.us.dal.net
DALnet Exploits Prevention Team



On 20/06/07, Dalvenjah FoxFire <dalvenjah at dal.net> wrote:
> Hello,
>
> I'd just like to chime in on this thread. I want to point out that
> DALnet first received notice of this issue at abuse at dal.net at 4:45PM PDT;
> the channel involved was blocked from use at 10:05PM PDT. That's what I
> would consider an excellent 5 hour response time; it also appears from this
> thread that confirmation was received that action was taken at around
> the same time.
>
> The apparent continuing discussion of "well I don't know if I trust that,
> let's pursue blocking DALnet" troubles me. As someone who has for upwards
> of ten years tried to get ISPs to harden their configurations and remove
> abusers, I would be very happy with a 24 hour response time, let alone 5 hours.
>
> I would like to point out that DALnet is entirely volunteer, and it does
> not have a 24/7 NOC or abuse desk. We haven't always been perfect at
> responding to abuse issues, but we do try our best, and I like to think
> we're one of the better ones.
>
> I applaud what you guys are doing and appreciate that chasing botnets
> is a thankless job -- but I would ask you to reserve the harshest
> countermeasures for the truly nonresponsive sites, and not use the
> "well I've got a hammer, everything looks like a nail" approach.
>
> If there are still abusive users using DALnet in regards to botnets
> that we aren't aware of, please do e-mail abuse at dal.net or contact
> someone on IRC, and we'll address the issue.
>
> Thanks in advance,
>
> -dalvenjah
>
> --
> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC.  56 courses, SANS top
> instructors, and a great tools and solutions expo. Register today!
> http://www.sans.org/info/4651 (brochure code ISC)
>


--
gary

