[unisog] IRC bot outbreaks

Anderson Johnston andy at umbc.edu
Thu Jul 25 13:58:53 GMT 2002


We've also got Snort checking for outgoing TFTP connection attempts.
That's another tip-off.

On Thu, 25 Jul 2002, Gerry Sneeringer wrote:

>
>
> On Wed, 24 Jul 2002, Anderson Johnston wrote:
> > We're crawling with them.  I use the daily reports from the NIDS and
> > Netflow to pick out the worst offenders bandwidth-wise, hunt them down (we
> > have a lot of address pools), and verify the compromise.
>
> We too see more than our fair share of these Bots.  All of the ones that
> we have seen use XDCC to distribute files and broadcast instructions on
> obtaining those files to the IRC channel on a regular basis.  So, we added
> a rule to our Snort box to match on packets containing the string "xdcc
> send \#x" destined for port 6667.  It isn't perfect, but now we usually
> get alerted to the presence of a Bot before it sets off the excessive
> bandwidth alarms.  Implementing a ban on inbound NetBIOS traffic before
> the start of the Fall is a very high priority.
>
> -Gerry
>
> ---
> Gerry Sneeringer
> IT Security Officer
> University of Maryland, College Park
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
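The two detection ideas in this thread (alerting on "xdcc send #x" strings headed for port 6667, and on outgoing TFTP connection attempts) can be prototyped without a sensor. The following is an added example, not either poster's Snort rule: it emulates both checks over constructed packet records. The local address ranges, the record layout, and the sample packets are all assumptions made for the example; the XDCC check is narrowed to local sources so that the alerts name the campus host to hunt down rather than the IRC server.

```python
"""Emulation of two Snort-style checks from the thread, run over
constructed packet records (added example, not the posters' rules)."""

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed campus address space (constructed for this example).
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

IRC_PORT = 6667    # port named in Gerry's rule
TFTP_PORT = 69     # TFTP requests go to udp/69; data then moves to ephemeral ports

# Case-insensitive match for the XDCC announcement pattern quoted in the thread.
XDCC_RE = re.compile(rb"xdcc\s+send\s+#\d+", re.IGNORECASE)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str       # local host implicated
    detail: str


def is_local(addr):
    a = ip_address(addr)
    return any(a in n for n in LOCAL_NETS)


def check_xdcc(pkt):
    """Local host sending an XDCC 'send' announcement to an IRC server port."""
    if pkt.proto == "tcp" and pkt.dport == IRC_PORT and is_local(pkt.src):
        m = XDCC_RE.search(pkt.payload)
        if m:
            return Alert("xdcc-announce", pkt.src, m.group(0).decode(errors="replace"))
    return None


def check_tftp(pkt):
    """Local host opening a TFTP request to an outside address."""
    if (pkt.proto == "udp" and pkt.dport == TFTP_PORT
            and is_local(pkt.src) and not is_local(pkt.dst)):
        return Alert("outbound-tftp", pkt.src, f"to {pkt.dst}")
    return None


def scan(packets):
    """Run every check over every packet; return the alerts in packet order."""
    alerts = []
    for p in packets:
        for check in (check_xdcc, check_tftp):
            a = check(p)
            if a:
                alerts.append(a)
    return alerts


def suspect_hosts(packets):
    """Distinct local hosts that triggered at least one alert."""
    return sorted({a.host for a in scan(packets)})


# Constructed sample traffic: one XDCC announcement, one benign IRC line,
# one outbound TFTP read request, one internal TFTP request (not flagged),
# and one inbound packet from the IRC server (source not local, not flagged).
SAMPLE = [
    Packet("tcp", "10.1.2.3", "203.0.113.10", 6667,
           b"PRIVMSG #chan :** /msg bot xdcc send #3 **\r\n"),
    Packet("tcp", "10.1.2.4", "203.0.113.10", 6667,
           b"PRIVMSG #chat :hello everyone\r\n"),
    Packet("udp", "10.1.2.5", "198.51.100.7", 69,
           b"\x00\x01file.bin\x00octet\x00"),   # TFTP RRQ opcode 1
    Packet("udp", "10.1.2.6", "10.1.2.7", 69,
           b"\x00\x01boot.cfg\x00octet\x00"),
    Packet("tcp", "203.0.113.10", "10.1.2.3", 6667,
           b"... xdcc send #3 ..."),
]

if __name__ == "__main__":
    for a in scan(SAMPLE):
        print(f"{a.rule:16} {a.host:12} {a.detail}")
```

Two caveats carry over from the thread: the string match is only a hint (a bot on a non-standard IRC port or with a different announcement format slips past it), and the TFTP check sees only the initial request on udp/69, since the transfer itself continues on ephemeral ports, so it is a tip-off rather than proof of compromise, which is why both posters still verify the host before acting.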


