[unisog] IRC bot outbreaks

Phil.Rodrigues at uconn.edu
Mon Jul 29 18:40:08 GMT 2002


About a month ago we started to take more direct action against DCC-botted 
hacks.  Through a combo of IPAUDIT (a homegrown network analysis tool) and 
SNORT (looking for known DCC phrases and tftp connections) we usually jump 
on any new bots on our campus quickly, and hopefully we catch a few before 
they occur with regular scans for blank administrative passwords (which is 
still the most common way they gain access).

What we do then is to hang out in the IRC rooms that the bots were talking 
to, make long lists of other hacked .edu computers in those channels, and 
try to get in contact with those schools.  I have a student who dedicates 
a couple of hours per week to this now - hopefully we can make an impact 
in the coming months.

If you have any good tips for popular IRC servers/rooms with heavy bot 
activity, let me know and we will see if we can clean them up some.  This 
will take a concerted effort from many schools, but I have been happy with 
our results thus far.  In the last month we have identified over 100 
hacked computers at .edu's, contacted their administrators, and seen them 
removed from their networks.  It's not quite counter-hacking, but it seems 
to help.

(You can also fairly easily grab their IRC handles and passwords - usually 
with admin access to those channels, and their tftp servers, ftp drops, 
and ftp accounts with a bit of sniffing if you'd like to go one step 
further.)

I am sure I am preaching to the choir, but making sure all of your IPs 
have DNS entries, and that your ARIN registry is up to date would help 
make our job easier.  :-)  We still find .edu's with bouncing abuse@ 
addresses from time to time....

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
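Added example, not code from the original post and not UConn's IPAUDIT or Snort configuration: a small Python detector that applies the two triggers Phil describes, known DCC phrases in traffic to IRC ports and TFTP connections, to a handful of constructed flow records, and scores a host higher when its TFTP fetch follows its DCC offer within a short window (the bot's usual "fetch the payload" step). The record format, the IRC port list and the two-minute window are assumptions made for the example, not anything the page states.

```python
"""Flag campus hosts showing the IRC-bot pattern: DCC phrases sent to an
IRC server, TFTP connections, and especially a TFTP fetch right after a
DCC offer. Everything below is an added example; the log format is made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: common IRC server ports and the TFTP port. Adjust for your site.
IRC_PORTS = {6667, 6668, 6669, 7000}
TFTP_PORT = 69
# "Known DCC phrases": the CTCP DCC verbs as they appear in PRIVMSG payloads.
DCC_RE = re.compile(r"\bDCC\s+(SEND|CHAT|GET|RESUME)\b", re.IGNORECASE)

# Constructed sample records (NOT IPAUDIT output, whose format is not on the page):
#   timestamp  src:port  dst:port  proto  payload-snippet
SAMPLE_LOG = """\
2002-07-29T18:01:02 137.99.1.10:1034 192.0.2.5:6667 tcp NICK|bot-8831
2002-07-29T18:01:05 137.99.1.10:1034 192.0.2.5:6667 tcp PRIVMSG #bots :\x01DCC SEND payload.exe 2322817 2222 45056\x01
2002-07-29T18:01:09 137.99.1.10:1035 192.0.2.9:69 udp RRQ payload.exe octet
2002-07-29T18:03:11 137.99.2.20:4401 192.0.2.9:69 udp RRQ update.exe octet
2002-07-29T18:05:00 137.99.3.30:2201 198.51.100.7:6667 tcp PRIVMSG alice :hello
2002-07-29T18:07:40 137.99.4.40:1099 198.51.100.8:80 tcp GET / HTTP/1.0
"""


def parse_line(line):
    """Parse one record into a dict; return None for blank or malformed lines."""
    parts = line.strip().split(None, 4)
    if len(parts) < 4:
        return None
    ts, src, dst, proto = parts[:4]
    payload = parts[4] if len(parts) == 5 else ""
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src_ip, "dst": dst_ip,
            "dport": int(dst_port), "proto": proto.lower(), "payload": payload}


def suspect_hosts(log_text, window=timedelta(minutes=2)):
    """Return {host: {"score": int, "reasons": [...]}} for hosts that trip a rule.

    Scoring: +1 per DCC phrase to an IRC port, +1 per TFTP request, +2 when a
    TFTP request follows a DCC offer from the same host within `window`."""
    events = defaultdict(lambda: {"dcc": [], "tftp": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "tcp" and rec["dport"] in IRC_PORTS \
                and DCC_RE.search(rec["payload"]):
            events[rec["src"]]["dcc"].append(rec)
        elif rec["proto"] == "udp" and rec["dport"] == TFTP_PORT:
            events[rec["src"]]["tftp"].append(rec)

    report = {}
    for host, ev in events.items():
        reasons, score = [], 0
        for r in ev["dcc"]:
            reasons.append(f"DCC phrase sent to IRC server {r['dst']}:{r['dport']}")
            score += 1
        for r in ev["tftp"]:
            reasons.append(f"TFTP request to {r['dst']}")
            score += 1
        # Correlation: the TFTP fetch shortly after the DCC offer is the strongest signal.
        for d in ev["dcc"]:
            for t in ev["tftp"]:
                delta = t["ts"] - d["ts"]
                if timedelta(0) <= delta <= window:
                    reasons.append(f"TFTP fetch {int(delta.total_seconds())}s after DCC offer")
                    score += 2
        report[host] = {"score": score, "reasons": reasons}
    return report


if __name__ == "__main__":
    for host, info in sorted(suspect_hosts(SAMPLE_LOG).items(),
                             key=lambda kv: -kv[1]["score"]):
        print(host, info["score"])
        for reason in info["reasons"]:
            print("   ", reason)
```

On the constructed sample, 137.99.1.10 scores highest (DCC offer, TFTP request, and the two four seconds apart), 137.99.2.20 is flagged on the TFTP request alone and is worth a look but not a certain bot, and the host merely chatting on IRC is not reported at all. Plain "DCC phrase" hits are noisy on a campus (legitimate file transfers use the same verbs), which is why the correlated fetch carries the extra weight.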
Robert Dormer <rdormer at pobox.upenn.edu>
07/24/2002 02:29 PM

        To:     unisog at SANS.ORG
        cc: 
        Subject:        [unisog] IRC bot outbreaks


Hello all,

I'm just curious to know - what experiences have you all had
with backdoor trojans like NetBus and SubSeven, and remote
controlled IRC bots?  Specifically, have any of you suffered from
large outbreaks of them, and if you did, how did you go about
containing them and educating users and other administrators
about them?


Regards,
Robert Dormer