[unisog] IRC bot outbreaks

Phil.Rodrigues at uconn.edu Phil.Rodrigues at uconn.edu
Wed Jul 31 21:21:46 GMT 2002

A few people privately asked what steps we took to locate bots and contact 
their networks, so I had that student (Aliza) write up what she does.  It 
seems to work pretty well so far - although I want to automate more if it 
if we can find time.  Right now it is a lot of pointing-and-clicking.

IRC Bot Procedure.

1.  Use information gathered from the config files from hacked boxes on 
campus (or sniffed out of traffic), or the /list command in IRC to find 
popular distribution channels.  These are usually at the top of the /list 
with the highest number of users, and often have X-DCC, DCC, XVID, 0DAY, 
or other obvious names or details.
2.  Do a "/whois" on all bots with the generic names in that channel (like 
+X-DCC_322).  To make things easier, change your double click options 
under Options/Mouse.  In the field for Nick list, type in "/whois $1". 
Now, when you double click on a name in the channel nick list the whois 
will run automatically.
3.  Check the whois output for all addresses that have either a *.edu (do 
a DNS lookup for the specific IP address) or that have no host name, and 
check their  ARIN record to see where that bot is running. ( www.arin.net, 
www.samspade.org )
4.  Create a list of all the *.edu bots that are found with their IP 
address, bot name, room, and time of discovery.  Using a spreadsheet will 
allow you to sort your findings by school much faster.
5.  Contact the schools that have 3+ bots listed, or at your discretion. 
The email that you send out should be generic and to the point, so that it 
is easy to change only the specific details for each school.  The 
recipients should be to abuse@*.edu, security@*.edu, whoever is listed in 
the ARIN information, and a copy to yourself/organization.  If this 
bounces or it looks like the information listed in ARIN might be too old, 
look up the security or network contact information for that school on 
their website for additional recipients, and try postmaster@ and 
webmaster at .  If all of those bounce too pick up the phone.

If anyone gets real serious about doing this tell me and we can coordinate 
efforts.  Depending on how large of a problem this becomes after students 
return I am considering stepping up our response.

And, as always, if anyone has an easier way to do this I am sure Aliza 
would appreciate it. ;-)


Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu

More information about the unisog mailing list