[unisog] DDoS IRC bots

Chris Gundersen cgunders at utk.edu
Fri Mar 7 02:33:08 GMT 2003


Might want to look at this worm (W32.HLLW.Lioten) as a possible culprit:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lioten.html

I'd particularly be interested in whether or not your target machines have IP 
addresses in that (strangely limited) range described in the write-up.

-Gunny


>===== Original Message From Bill McCarty <bmccarty at apu.edu> =====
>--On Thursday, March 06, 2003 7:57 AM -0800 Peter Van Epp <vanepp at sfu.ca>
>wrote:
>
>> 	I would have thought that a machine running tcpdump with a snap length
>> of 1510 (assuming Ethernet as input) to capture all packets in and out of
>> the honeypot machine's ethernet interface (without an IP address on the
>> interface doing the sniffing to prevent it being compromised!) would be
>> the first element  of your honeypot simply for liability reasons.
>
>Yes, as you suggest, the honeynet has redundant monitoring and logging of
>all traffic, plus multiple firewalls that can control inbound and outbound
>traffic. But, I'm not (yet) a Windows expert and so I haven't been able to
>thoroughly analyze the CIFS traffic on TCP 445. Aspects of the CIFS
>protocol are apparently proprietary to Microsoft, though some partial and
>possibly out of date descriptions seem to be publicly available.
>Consequently, I can determine the presence of TCP 445 traffic; but
>accurately and completely determining its contents and effect is another
>matter. So far <grin>.
>
>If anyone knows of an open source CIFS analyzer, I'd very much like to hear
>of it. Otherwise, I'm stuck having to cobble one together in my limited
>spare time.
>
>BTW, a known defect in Snort 1.9.0 can lead to remote compromise of even a
>system configured for passive sniffing. This vulnerability was the subject
>of DHS/NIPC Advisory 03-00. I speculate that tcpdump may contain
>undisclosed  or unknown vulnerabilities that are similarly exploitable. So,
>reliably monitoring a honeynet is not at all straightforward.
>
>Cheers,
>
>
>---------------------------------------------------
>Bill McCarty, Ph.D.
>Associate Professor of Web & Information Technology
>School of Business and Management
>Azusa Pacific University

------------------------------
Chris Gundersen, A+, MCP
gunny at utk.edu
865.974.0649
------------------------------



More information about the unisog mailing list