[unisog] DDoS IRC bots

Mike Iglesias iglesias at draco.acs.uci.edu
Thu Mar 6 15:52:30 GMT 2003

> Despite opinions that compromises commonly result from null passwords, I've
> so far been unable to verify that attack vector. I do have TCP 445 traffic
> that might have taken advantage of the lack of a password. However, my
> primitive honeypot is not well instrumented, so it's hard to determine the
> attackers' actions. I'm currently developing tools to remedy this lack.
> Meanwhile, I plan to deploy honeypots with and without passwords and
> thereby hope to determine if the absence of a password is an important
> factor.

Before we blocked the netbios ports at our border router, we saw lots
of Windows systems compromised that did not have IIS running, and did
not have a password on the administrator account.  There did not seem
to be any other vector that could account for the system being broken
into and turned into a warez server or DDoS bot.  And, like you, we
saw port 445 traffic from outside into the system shortly before it
was compromised.  Once the system was reinstalled and a password
put on the administrator account, that system was not compromised
again.  Given the amount of port scanning that we were seeing, if
the original attack vector was not the administrator account with
no password, what was it?

Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069
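As an added illustration of the correlation described above (not part of Mike's post or any UCI tooling), the script below reads a constructed firewall/flow log, flags inbound TCP 139/445 connections whose source lies outside an assumed campus prefix, and lists which external hosts touched a box in the hours before it was reported compromised. The log format, the 10.0.0.0/8 campus range and the compromise timestamps are all assumptions made for the example.

```python
"""Flag inbound NetBIOS/SMB (TCP 139/445) connections from off-campus sources
and correlate them with later compromise reports. Added example; the log
format, campus range and timestamps are constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed campus prefix (hypothetical; the real UCI ranges are not on the page).
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]
NETBIOS_PORTS = {139, 445}

# Constructed sample log: "<iso-timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-03-05T02:11:07 TCP 203.0.113.9:3412 -> 10.1.4.22:445
2003-03-05T02:11:09 TCP 203.0.113.9:3413 -> 10.1.4.22:139
2003-03-05T03:40:51 TCP 10.1.7.5:1054 -> 10.1.4.22:445
2003-03-05T09:15:22 TCP 198.51.100.77:2201 -> 10.1.9.8:445
2003-03-05T09:16:02 TCP 198.51.100.77:2202 -> 10.1.9.8:80
2003-03-06T01:02:03 TCP 192.0.2.45:4040 -> 10.1.4.22:445
"""

# Constructed compromise reports: host -> time it was found acting as a
# warez server or DDoS bot.
COMPROMISES = {
    "10.1.4.22": datetime(2003, 3, 5, 6, 0, 0),
}


def is_campus(addr):
    """True if the address falls inside one of the assumed campus prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


def parse_line(line):
    """Split one log line into its fields (timestamp, proto, src/dst ip+port)."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "proto": proto,
        "src": src_ip,
        "sport": int(sport),
        "dst": dst_ip,
        "dport": int(dport),
    }


def inbound_netbios(log_text):
    """Return {campus_host: [(ts, external_src, dport), ...]} for TCP 139/445
    connections that originate outside the campus and land on a campus host.
    Campus-to-campus SMB traffic is ignored: it is not what a border block stops."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "TCP" or rec["dport"] not in NETBIOS_PORTS:
            continue
        if is_campus(rec["src"]) or not is_campus(rec["dst"]):
            continue
        hits[rec["dst"]].append((rec["ts"], rec["src"], rec["dport"]))
    return dict(hits)


def precursors(log_text, compromises, window=timedelta(hours=12)):
    """For each compromised host, list the external SMB/NetBIOS sources seen
    within `window` before the compromise was noticed, i.e. the "port 445
    traffic shortly before it was compromised" pattern from the post."""
    hits = inbound_netbios(log_text)
    out = {}
    for host, found_at in compromises.items():
        srcs = {src for ts, src, _ in hits.get(host, [])
                if found_at - window <= ts <= found_at}
        out[host] = sorted(srcs)
    return out


if __name__ == "__main__":
    for host, events in inbound_netbios(SAMPLE_LOG).items():
        print(host, "received external NetBIOS/SMB from:",
              sorted({src for _, src, _ in events}))
    print("sources seen before compromise:", precursors(SAMPLE_LOG, COMPROMISES))
```

On the sample data the box 10.1.4.22 shows external hits on both 139 and 445 from one source about four hours before it was reported, while the campus-internal connection from 10.1.7.5 is deliberately not counted. The same destination-port filter, applied at the border as a deny rule for TCP 135-139 and 445 from outside, is the block Mike describes; this script only shows which hosts such a rule would have shielded.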
