[unisog] DDoS IRC bots

Bill McCarty bmccarty at apu.edu
Thu Mar 6 21:52:57 GMT 2003

> Before we blocked the netbios ports at our border router, we saw lots
> of Windows systems compromised that did not have IIS running, and did
> not have a password on the administrator account.  There did not seem
> to be any other vector that could account for the system being broken
> in to and turned into a warez server or DDoS bot.  And, like you, we
> saw port 445 traffic from outside into the system shortly before it
> was compromised.  Once the system was reinstalled and a password
> put on the administrator account, that system was not compromised
> again.  Given the amount of port scanning that we were seeing, if
> the original attack vector was not the administrator account with
> no password, what was it?

I don't mean to imply that null passwords are good <grin>, that systems
having null passwords aren't easily compromised, that systems having null
passwords aren't commonly compromised, or anything of that sort. I mean
only that I haven't yet verified the null password attack vector as present
on my honeynet, whereas the other attack vectors I mentioned are definitely
present. I agree that, in your case, null passwords seem to have been the
attack vector. I apologize for any lack of clarity on my part.


Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management 
Azusa Pacific University

More information about the unisog mailing list