[unisog] Help with notifications from a large irc bot list

John Kristoff jtk at northwestern.edu
Wed Feb 9 02:37:14 GMT 2005


On Tue, 08 Feb 2005 17:37:55 -0500
Justin Azoff <JAzoff at uamail.albany.edu> wrote:

> Is there a good way to go about handling this?

I've always felt the best thing to do is to feed this stuff into a
system like DShield or myNetWatchman.  This may require a little bit
of script fu on your part, but I'm sure a number of people here would
be willing to help whip something up if need be.  They already do the
reporting job for you and it doesn't seem worth it to reinvent that
wheel.

A few general comments on your find.

First, you may have just exposed who you are and the source host you
used to interrogate the rogue IRC server.  If the miscreants do some
rudimentary searches on identifying info of the server, channel or
user names, they may come across your URL.  While you may have masked
the source host from us, they may have logs and you provided some
specific details including timestamps (though your timezone is unknown).

Second, we don't know what timezone your timestamps are in.  Transient
hosts (e.g. dial, dhcp) may make it hard to associate to the specific
host/user for many of the addresses/names you've logged.

Third, poking at IRC servers (e.g. doing a /who #channame), while it
may seem helpful so you can alert others who may have bots there,
is the type of probing that is often easily monitored, discovered and
acted upon by the miscreants.  I'd recommend you let the IP address admin
handle the data collection.  Alert them and ask for their assistance.
They can often do a more accurate job and do it from the cover of
passive monitoring using things like flow export, logs and packet
capture.  If they aren't responsive, that might be all the more reason
not to go probing on your own.  Find someone upstream or simply
report the rogue server to a trusted third party that can help work
with others to help address it (email me off list for some pointers
in this area).

As for people who complain about you having just provided people with
a large list of compromised machines for others to go compromise, I
say phooey.  Building a list of compromised hosts is as easy as
building a list of spamming hosts (often they are one and the same).
Anyone could build up their own list of compromised hosts within a
few days without trying.  Within a few minutes if they are.

Plus, malware often disables the well known, remotely exposed services
that may have been vulnerable in the first place so having a list may
not be all that useful if your intent is to take them over.

John
