[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Worm phone home site question

To: odinanne <odinanne@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] Worm phone home site question
From: Michael Holstein <michael.holstein@xxxxxxxxxxx>
Date: Tue, 27 Sep 2005 08:43:49 -0400

This is the phone home site for a worm found on the network. Any idea what service they are running on these ports or how to loggin or register?

Standard [AGO|SD|RX] bot stuff .. it's just an IRCd .. use mIRC, xCHAT, whatever ...

The channels are always invisible and password protected. Boot up an infected client while sniffing with [ethereal|tcpdump|dsniff] and you'll grab the channel name/password.

Usually there are 2 channels .. one to report infections, and one to recieve command/control. The command/control one affords the bots no "voice" so it's not like you can take over the channel logging in as a bot .. but with a little homework and immagination, you sure can ;)

(poses the typical ethical dillema .. can you hack into a botnet to shut it down? .. probably not --legally anyway-- .. best bet is always the whois route and try to track down the POC for the netblock. The folks at ISC (isc.sans.org) can usually lend a hand for the uncooperative ones.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Worm phone home site question
  - From: Andrew A

References:
- [Full-disclosure] Worm phone home site question
  - From: odinanne

Prev by Date: Re: [Full-disclosure] Worm phone home site question
Next by Date: [Full-disclosure] Third issue of the Zone-H Comics
Previous by thread: Re: [Full-disclosure] Worm phone home site question
Next by thread: Re: [Full-disclosure] Worm phone home site question
Index(es):
- Date
- Thread