| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: DDavis at pivx.com (Dominique Davis) Subject: Botnets and tracking and busting scriptkiddies I think it was a great paper and very informative on the basics .I have had some experience with tracking down bot-nets and have found some techniques and methods that are very usefull when it comes to shutting down a bot net and tracking offenders. On a few occasions I have used the following tracking and stalking methods To hunt the script kiddie in its natural habitat.Keep in mind these are very basic but usefull. Detection The second you notice network traffic that is over irc ranges of ports 6000-7000 or suspect a bot .A sniffer is your friend Ethereal is a good choice to use to obtain the address of the destination hacked server as well as channel passes ,While normaly I would recommend dissaembly of the infected file /bot More and more bot authors are using things like morphine and custom cooked up encryption schemes /packers to keep their bots from being taken apart thus keeping you from the juicy hardcoded passwords and channel keys within . So 9 times out of 10 the best way to capture the ip-address of the master server and the channel names and passwords is via sniffer .Now once you have the ip address of the master server (the irc server all the bots are reporting to) the best thing to do is do an arin http://www.arin.net lookup and see who owns it most of the time you will find it is a third party who has also been hacked and has no idea why their server is running so slow. Immediately contacting abuse for their net provider is a must. After and only after contacting the proper authorities and the company that actually owns the machine being used as a master controller. If you have the permission of the second victim company to gain access to their server to help with tracking the offender you best bet for gathering intel is to impersonate one of the bots in question!!!! To do this you will need the following 1.a good irc client http://www.mirc.com make sure to turn logging and time stamping for both channels and private conversations 2.The server ip nick the bot is using when it logs in As well as the channel key and channel name These can be obtained by sniffing out going traffic Now here comes the fun part Power off the bot_infected machine and assume its ip address Do a /server victim ip server Now Pay attention to the messege of the day make sure your nick is set to that of the bot This will give you the irc server version How many users ,how long its been up (i.e how long has this machine been owned) What commands it supports ,and most importantly whether or not it masks ip addresses In the case of masked ip addresses i.e some versions of unreal ircd there are crackers and ways around this Now simply do a /join #badguyschan key The first thing you want here is the topic which will tell you what the Handel of the attacker is and what date he set up this bot net If he is in channel do a /uwho and a /dns to get his ip to hand over to the victim companies and or the feds for a quick crucifiction , If said bad guy is not there do a /list to see other channs To join also putting him on /notify is a good idea Other useful ideas are a /whowas However if you get something like a masked ip which will look like badguy@...34tnefgnei4t garbage string here you have 3 options Leave it to the sys admins to look through their logs for connections to that port range at that time or Look for an an exploit that allows you to unmask the ip`s Unreal ircd has been known to have a few of these, or try a little legwork join several of the larger irc servers like efnet,dalnet,undernet etc in Separate instances of mirc witrh the bad guys nick on notify and keep doing /whowas for his and variations of the bot nicks With his nick notify for all of em from here its just a matter of waiting for his login to dalnet or efnet which don't have ip masking to coincide with his login to the infected system then get do a /dns on the other network and viola you got em. However if there is no ip masking on the victim machines irc server You just do a /who badguy and then a /who *bootnamevaraint because Bots usually end up sequentially numbered after their initial name Ie flooder12234 flooder 122345 and so on and not only have you caught the script kiddies in question but you also now have the ip`s of all the folks who are infected as well to help the proper authorities clean up the mess Dominique Davis aka Mister Mojo PivX Solutions, Inc. Qwik Fix Pro is now available for purchase: http://www.pivx.com/qwikfixPurchase/ -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of phased Sent: Monday, March 14, 2005 9:22 AM To: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Re: Know Your Enemy: Tracking Botnets(ThorstenHolz) no they didnt, shit paper, nothing new, absolute crap just publicity bollocks -----Original Message----- From: David Jungerson <david-jungerson@....de> To: full-disclosure@...ts.grok.org.uk Date: Mon, 14 Mar 2005 16:26:39 +0100 Subject: [Full-disclosure] Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) > > You guys did a tremendous job! > > (Go away, trolls!) > > David Jungerson > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://www.secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
Powered by blists - more mailing lists