lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue Sep 27 13:45:21 2005
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: Worm phone home site question

> This is the phone home site for a worm found on the network.  Any idea 
> what service they are running on these ports or how to loggin or register?

Standard [AGO|SD|RX] bot stuff .. it's just an IRCd .. use mIRC, xCHAT, 
whatever ...

The channels are always invisible and password protected. Boot up an 
infected client while sniffing with [ethereal|tcpdump|dsniff] and you'll 
grab the channel name/password.

Usually there are 2 channels .. one to report infections, and one to 
recieve command/control. The command/control one affords the bots no 
"voice" so it's not like you can take over the channel logging in as a 
bot .. but with a little homework and immagination, you sure can ;)

(poses the typical ethical dillema .. can you hack into a botnet to shut 
it down? .. probably not --legally anyway-- .. best bet is always the 
whois route and try to track down the POC for the netblock. The folks at 
  ISC (isc.sans.org) can usually lend a hand for the uncooperative ones.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ