Message-ID: <Pine.GSO.4.43.0412042048090.17628-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: What to do with bot networks

On Fri, 3 Dec 2004, Conor Sibley wrote:

> It all started yesterday when one of my servers got hacked.  An ssh
> phisher got lucky and found an account with a weak password open on my
> server.  Two shellcode attempts later they had full access via root.
> They ran a super scanner and started an Energy Mech variant which
> connected back to their bot network.  This is where my dilemma
> started... so I logged onto the bot network and lo-and-behold hundreds
> start responding.  I'm reasonably sure that this network will be used
> "4-3v1l && !G00D" so, the question I am asking myself is: "What next".
>
> -Do I disable the network
> This is a huge network that is likely used for DDOSing.  If you've
> ever been DOSed... it sux.


Always, till the system has been repaired or restored or reinstalled and
patched to prevent another compromise.



>
> -Do I report to ISP or authorities
> The ISP is in an eastern European country and I don't know if the
> local authorities would do anything let alone care.
>

Reporting to the ISP, if you have enough info for them to act on, would
certainly be a benefit for you and fellow clients of the ISP. If you have
IP specifics, they can set up blocks in the routers to limit/prevent further
client compromise.  They can also then take over and do all or most of the
reporting/notification to others from that point on.  They may contact you
further to glean more info from you; save all logs if going this route.

> -Do I do nothing
> This option sucks but it sure is the easiest
>



If you are not technically savvy enough to know if you have logged
anything useful to you and/or others, this might have to be your option
while learning more, should there be future strikes of this and related
sorts.

So, in determining how to respond, these are the steps:

1) Always disconnect while cleaning up/fixing/patching; otherwise you
might well lose control of those steps, let alone that you are now a risk to
all your internet neighbors.

2) Determining if it's worth any effort in informing/involving others
depends upon a number of sub-factors:

	a>  skills of the admin
	b>  logs/evidence related to the compromise that could be used to
	block/trace/warn others of what's happening from where.  Lacking
	info, why even try?  It will likely make you sound like the
	clueless person you might be, <see a above>.
	c>  another factor here depends upon whether this is a home/soho
	user/net or a place of employment incident.  Home/soho users can
	use the above guidelines; company employees have to deal with their
	appropriate support centers within the organization, and those support
	centers will know what the policies and procedures are for the
	company and take appropriate actions.

Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
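The reply above hinges on step 2b: whether you have IP-specific evidence worth handing to the ISP, and on saving the logs if you do. As an added illustration (not code from either poster), the following Python script parses OpenSSH "Accepted"/"Failed" sshd lines, picks out the source address that got an "Accepted password" only after a run of failures (the weak-password guess Conor describes), and formats the IP-specific facts an abuse desk can act on. The log excerpt is constructed for the example; the year (syslog omits it), the hostname and the UTC time zone are assumptions.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt in syslog format (no year field); these lines
# are invented for this example and are not from the original post.
SAMPLE_LOG = """\
Dec  2 21:14:01 web1 sshd[4121]: Failed password for invalid user test from 203.0.113.45 port 40212 ssh2
Dec  2 21:14:03 web1 sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 40220 ssh2
Dec  2 21:14:05 web1 sshd[4125]: Failed password for guest from 203.0.113.45 port 40231 ssh2
Dec  2 21:14:08 web1 sshd[4127]: Failed password for guest from 203.0.113.45 port 40240 ssh2
Dec  2 21:14:11 web1 sshd[4129]: Accepted password for guest from 203.0.113.45 port 40252 ssh2
Dec  2 21:30:44 web1 sshd[4310]: Accepted publickey for ron from 198.51.100.7 port 51002 ssh2
Dec  2 22:02:19 web1 sshd[4402]: Failed password for root from 192.0.2.9 port 33007 ssh2
"""

# Matches OpenSSH "Accepted ..."/"Failed ..." lines; other sshd messages are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2004):
    """Turn sshd auth lines into event dicts. syslog omits the year, so the
    caller supplies it (assumption: every line falls within that year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def summarize_by_source(events):
    """Per source IP: failure count, accounts tried, logins that succeeded,
    and the first/last time the address touched the host."""
    summary = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": [],
                                   "first": None, "last": None})
    for e in events:
        s = summary[e["ip"]]
        s["users"].add(e["user"])
        s["first"] = e["time"] if s["first"] is None else min(s["first"], e["time"])
        s["last"] = e["time"] if s["last"] is None else max(s["last"], e["time"])
        if e["result"] == "Failed":
            s["failed"] += 1
        else:
            s["accepted"].append((e["time"], e["user"], e["method"]))
    return dict(summary)


def successful_bruteforce(events, min_failures=3):
    """Source IPs that got an 'Accepted password' after at least min_failures
    failed attempts: the signature of a guessed weak password."""
    hits = {}
    for ip, s in summarize_by_source(events).items():
        pw_logins = [a for a in s["accepted"] if a[2] == "password"]
        if s["failed"] >= min_failures and pw_logins:
            hits[ip] = s
    return hits


def abuse_report(events, host="web1", min_failures=3):
    """Plain-text summary carrying the IP-specific facts an ISP abuse desk
    needs to act on: address, time window (UTC assumed), accounts, outcome."""
    lines = []
    for ip, s in sorted(successful_bruteforce(events, min_failures).items()):
        users = ", ".join(sorted(s["users"]))
        first_ok = s["accepted"][0]
        lines.append(f"Source {ip} -> {host}: {s['failed']} failed SSH password "
                     f"attempts between {s['first']:%Y-%m-%d %H:%M:%S} and "
                     f"{s['last']:%Y-%m-%d %H:%M:%S} UTC against accounts "
                     f"[{users}], then successful password login as "
                     f"'{first_ok[1]}' at {first_ok[0]:%H:%M:%S}.")
    return "\n".join(lines)


def evidence_digest(text):
    """SHA-256 of the raw log as preserved; note it next to the copy you
    hand over so the file can later be shown to be unchanged."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print(abuse_report(evs))
    print("log sha256:", evidence_digest(SAMPLE_LOG))
```

Run this against the real /var/log/auth.log (or /var/log/secure) of the compromised box before it is wiped, and keep the original file plus its digest: the report gives the ISP a single address and time window to block, while the raw log is what they will ask for if they follow up. The threshold of three failures is an assumption; a legitimate user who fumbles a password once will not trip it, a dictionary run will.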
