Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations - Cornell


From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Tue, 7 Sep 2004 11:19:43 -0400

Usually after sending in a notice I will see that the problem was fixed
a few days later, but I'll never get a response back.  I know the reason
for that here: complaints are bounced around between departments until
they get to the person in charge of the offending machine, but by then
the original contact has usually been removed.

Maybe someone can poke Cornell?

(%:~)- host 128.253.153.155

All,

FYI, we at Cornell are working very hard to squash down IRC bots and
Command and Control servers in the last few weeks.  We have knocked off
two C&C systems in the last few days, and have knocked off over 100
bots on our ResNet since Friday (with many more to be done today).  The
bot listed above was caught but not cleaned properly.  It has since
been re-blocked.

Right now, the identification process involves NetFlow analysis mixed
with some nmap scans.  In the next few weeks, we will have QRadar up
and running, which will help us identify suspicious IRC traffic (on all
ports) and other indications of compromise (like rogue FTP servers on
weird ports).

If anyone has IP addresses that are in the Cornell IP space that are
either bots or C&C servers, please send the IP and any supporting data
you have to <security () cornell edu>.

Thanks.

-Dan

_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu   phone: 607-255-7657
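
The two identification signals Dan describes (NetFlow showing many campus hosts holding long-lived connections to one outside ip:port, and IRC protocol traffic on any port rather than just 6667) can be run as a small hunt over flow records. The script below is an added example written for this archive page; it is not Cornell's tooling and not QRadar. It assumes a placeholder campus range (10.0.0.0/8) and a constructed set of flow tuples using RFC 5737 documentation addresses; the first-payload field is an assumption too, since plain NetFlow carries no payload and it would have to come from a capture or IDS joined to the flow.

```python
"""Hunt for IRC bots and C&C candidates in constructed flow records.

Added example for the thread above, not code from the original post.
Heuristics:
  1. several internal hosts with long-lived flows to one external ip:port
     is a C&C candidate (NetFlow alone is enough for this);
  2. a payload whose first line parses as IRC is IRC, whatever the port
     (needs packet data joined to the flow; assumed available here).
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: placeholder campus range, not Cornell's real address space.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records, not real traffic:
# (src, dst, dst_port, duration_seconds, first_payload_bytes)
FLOWS = [
    ("10.1.2.10", "203.0.113.5", 7000, 5400, b"NICK [00|USA|123456]\r\nUSER xxx 0 0 :xxx\r\n"),
    ("10.1.2.11", "203.0.113.5", 7000, 4800, b"NICK [00|USA|654321]\r\nUSER xxx 0 0 :xxx\r\n"),
    ("10.1.2.12", "203.0.113.5", 7000, 6000, b"NICK [00|DEU|111111]\r\nUSER xxx 0 0 :xxx\r\n"),
    ("10.1.2.13", "203.0.113.5", 7000, 20,   b"NICK [00|USA|222222]\r\n"),  # short-lived
    ("10.1.2.30", "203.0.113.9", 80,   7200, b"NICK h4x\r\nJOIN #ch4n\r\n"),  # IRC on port 80
    ("10.1.2.40", "198.51.100.1", 80,  2,    b"GET / HTTP/1.1\r\nHost: example.org\r\n"),
    ("10.1.2.41", "198.51.100.2", 443, 15,   b"\x16\x03\x01"),  # TLS hello
    ("192.0.2.77", "203.0.113.5", 7000, 9000, b"NICK [00|GBR|333333]\r\n"),  # not our host
]

# First line of an IRC message: optional ":prefix ", then a command word or
# a three-digit numeric reply, then a space.
IRC_LINE = re.compile(rb"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE|TOPIC|PASS|\d{3}) ")


def is_irc_payload(payload: bytes) -> bool:
    """True if the first line looks like IRC, regardless of destination port."""
    first = payload.split(b"\n", 1)[0].rstrip(b"\r")
    return IRC_LINE.match(first) is not None


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def find_cnc_candidates(flows, min_clients=3, min_duration=300):
    """External ip:port that at least min_clients internal hosts stay connected to."""
    clients = defaultdict(set)
    for src, dst, dport, duration, _ in flows:
        if is_internal(src) and not is_internal(dst) and duration >= min_duration:
            clients[(dst, dport)].add(src)
    return {k: v for k, v in clients.items() if len(v) >= min_clients}


def find_irc_flows(flows):
    """(src, dst, port) for internal hosts speaking IRC to the outside on any port."""
    return sorted({(src, dst, dport) for src, dst, dport, _, payload in flows
                   if is_internal(src) and not is_internal(dst) and is_irc_payload(payload)})


def suspected_bots(flows):
    """Internal hosts flagged by either signal, for the block/clean list."""
    bots = set()
    for members in find_cnc_candidates(flows).values():
        bots |= members
    bots |= {src for src, _, _ in find_irc_flows(flows)}
    return sorted(bots)


if __name__ == "__main__":
    for (dst, port), members in find_cnc_candidates(FLOWS).items():
        print(f"C&C candidate {dst}:{port} with {len(members)} campus clients")
    for src, dst, port in find_irc_flows(FLOWS):
        print(f"IRC from {src} to {dst}:{port}")
    print("suspected bots:", ", ".join(suspected_bots(FLOWS)))
```

The short-lived flow from 10.1.2.13 does not count toward the C&C threshold, but the host is still caught by the payload check, which is why the two signals are unioned; conversely 10.1.2.30 talks to a server no other campus host uses, so only the port-agnostic IRC match finds it. In practice the duration and client thresholds need tuning against the campus's real IRC users before anything is blocked.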

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
