Full Disclosure mailing list archives
Re[2]: Botnets and tracking and busting scriptkiddies
From: Egoist <mastah () phreaker net>
Date: Mon, 14 Mar 2005 23:35:12 +0300
Hello Dominique,

Monday, March 14, 2005, 11:13:33 PM, you wrote:

DD> I think it was a great paper and very informative on the basics. I have
DD> had some experience with tracking down bot-nets and have found some
DD> techniques and methods that are very useful when it comes to shutting
DD> down a bot net and tracking offenders.

DD> On a few occasions I have used the following tracking and stalking
DD> methods
DD> to hunt the script kiddie in its natural habitat. Keep in mind these are
DD> very basic but useful.

DD> Detection

DD> The second you notice network traffic that is over irc ranges of ports
DD> 6000-7000 or suspect a bot, a sniffer is your friend. Ethereal is a good

Smile here.

DD> choice to use to obtain the address of the destination hacked server as
DD> well as channel passes. While normally I would recommend disassembly of
DD> the infected file/bot, more and more bot authors are using things like
DD> morphine and custom cooked-up encryption schemes/packers to keep their
DD> bots from being taken apart, thus keeping you from the juicy hardcoded
DD> passwords and channel keys within.

DD> So 9 times out of 10 the best way to capture the ip-address of the
DD> master server and the channel names and passwords is via sniffer. Now
DD> once you have the ip address of the master server (the irc server all
DD> the bots are reporting to) the best thing to do is do an arin
DD> http://www.arin.net
DD> lookup and see who owns it. Most of the time you will find it is a third
DD> party who has also been hacked and has no idea why their server is
DD> running so slow. Immediately contacting abuse for their net provider is
DD> a must.

DD> After and only after contacting the proper authorities and the company
DD> that actually owns the machine being used as a master controller, if you
DD> have the permission of the second victim company to gain access to their
DD> server to help with tracking the offender, your best bet for gathering
DD> intel is to impersonate one of the bots in question!!!!

DD> To do this you will need the following:
DD> 1. a good irc client
DD> http://www.mirc.com
DD> make sure to turn on logging and time stamping for both channels and
DD> private conversations
DD> 2. The server ip and nick the bot is using when it logs in,
DD> as well as the channel key and channel name.
DD> These can be obtained by sniffing outgoing traffic.

DD> Now here comes the fun part.
DD> Power off the bot-infected machine and assume its ip address.
DD> Do a /server victim ip server
DD> Now pay attention to the message of the day.
DD> Make sure your nick is set to that of the bot.
DD> This will give you the irc server version,
DD> how many users, how long it's been up (i.e. how long has this machine been
DD> owned), what commands it supports, and most importantly whether or not it
DD> masks ip addresses. In the case of masked ip addresses, i.e. some versions
DD> of unreal ircd, there are crackers and ways around this.
DD> Now simply do a /join #badguyschan key
DD> The first thing you want here is the topic, which will tell you what the
DD> handle of the attacker is and what date he set up this bot net.
DD> If he is in channel do a /uwho and a /dns to get his ip to hand over to
DD> the victim companies and/or the feds for a quick crucifixion.
DD> If said bad guy is not there do a /list to see other chans
DD> to join; also putting him on /notify is a good idea.
DD> Other useful ideas are a /whowas.
DD> However if you get something like a masked ip which will look like
DD> badguy@43534tnefgnei4t garbage string here you have 3 options:
DD> Leave it to the sys admins to look through their logs for connections to
DD> that port range at that time, or
DD> look for an exploit that allows you to unmask the ip's
DD> (Unreal ircd has been known to have a few of these), or try a little
DD> legwork:
DD> join several of the larger irc servers like efnet, dalnet, undernet etc. in
DD> separate instances of mirc with the bad guy's nick on notify and keep
DD> doing /whowas for his and variations of the bot nicks.
DD> With his nick on notify for all of them, from here it's just a matter of
DD> waiting for his login to dalnet or efnet, which don't have ip masking, to
DD> coincide with his login to the infected system, then do a /dns on the
DD> other network and voila, you got 'em.
DD> However if there is no ip masking on the victim machine's irc server
DD> you just do a /who badguy and then a /who *botnamevariant because
DD> bots usually end up sequentially numbered after their initial name,
DD> i.e. flooder12234, flooder122345 and so on, and not only have you caught
DD> the script kiddies in question but you also now have the ip's of all the
DD> folks who are infected as well to help the proper authorities clean up
DD> the mess.

DD> Dominique Davis aka Mister Mojo
DD> PivX Solutions, Inc.
DD> Qwik Fix Pro is now available for purchase:
DD> http://www.pivx.com/qwikfixPurchase/

DD> -----Original Message-----
DD> From: full-disclosure-bounces () lists grok org uk
DD> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of phased
DD> Sent: Monday, March 14, 2005 9:22 AM
DD> To: full-disclosure () lists grok org uk
DD> Subject: Re: [Full-disclosure] Re: Know Your Enemy: Tracking
DD> Botnets(ThorstenHolz)

DD> no they didnt, shit paper, nothing new, absolute crap just publicity
DD> bollocks

DD> -----Original Message-----
DD> From: David Jungerson <david-jungerson () web de>
DD> To: full-disclosure () lists grok org uk
DD> Date: Mon, 14 Mar 2005 16:26:39 +0100
DD> Subject: [Full-disclosure] Re: Know Your Enemy: Tracking Botnets
DD> (ThorstenHolz)

DD> You guys did a tremendous job! (Go away, trolls!)
DD> David Jungerson

DD> _______________________________________________
DD> Full-Disclosure - We believe in it.
DD> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
DD> Hosted and sponsored by Secunia - http://www.secunia.com/

pivx again. shit i will never even look at your "solutions" after this so "professional" article.

-- 
Best regards,
Egoist mailto:mastah () phreaker net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
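The detection step the quoted post describes (watch the 6000-7000 port range, sniff the bot's registration to recover the master server, nick, channel and key, then use the sequentially numbered nick pattern such as flooder12234, flooder12235 to enumerate the infected hosts) can be scripted over a flow capture. The following is an added example for this thread, not code from the post or from any product it mentions. It works on constructed flow records (source IP, destination IP, destination port, client payload) with made-up addresses, nicks and channel names; the IRC commands it parses (PASS, NICK, JOIN) are the standard client registration messages.

```python
"""Flag IRC-style bot check-ins in a flow capture and pull out the C&C
details a defender needs (server, channel, key), then group sequentially
numbered nicks per server to enumerate the likely infected internal hosts."""
import re
from collections import defaultdict

IRC_PORT_RANGE = range(6000, 7001)   # the port range the post says to watch

# Constructed sample flows for this example: every address, nick, channel
# and key below is invented. Payload is the client side of the connection.
SAMPLE_FLOWS = [
    ("10.0.0.12", "203.0.113.7", 6667,
     "NICK flooder12234\r\nUSER a b c :d\r\nJOIN #badguyschan s3cret\r\n"),
    ("10.0.0.13", "203.0.113.7", 6667,
     "NICK flooder12235\r\nUSER a b c :d\r\nJOIN #badguyschan s3cret\r\n"),
    ("10.0.0.14", "203.0.113.7", 6669,
     "PASS letmein\r\nNICK flooder12236\r\nUSER a b c :d\r\n"
     "JOIN #badguyschan s3cret\r\n"),
    # a human IRC user on an unrelated network: single host, no numeric suffix
    ("10.0.0.20", "192.0.2.10", 6667,
     "NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n"),
    # TLS on 443: outside the watched port range, not IRC
    ("10.0.0.21", "198.51.100.5", 443, "\x16\x03\x01..."),
]

# Client registration lines. Horizontal whitespace only between the channel
# and the key, so a JOIN without a key never swallows the next line.
PASS_RE = re.compile(r"^PASS[ \t]+(\S+)", re.M)
NICK_RE = re.compile(r"^NICK[ \t]+(\S+)", re.M)
JOIN_RE = re.compile(r"^JOIN[ \t]+(#\S+)(?:[ \t]+(\S+))?", re.M)
# "base name + run of digits", the bot naming pattern described in the post
SEQ_NICK_RE = re.compile(r"^([A-Za-z_\-\[\]|]+?)(\d{2,})$")


def parse_irc_checkin(payload):
    """Return nick, server password, channel and key from a client payload,
    or None when the payload does not register an IRC nick at all."""
    nick = NICK_RE.search(payload)
    if nick is None:
        return None
    pw = PASS_RE.search(payload)
    join = JOIN_RE.search(payload)
    return {
        "nick": nick.group(1),
        "server_pass": pw.group(1) if pw else None,
        "channel": join.group(1) if join else None,
        "key": join.group(2) if join else None,
    }


def analyse_flows(flows):
    """Group IRC check-ins by destination server and report each server
    where two or more distinct internal hosts join the same (channel, key)
    with nicks that share a base name followed by a number."""
    per_server = defaultdict(list)
    for src, dst, dport, payload in flows:
        if dport not in IRC_PORT_RANGE:
            continue
        info = parse_irc_checkin(payload)
        if info is None:
            continue
        info["src"], info["port"] = src, dport
        per_server[dst].append(info)

    findings = []
    for server, checkins in per_server.items():
        groups = defaultdict(list)           # (base, channel, key) -> checkins
        for c in checkins:
            m = SEQ_NICK_RE.match(c["nick"])
            if m and c["channel"]:
                groups[(m.group(1), c["channel"], c["key"])].append(c)
        for (base, chan, key), members in groups.items():
            hosts = sorted({c["src"] for c in members})
            if len(hosts) < 2:
                continue                      # one numbered nick proves nothing
            passwords = {c["server_pass"] for c in members} - {None}
            findings.append({
                "server": server,
                "ports": sorted({c["port"] for c in members}),
                "channel": chan,
                "key": key,
                "server_pass": sorted(passwords)[0] if passwords else None,
                "bot_nick_prefix": base,
                "infected_hosts": hosts,
            })
    return sorted(findings, key=lambda f: f["server"])


if __name__ == "__main__":
    for f in analyse_flows(SAMPLE_FLOWS):
        print(f)
```

The output gives an incident responder exactly the handover items the post lists: the master server to report to its owner and abuse contact, the channel and key for the record, and the internal hosts that need cleaning. Requiring at least two hosts per nick prefix keeps a single human user with a numbered nick from being flagged.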
Current thread:
- RE: Botnets and tracking and busting scriptkiddies Dominique Davis (Mar 14)
- Re: Botnets and tracking and busting scriptkiddies Michael Holstein (Mar 14)
- Re[2]: Botnets and tracking and busting scriptkiddies Egoist (Mar 14)
- Re: Botnets and tracking and busting scriptkiddies Michael Holstein (Mar 14)