Security Incidents mailing list archives
Re: SSH probe attack afoot?
From: "j () 65535 com" <j () 65535 com>
Date: Wed, 09 Feb 2005 11:27:52 +0000
Barrie Dempster wrote:
> On Tue, 2005-02-08 at 18:25 +0000, Joe Egloff wrote:
> > Matter of fact I did, but the amount of hosts is increasing. I'm currently assuming that there is some sort of race going on. Seems like one or more groups are trying to "expand" their bot nets. Why bot nets? Well, on most of the systems I checked I found that the IRC ports are open or on other ports some IRC-alike service is running.
>
> Bots as part of botnets don't generally set up IRC servers on their hosts. They instead connect to an existing IRC server and join a meeting point channel to be controlled, with single commands. Slightly hard to control them if they all live on separate servers and you have to connect to each individually.
But, as is quite often the case, someone who runs a botnet will load his own servers to host these bots; this gets round the problem that any legitimate IRC network will close down bot channels when they get discovered by the server operators, and large channels are trivial for operators to discover. Even though Windows machines are most commonly used to run these bots, the servers for them almost invariably run on Unix machines, and it makes sense that they would use lots of compromised servers with a common DNS name pointing to them all, so that as the compromised machines are discovered and turned off, the bots can still be controlled... I have encountered many botnets configured in this way.