Security Incidents mailing list archives

Re: SSH probe attack afoot?


From: "j () 65535 com" <j () 65535 com>
Date: Wed, 09 Feb 2005 11:27:52 +0000

In-Reply-To: <42089361.1010203 () yahoo com sg>

Barrie Dempster wrote:
On Tue, 2005-02-08 at 18:25 +0000, Joe Egloff wrote:

Matter of fact I did, but the number of hosts is increasing. I'm currently assuming that there is some sort of race going on. Seems
like one or more groups are trying to "expand" their bot nets.

Why bot nets? Well, on most of the systems I checked I found that the IRC ports are open, or that some IRC-like
service is running on other ports.


Bots as part of botnets don't generally set up IRC servers on their
hosts. They instead connect to an existing IRC server and join a meeting
point channel to be controlled with single commands. Slightly hard to
control them if they all live on separate servers and you have to
connect to each individually.

But, as is quite often the case, someone who runs a botnet will load his own servers to host these bots. This gets around the problem that any legitimate IRC network will close down bot channels when they get discovered by the server operators, and large channels are trivial for operators to discover. Even though Windows machines are most commonly used to run these bots, the servers for them almost invariably run on Unix machines, and it makes sense that they would use lots of compromised servers with a common DNS name pointing to them all, so that as the compromised machines are discovered and turned off, the bots can still be controlled... I have encountered many botnets configured in this way.
