Re: Worm phone home site question

[Michael Holstein <michael.holstein () csuohio edu>]

> This is the phone home site for a worm found on the network.  Any idea 
> what service they are running on these ports or how to loggin or register?

Standard [AGO|SD|RX] bot stuff .. it's just an IRCd .. use mIRC, xCHAT, 
whatever ...

The channels are always invisible and password protected. Boot up an 
infected client while sniffing with [ethereal|tcpdump|dsniff] and you'll 
grab the channel name/password.

Usually there are 2 channels .. one to report infections, and one to 
recieve command/control. The command/control one affords the bots no 
"voice" so it's not like you can take over the channel logging in as a 
bot .. but with a little homework and immagination, you sure can ;)

(poses the typical ethical dillema .. can you hack into a botnet to shut 
it down? .. probably not --legally anyway-- .. best bet is always the 
whois route and try to track down the POC for the netblock. The folks at 
 ISC (isc.sans.org) can usually lend a hand for the uncooperative ones.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/