Full Disclosure mailing list archives
Re: Worm phone home site question
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Tue, 27 Sep 2005 08:43:49 -0400
This is the phone home site for a worm found on the network. Any idea what service they are running on these ports or how to loggin or register?
Standard [AGO|SD|RX] bot stuff .. it's just an IRCd .. use mIRC, xCHAT, whatever ...
The channels are always invisible and password protected. Boot up an infected client while sniffing with [ethereal|tcpdump|dsniff] and you'll grab the channel name/password.
Usually there are 2 channels .. one to report infections, and one to recieve command/control. The command/control one affords the bots no "voice" so it's not like you can take over the channel logging in as a bot .. but with a little homework and immagination, you sure can ;)
(poses the typical ethical dillema .. can you hack into a botnet to shut it down? .. probably not --legally anyway-- .. best bet is always the whois route and try to track down the POC for the netblock. The folks at ISC (isc.sans.org) can usually lend a hand for the uncooperative ones.
Cheers, Michael Holstein CISSP GCIA Cleveland State University _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Worm phone home site question odinanne (Sep 27)
- Re: Worm phone home site question ggfirst (Sep 27)
- Re: Worm phone home site question Michael Holstein (Sep 27)
- Re: Worm phone home site question Andrew A (Sep 27)
- Re[2]: Worm phone home site question phased (Sep 27)
- Re: Worm phone home site question Andrew A (Sep 27)