[767] in resnet
DDoS attacks and zombies
daemon@ATHENA.MIT.EDU (Wendy Shih)
Mon Feb 4 22:13:46 2002
Message-ID: <CEEPLCDFDPPNJFEBNBGOIEGICEAA.wshih@res.kent.edu>
Date: Mon, 4 Feb 2002 22:07:33 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Wendy Shih <wshih@RES.KENT.EDU>
To: RESNET-L@listserv.nd.edu
Recently, we had 2 DDoS attacks on campus and found that a few computers on
campus were performing the attacks. We got hold of 3 computers. They
don't really have viruses or Trojans. After a closer look, the computers are
"bots" controlled by a certain mIRC channel (I'd rather not say which here, but
you can email me later for more info). I got on the channel and saw many
other .edu ResNet computers (possibly yours too), all victims. So, this
channel has literally thousands of IPs at the operators' disposal to use for
DDoS attacks, etc.
Questions:
1. If you have the experience, please share how I should proceed next to
break this malicious operation.
2. The scripts and server files are big - over 1.5Mb. Do you know how
they got installed on the computer? One of the owners said she just got
the computer in September. She has updated virus software and claimed to have never
downloaded anything. She doesn't use any p2p software. The files were all
identical on the 3 computers and all installed in the same directory.
Thanks.
Wendy Shih