Re: DDoS attacks and zombies
daemon@ATHENA.MIT.EDU (Curtis Kline)
Mon Feb 4 23:26:32 2002
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <EF6375215231544B87FD58A965410B8A96560C@exchange.housing.ucsb.edu>
Date: Mon, 4 Feb 2002 20:01:53 -0800
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Curtis Kline <ckline@HOUSING.UCSB.EDU>
To: RESNET-L@listserv.nd.edu
Wendy,
One place to look for further help: There's a great mailing list out there dedicated to network security issues on college campuses. Send an email to: unisog-subscribe@sans.org to join. There are really sharp folks on that list who know all there is to know about forensics of compromised hosts.
Of course, some of those folks may be hanging around here somewhere, too.
It's likely that the people on the unisog list would love to hear about this exploit.
Curtis
______________________________________
Curtis Kline
Residential Network Coordinator
UC Santa Barbara
-----Original Message-----
From: Wendy Shih [mailto:wshih@RES.KENT.EDU]
Sent: Monday, February 04, 2002 7:08 PM
To: RESNET-L@listserv.nd.edu
Subject: DDoS attacks and zombies
Recently, we had 2 DDoS attacks on campus and found a few computers on campus were performing the attacks. We got hold of 3 computers. They don't really have viruses or Trojans. After a closer look, the computers are "bots" controlled by a certain mIRC channel (I'd rather not say which here, but you can email me later for more info). I got on the channel and saw many other .edu ResNet computers (possibly yours too), all victims. So, this channel has literally thousands of IPs at the operators' disposal to use for DDoS attacks, etc.
Questions:
1. If you have the experience, please share how I should proceed next to break this malicious operation.
2. The scripts and server files are big - over 1.5Mb. Do you know how they got installed on the computer? One of the owners said she just got the computer in September. She has updated virus software and claimed never to download anything. She doesn't use any p2p software. The files were all identical on the 3 computers and all installed in the same directory.
Thanks.
Wendy Shih
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________