Comments on: Bot Networks: Jacking the Jackers http://www.rfxn.com/bot-networks-jacking-the-jackers/  Linux Software & Blog Thu, 26 Jan 2012 07:01:13 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Brad http://www.rfxn.com/bot-networks-jacking-the-jackers/#comment-10357 Brad Fri, 22 Jul 2011 18:39:23 +0000 http://www.rfxn.com/?p=589#comment-10357 I love it! I run an IRCd company.. were constantly trying to keep on top of these kiddies.. We've gotten to the point that I have alerts smsed to me if our bandwidth spikes to more than double a past few hours average... I usually can expect some sort of service issues and can hop on and block traffic if something happens. I've also had to experience a C&C network being hosted on my server... guy thought he was all that locking the server down.. when we turned off the actual ircd process he never came back to turn it on.. but we knew he was the root cause.. I really wish there was a way to scan files they upload and then modify.. I love it! I run an IRCd company.. were constantly trying to keep on top of these kiddies.. We’ve gotten to the point that I have alerts smsed to me if our bandwidth spikes to more than double a past few hours average… I usually can expect some sort of service issues and can hop on and block traffic if something happens.

I’ve also had to experience a C&C network being hosted on my server… guy thought he was all that locking the server down.. when we turned off the actual ircd process he never came back to turn it on.. but we knew he was the root cause..

I really wish there was a way to scan files they upload and then modify..

]]> By: Pascal http://www.rfxn.com/bot-networks-jacking-the-jackers/#comment-3928 Pascal Wed, 24 Nov 2010 18:30:44 +0000 http://www.rfxn.com/?p=589#comment-3928 I'd like to have your knowledge as, for it takes me long long time, to find I've been attack, and more long to understand how/why and long time to recreate a fresh/clean server. Last one was a S99lvm in /etc/rc3.d/ which one launched a pscd process which connect to ns10.dnetnoc.net:ircd Bad bad one. Not find yet how they had root access. What I know, is S99lvm having a CWD of /root, using libresolv.so, having its file descriptors set to a pseudo-terminal (instead of /dev/null) and being run by root. I’d like to have your knowledge as, for it takes me long long time, to find I’ve been attack, and more long to understand how/why and long time to recreate a fresh/clean server.

Last one was a S99lvm in /etc/rc3.d/ which one launched a pscd process which connect to ns10.dnetnoc.net:ircd

Bad bad one. Not find yet how they had root access. What I know, is S99lvm having a CWD of /root, using libresolv.so, having its file descriptors set to a pseudo-terminal (instead of /dev/null) and being run by root.

]]>