To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

>> in other words any advice is welcome ;]
>
>
> $ whois 12.205.151.144
> AT&T WorldNet Services ATT (NET-12-0-0-0-1)
> 12.0.0.0 - 12.255.255.255
> Mediacom Communications Corp MEDIACOMCC-12-205-148-0-CEDAR-RAPIDS-IA (NET-12-205-148-0-1)
> 12.205.148.0 - 12.205.151.255
>
> contact is [EMAIL PROTECTED] or +1-919-319-8130

thanks for all the explanations, also those sent to my personal email ;) I'll try to report
it tomorrow and I'm really interested in their answer. I hope this community will hold on ...

and at least I'll add that I'm also naively thinking about the next course of action of the
"bad guys" (if there will be any change), maybe to hide in SSL and propagate this kind of
attack/bots mostly through it, so I checked our webserver's ssl_access.log and there are a
lot more different samples than I saw in snort reports ;(( (grep is based upon snort sid:2002 )

# grep -e ".*path=\(http\|https\|ftp\).*" ssl*log | awk '{print $7;}' | sort | uniq | less

but this is a really time-consuming task ;( .. so the only way I see for the future is to
create a simple script IPS based on something like this grep with the addition of iptables
and tarpit or whatever .. (with the purpose that C&C commanders unlist our IP range from
their lists) and worse, this is only one way of attack

or does anyone have some other solution, or at least a try?
but maybe this could be another thread anyway ;]

bodik
_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
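
The script idea raised in the message above, sketched as an added example that is not part of the original post: it counts matching requests per client and prints candidate iptables rules for review instead of applying them. It generalizes the grep from `path=` to any query parameter, assumes Apache common/combined log format, and uses hypothetical function names and constructed sample log lines.

```shell
# Added example. Assumes Apache common/combined log format: client IP in
# field 1, request URI in field 7 (the field the awk command above prints).

# rfi_sources THRESHOLD < logfile   (hypothetical helper name)
# Prints "count ip" for each client with at least THRESHOLD matching requests.
rfi_sources() {
    awk -v min="${1:-1}" '
    {
        uri = tolower($7)
        # a parameter value that starts with http://, https:// or ftp://,
        # also when "://" arrives percent-encoded
        if (uri ~ /[?&][^=&]*=(https?|ftp)(:|%3a)(\/|%2f)(\/|%2f)/)
            hits[$1]++
    }
    END {
        for (ip in hits)
            if (hits[ip] >= min)
                print hits[ip], ip
    }' | sort -k1,1nr -k2,2
}

# block_rules THRESHOLD < logfile   (hypothetical helper name)
# Prints, without running them, one iptables rule per flagged client.
block_rules() {
    rfi_sources "$1" | while read -r count ip; do
        # skip anything that is not made up of digits and dots only
        case "$ip" in
            *[!0-9.]*|"") continue ;;
        esac
        printf 'iptables -I INPUT -s %s -p tcp --dport 443 -j DROP  # %s hits\n' "$ip" "$count"
    done
}

# Constructed sample lines (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [01/Jan/2007:10:00:01 +0100] "GET /index.php?path=http://example.invalid/a.txt? HTTP/1.1" 404 210
192.0.2.10 - - [01/Jan/2007:10:00:02 +0100] "GET /view.php?dir=ftp://example.invalid/b.txt HTTP/1.1" 404 210
198.51.100.7 - - [01/Jan/2007:10:00:03 +0100] "GET /page.php?inc=https%3A%2F%2Fexample.invalid/c.txt HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2007:10:00:04 +0100] "GET /docs/path.html?ref=homepage HTTP/1.1" 200 1024
EOF
}

# Usage: print candidate rules for clients with 2 or more matching requests.
sample_log | block_rules 2
```

Legitimate parameters that carry a URL (redirect targets, for instance) match the same pattern, so the printed rules are meant to be read before anything is loaded. The rules use DROP; the tarpit mentioned in the post is left out here.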
