[botnets] SQL Injection bot?
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
Hey all, (hopefully many are still around) re-sending this as it was bounced before... Additional comments after the original message:

// BEGIN
From [EMAIL PROTECTED] Sat Aug 9 14:24:35 2008
Date: Sat, 9 Aug 2008 14:24:35 -0500
From: J. Oquendo [EMAIL PROTECTED]
To: botnets@whitestar.linuxbox.org
Subject: New SQL Bot?
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

Starting yesterday I began seeing a few attempts at an XSS attack. Posting in case someone else knows something about it, or has been seeing it. Wouldn't be that much of a deal, but I also see the same entries on a webserver on a completely different netblock...

Apache entry is at: hxxp://SameDomainAsTheSendingEmail.com/NEWBOT
// END

FYI, I've been seeing about 200 attempts daily, coming from all sorts of hosts, so my suspicion is some form of 0-day was found and someone automated it. Haven't seen anything on the usual lists, so it could just be a new (unicode) spin on an older attack.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)
CEH/CNDA, CHFI

"Experience hath shewn, that even under the best forms (of government) those entrusted with power have, in time, and by slow operations, perverted it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB

___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
[botnets] Botnets using super hi tech encryption
Alright, it's Monday, thought some may need a laugh:

mta242.xxx.net [10/Dec/2007:07:13:11 -0600] GET /(Yvax:%20uggc:/jjj.tbbtyr-nanylgvpf.pbz/hepuva.wf)uggc:/jjj.tbbtyr-nanylgvpf.pbz/hepuva.wf HTTP/1.1 -

Is rot13 bleeding edge? By the way, this message has been encrypted with rot13 twice. Contact me for the key.

--
J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)

"I hear much of people's calling out to punish the guilty, but very few are concerned to clear the innocent." Daniel Defoe
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
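The decoding step for a log entry like the one above, as an added example that is not part of the original post: it pulls the request path out of each access-log line, URL-decodes it, applies rot13, and flags the entry when recognisable URL fragments show up only after decoding. The log sample is constructed from the request quoted above (plus one ordinary hit for contrast), and the marker list and the request-line regex are assumptions.

```python
"""Spot rot13-obfuscated request paths in Apache access-log lines.
Example code added to the thread, not from the original post."""
import codecs
import re
from urllib.parse import unquote

# Constructed sample: the request quoted in the post plus one ordinary hit.
SAMPLE_LOG = """\
mta242.xxx.net [10/Dec/2007:07:13:11 -0600] "GET /(Yvax:%20uggc:/jjj.tbbtyr-nanylgvpf.pbz/hepuva.wf)uggc:/jjj.tbbtyr-nanylgvpf.pbz/hepuva.wf HTTP/1.1" -
mta242.xxx.net [10/Dec/2007:07:14:02 -0600] "GET /index.html HTTP/1.1" 200
"""

# Assumes the usual "METHOD path HTTP/x.y" request line; quotes optional.
REQUEST_RE = re.compile(r'(?P<method>GET|POST|HEAD) (?P<path>\S+) HTTP/\d\.\d')

# Fragments a rot13'd URL hides and a plain path would show as-is (assumed list).
MARKERS = ("http:", "https:", "www.", ".com", ".js", ".php")


def rot13(text):
    """rot13 is its own inverse: applying it twice is the identity."""
    return codecs.decode(text, "rot_13")


def decode_path(path):
    """URL-decode, then rot13; report which markers appear only after decoding."""
    plain = unquote(path)
    decoded = rot13(plain)
    hits = [m for m in MARKERS if m in decoded and m not in plain]
    return decoded, hits


def scan(log_text):
    """Return one finding per request whose path decodes into URL-looking text."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded, hits = decode_path(m["path"])
        if hits:
            findings.append({"path": m["path"], "decoded": decoded, "markers": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["decoded"], f["markers"])
```

The URL-decode has to happen before the rot13 step, otherwise the `%20` survives as literal text and the markers straddle it; checking that a marker is absent from the plain path keeps ordinary requests that already contain `.js` or `www.` from being flagged.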
[botnets] LEO on list
Any LEO within NY/NJ/CT please shoot me an email offlist, or someone onlist with a trustworthy contact please get in touch. TIA

J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)

"I hear much of people's calling out to punish the guilty, but very few are concerned to clear the innocent." Daniel Defoe
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
Re: [botnets] mech config captured today
bodik wrote:
> yes, it was a ssh bruteforce. user installed oracle client recently, and forgot to change a password ;(( it was oracle:oracle

After all this time I don't know how stupid administrators are given access to administer machines. How hard can it be to block all access to ssh (iptables, ipfw, ipf, etc.) minus the ones that need access? It boggles me. How hard was it to find and install something easily found on the Internet (ossec) to mitigate against this? About 1 minute: ./install

Some of these compromised businesses need to start giving idiot admins the boot. Sorry if it's off-topic, harsh, etc., but man, experience, training and common sense sure go a long way.

J. Oquendo
SGFA (FW+VPN v4.1) SGFE (FW+VPN v4.1)

"I hear much of people's calling out to punish the guilty, but very few are concerned to clear the innocent." Daniel Defoe
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
Re: [botnets] blog spammer
bodik wrote:
> 64.59.139.153

That's quite interesting. If this indeed is, say, an infected Google server, I wonder if someone has found a way to infect users via, say, Google's adsense. That would be scary.

[Querying whois.arin.net]
[whois.arin.net]
OrgName:    Google Inc.
OrgID:      GOGL
Address:    1600 Amphitheatre Parkway
City:       Mountain View
StateProv:  CA
PostalCode: 94043
Country:    US

NetRange:   66.249.64.0 - 66.249.95.255
CIDR:       66.249.64.0/19

[EMAIL PROTECTED] trackback]# HEAD 64.59.139.153
400 Bad Request
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Length: 691
Content-Type: text/html; charset=utf-8
Client-Date: Wed, 03 Oct 2007 12:17:23 GMT
Client-Peer: 64.59.139.153:80
Client-Response-Num: 1
Proxy-Connection: close

[EMAIL PROTECTED] trackback]# GET 64.59.139.153
<HTML><HEAD>
<TITLE>Request Error</TITLE>
</HEAD>
<BODY>
<FONT face=Helvetica>
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width=80%>
<TR><TD>
<FONT face=Helvetica>
<big>Request Error (invalid_request)</big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face=Helvetica>
Your request could not be processed. Request could not be handled
</FONT>
</TD></TR>
<TR><TD>
<FONT face=Helvetica>
This could be caused by a misconfiguration, or possibly a malformed request.
</FONT>
</TD></TR>
<TR><TD>
<FONT face=Helvetica SIZE=2>
<BR>
For assistance, contact your network support team.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>

--
J. Oquendo
Excusatio non petita, accusatio manifesta
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
Re: [botnets] corrected Google information
bodik wrote:
> 66.249.65.77

Doh, sorry, un-caffeinated this morning, knew I resolved it from the list:

[EMAIL PROTECTED] trackback]# whois -h whois.arin.net 66.249.65.77
[Querying whois.arin.net]
[whois.arin.net]
OrgName:    Google Inc.
OrgID:      GOGL
Address:    1600 Amphitheatre Parkway
City:       Mountain View
StateProv:  CA
PostalCode: 94043
Country:    US

NetRange:   66.249.64.0 - 66.249.95.255
CIDR:       66.249.64.0/19
NetName:    GOOGLE
NetHandle:  NET-66-249-64-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
Comment:
RegDate:    2004-03-05
Updated:    2007-04-10

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google Inc.
OrgTechPhone:  +1-650-318-0200
OrgTechEmail:  [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2007-10-02 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

--
J. Oquendo
Excusatio non petita, accusatio manifesta
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
Re: [botnets] Botmasters Take Heed – You Are Being Put On Notice
Parity wrote:
> My outbound proxy server reports that www.castlecops.com is timing out. Go figure.
>
> It occurs to me that if I really had it in for someone, I could probably just impersonate them and go shit-talking some bot-herders. Kinda like a smurf attack that provokes noise from irritable kids instead of misconfigured routers.
>
> pty

It's called Joe Job(bing).

--
J. Oquendo
Excusatio non petita, accusatio manifesta
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
[botnets] Why ISP's and NSP's Love Botnets
http://www.infiltrated.net/?p=29

Biased... In all honesty I don't believe so.

--
J. Oquendo
Excusatio non petita, accusatio manifesta
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
Re: [botnets] Why ISP's and NSP's Love Botnets
John Fraizer wrote:
> OK. If a service provider (ISP/MSP/*SP) is buying bandwidth based on data transferred vs raw line rate of the transport medium, there are two words to describe that provider: Mom & Pop. It is just that simple.

Regardless of mom and pop, how about calling them a customer, regardless of whether they're paying you 1,000.00 or 1,000,000.00.

> The overwhelming majority of malware we're seeing is not sourcing from RFC1918 space and much of it is intelligent enough not to scan into RFC1918 space and while I agree that RFC1918 should not ever make it past the CPE, let alone the customer aggregation router, access-lists are not where it's at.

Filtering was used as an example and I didn't want to add bogons because of the arguments behind them. I could have added RBLs, SORBS, etc., and filtering and acronyms until my face turned blue. It was posted as a briefer...

> There is something that can be done. The use of uRPF in strict mode on customer facing interfaces would be a nice start though. Strange that the author has so much supposed experience but they leave the most easily implemented filtering option out of their critique.

See above.

> As for using ip audit and ip cef, they have their place but, any respectable provider is going to be collecting netflow exports from their routers and doing automated analytics on that flow information using any one of several publicly available netflow collectors - perhaps even augmented by a commercial solution such as the Arbor PeakFlow SP.

You're right, I should have posted about Peakflow. I've spoken with and dealt with Sunil James in hopes I could create an open source protection script based off of Arbor's data for the sake of (drum roll...) protecting networks that might not be able to afford Peakflow... Guess what... "We're sorry...": So instead of just talking crap I took the time to do what I thought was productive...

The ATLAS Initiative wrote:

Jesus,

Are you looking to do this for your own managed devices, or for devices you manage for customers?

Sunil

Sunil James | [EMAIL PROTECTED]
Product Manager
Arbor Networks Inc. | http://www.arbor.net
734.821.1460 work | 734.327.9048 fax
PGP KeyID: 0xA18E302F

On Jun 8, 2007, at 1:27 PM, J. Oquendo wrote:

The ATLAS Initiative wrote:

Dear Jesus,

Thank you for expressing interest in ATLAS. Today, only select ATLAS partners and customers can access the private portal. Tomorrow, however, Arbor will be making available a web services-based ATLAS subscription service that can be pulled directly into pre-existing security offerings. If you'd like to be kept apprised of this future Arbor product offering, or if your interest is of another nature, please reply with a brief description of what you're looking to accomplish, and a good time next week when we can chat further.

Best regards,
Sunil James
Product Manager
The ATLAS Initiative | [EMAIL PROTECTED]
Arbor Networks Inc. | http://www.arbor.net
734.327. work | 734.327.9048 fax
PGP KeyID: 0x99A512EB

I was looking to utilize some of the host based information Atlas gathers in order to automatically block these hosts via firewalls and IDS/IPS equipment.

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say; fools, because they have to say something." -- Plato

I'm looking to do this so I can return an open source tool for anyone looking for something similar.

// End snip

> As for access-list oneliners, if you want to see a router melt down, go ahead and apply an ACL to block that 2 million packets per second, 2Gb/s DDoS heading towards your customer. Let us know how that works out for ya, OK?

You missed the point where I rambled on about having NSPs contact their downstreams and work with them to mitigate things to a point where it never gets there. If all the big players did that, AT&T, Verizon, BT, etc., do you think there would be such a thing as a botnet? As for the rest of your counterpoints, well taken, however I go back to mine:

> It's easy to be a little stub ISP or better yet, an end-user and start pointing the finger screaming and yelling about what others have been doing. Come back and talk to me when your smallest network drain is OC48 and you're connecting pops with multiple OC192 links. There is a lot going on in the shadows to combat botnets and other miscreant activities that most folks don't have credentials to know about.
>
> ~John

engineers will get their acts together as opposed to spending the time "engineering" an email to a mailing list to dispel what's posted here.

sil
Re: [botnets] Why ISP's and NSP's Love Botnets
John Fraizer wrote:
> Carrier grade routers are designed to route (or switch in the case of MPLS) packets at line-rate. When you start applying ACLs, the performance hit is not trivial - especially when you've got interfaces doing 1-Mpps+ under *normal* load.

Alright, so let me start again... I stated that if NAPs and NSPs contacted their customers, lowly DS3 guys like me, and stated "Look, here is what you need to do to avoid having your network send out garbage...", imagine for a second if a fraction of NAPs started implementing these policies how much garbage traffic would be curtailed.

> Go look and see how much a TMS costs. Now, consider a medium sized provider with a backbone that covers about 25 states. How many TMS devices does that provider need to deploy? How much extra capacity does that provider need to deploy on their network to be able to divert traffic to the closest TMS?

And how much would it cost for the following:

Dear Valued Customer,

Beginning December 2007, we will be asking our customers to help make our networks more efficient. We ask that you view a set of pre-defined guidelines created by industry experts and implement them on your routers and switches. Should you need assistance please contact us.

Sincerely,
Your Provider
Working to make the Internet Safer.

> I wasn't the one who went out and started talking smack on IRC and invited Joe Botherder to take his best shot at me. It was my misguided customer.

It's that customer I know I wouldn't want on my network. Even if they did pay X over bandwidth I just wouldn't want them.

> This notion that it is the responsibility of the providers to protect their customers is analogous to the two of us walking into a bar and you thinking that just because I'm a Marine that you can go pick the biggest, baddest mofo in the bar and pick a fight with him and it will be my job to fight him *for you*...

Is it? I look at this analogy: you go to a car dealer, say Nissan, purchase your car. Brake problems? I take it back to the dealer. Oh my, did you email or call me to say an attacker has the potential to affect the GPS and re-route my destination, even stop me from getting there? Wow, and you even sent me instructions on how to avoid it. Know what, I'd appreciate that car dealer. I'd even go tell another Nissan owner, hey, did you hear the news...

> It exists. It's been around for quite some time. uRPF + RFC1998
>
> And a newer concept: http://tools.ietf.org/id/draft-marques-idr-flow-spec-04.txt

I meant to make mention of a lot of things. When I rambled on it was rambling on. It was to make a point. I'm sure there are tons of things a lowly provider can do; maybe they're misguided as you say I am, maybe some just don't know about these things. How about guidance from the big boys. How about a template from the industry's experts. How about guidance from the big boys before it's too late: http://www.darkreading.com/document.asp?doc_id=130745

I sincerely enjoy, word for word, the learning experience here, so please don't misunderstand my communication at any given time, and should you tell me to STFU I'd respect that too, but I'm trying to understand why it can't be done and sadly I'm still seeing nothing more than an excuse. Not from you per se, but overall there is STILL no reason why networks can't be cleaner.

> The bad guys aren't just 15-y/o zit-faced punks trying to impress their friends anymore. It is organized crime, terrorists, rogue nations, etc. These people don't have any more of a problem putting a bullet in your head than they do sending a ping-flood your way. For that reason, among others, the intelligence gathering and mitigation activities are conducted under the cloak of secrecy. It's all about operational security.

Understandable as well, and appreciated on the schooling I'm getting.

J. Oquendo
Excusatio non petita, accusatio manifesta
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
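As an added example (not code from either poster, nor from any vendor product), here is what the three filtering ideas raised in these two messages look like when applied to collected flow records: a strict-uRPF check, where a customer's source address is accepted only if it belongs to the prefixes routed to the interface it arrived on; RFC1918/bogon source filtering; and the kind of fan-out analysis a NetFlow collector would run to spot a customer host sweeping a port. The interface names, customer prefixes, thresholds and flow records are constructed, and the bogon list is deliberately short.

```python
"""Edge checks over NetFlow-style records: strict uRPF (source must belong to
the prefixes routed to the ingress interface), RFC1918/bogon source filtering,
and a fan-out heuristic for scanners.  Example code added to the thread; the
interfaces, prefixes and flows below are constructed, not from any provider."""
import ipaddress
from collections import defaultdict

# Assumed customer-facing interfaces and the prefixes routed to each of them.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/24")],
}

# Sources that should never arrive on a customer port (RFC1918 plus a few
# other well-known bogons; a production list would be larger and maintained).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flows: (ingress interface, src, dst, proto, dport, packets).
FLOWS = [
    ("ge-0/0/1", "192.0.2.10",   "203.0.113.5", 6,  80,  40),    # normal web traffic
    ("ge-0/0/1", "203.0.113.77", "203.0.113.5", 17, 53,  1000),  # spoofed source (reflection)
    ("ge-0/0/2", "10.1.1.1",     "203.0.113.9", 1,  0,   50),    # RFC1918 source leaking out
    ("ge-0/0/2", "198.51.100.7", "203.0.113.1", 6,  445, 1),     # one host sweeping tcp/445 ...
    ("ge-0/0/2", "198.51.100.7", "203.0.113.2", 6,  445, 1),
    ("ge-0/0/2", "198.51.100.7", "203.0.113.3", 6,  445, 1),
    ("ge-0/0/2", "198.51.100.7", "203.0.113.4", 6,  445, 1),
    ("ge-0/0/1", "192.0.2.10",   "203.0.113.6", 6,  443, 12),    # normal
]


def is_bogon(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)


def urpf_strict_ok(iface, src):
    """Strict uRPF: accept only if the route back to src points at iface, which
    for a stub customer means src lies inside that customer's prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(iface, []))


def analyze(flows, fanout_threshold=3):
    """Classify flows: bogon sources, uRPF failures, then fan-out on what remains."""
    bogon, urpf_drop = set(), set()
    targets = defaultdict(set)  # (src, dport) -> distinct destinations
    for iface, src, dst, proto, dport, _pkts in flows:
        if is_bogon(src):
            bogon.add(src)
            continue
        if not urpf_strict_ok(iface, src):
            urpf_drop.add(src)
            continue
        if proto == 6:  # TCP only: one source hitting many hosts on one port
            targets[(src, dport)].add(dst)
    scanners = sorted(k for k, dsts in targets.items() if len(dsts) >= fanout_threshold)
    return {"bogon": sorted(bogon), "urpf_drop": sorted(urpf_drop), "scanners": scanners}


if __name__ == "__main__":
    print(analyze(FLOWS))
```

The order matters: bogon and uRPF checks are per-packet decisions a router can make at the edge with no state, while the fan-out count only becomes meaningful over a collection interval, which is why it runs on the flows that survived the first two checks.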
Re: [botnets] Tor C&C? (Was: Re: Alternative Botnet C&Cs - free chapter from Botnets: The Killer Web App)
Marco Gruss wrote:
> While we're on the subject of alternative C&Cs, a thought just crossed my mind: Suppose a bot herder started packaging Tor with his malware in order to host the C&C on a .onion web site/irc server. Any idea what could be done to mitigate those?!
>
> As long as the secret key to the onion ID isn't lost, any tor node could be turned into the C&C without the danger of losing its name like a DNS name.
>
> Marco

Regardless if something is running on Tor, you could filter that part on a port level with your routers, firewalls, etc. A scarier/deadlier combo would be covert channeling (TCP via ICMP) with some type of false DNS server information running. (http://www.phrack.org/issues.html?issue=51&id=6#article)

E.g.:

InfectedHost -- (TCP||UDP (tunneled in ICMP)) -- ControllingServer

Where the InfectedHost and ControllingServer had mechanisms to keep ICMP packets under the radar.

E.g. 2: ControllingServer receives, say, 1000 ICMP messages, recompiles the TCP||UDP info, buffers it and dishes it out on a go-as-needed basis. Would be difficult to contain and discern from legitimate traffic if done correctly.

While I don't really tinker with understanding botnets, I'd like to think/pretend ;) I know enough about networking. I can think of a lot worse mechanisms to go undetected, but I'd rather not. Gadi, and others who I've had the pleasure to correspond with via lists and emails, can freely email me on a multicast threat theory lurking in the shadows... Certain things I choose not to bring to public light anymore lest I become a bigger pariah.

DNS server spoofing though, is a lot easier to mitigate against and contain from a netops perspective... Wait a minute... I have a /22 and I know damn well I only have 4 DNS servers... Therefore everyone else gets blocked.
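The detection side of the two channels just described, as an added example that is not from the post: outbound DNS is held to the handful of resolvers a prefix actually runs, and ICMP echo requests are checked for payloads that do not look like a stock ping, which is what carrying TCP or UDP inside ICMP (the Phrack technique linked above) leaves behind on the wire. The /22, the four resolver addresses, the per-source threshold and the packet sample are constructed; the "stock ping" test encodes the Windows default pattern and the incrementing filler iputils writes after its timestamp.

```python
"""Egress checks: DNS to anything but our own resolvers, and ICMP echo traffic
whose payload does not look like a normal ping (tunnel tell-tale).
Example code added to the thread; prefix, resolvers and packets are constructed."""
import ipaddress
from collections import Counter

OUR_PREFIX = ipaddress.ip_network("10.20.0.0/22")                   # assumed /22
RESOLVERS = {"10.20.0.10", "10.20.0.11", "10.20.1.10", "10.20.1.11"}  # the only 4 DNS servers

# Default payload of the Windows ping client.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def is_standard_ping(payload):
    """True for the stock Windows pattern, or when the last 32 bytes are an
    incrementing run (iputils fills the data after its timestamp with
    0x10, 0x11, 0x12, ...).  Tunnel chunks fail both tests."""
    if payload == WINDOWS_PING:
        return True
    tail = payload[-32:]
    return len(tail) == 32 and all(tail[i + 1] - tail[i] == 1 for i in range(31))


def dns_violation(pkt):
    """A DNS query from inside our prefix to something other than our resolvers."""
    return (pkt["proto"] in (6, 17) and pkt["dport"] == 53
            and ipaddress.ip_address(pkt["src"]) in OUR_PREFIX
            and pkt["dst"] not in RESOLVERS)


def audit(packets, echo_threshold=3):
    """Return DNS egress violations and sources sending repeated odd echo requests."""
    dns_hits, odd_echo = [], Counter()
    for p in packets:
        if dns_violation(p):
            dns_hits.append((p["src"], p["dst"]))
        elif p["proto"] == 1 and p["icmp_type"] == 8 and not is_standard_ping(p["payload"]):
            odd_echo[p["src"]] += 1
    suspects = sorted(src for src, n in odd_echo.items() if n >= echo_threshold)
    return {"dns_violations": dns_hits, "icmp_suspects": suspects}


# Constructed traffic sample.
def _pkt(proto, src, dst, dport=0, icmp_type=None, payload=b""):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport,
            "icmp_type": icmp_type, "payload": payload}


LINUX_PING = bytes(16) + bytes(range(0x10, 0x38))   # timestamp slot + 0x10..0x37 filler
# Four "tunnel" chunks: 2-byte sequence header followed by 60 bytes of carried data.
TUNNEL_CHUNKS = [bytes([0, i]) + bytes((i * 37 + k * 91 + 11) % 256 for k in range(60))
                 for i in range(4)]

PACKETS = [
    _pkt(1, "10.20.0.5", "203.0.113.1", icmp_type=8, payload=LINUX_PING),
    _pkt(1, "10.20.1.7", "203.0.113.1", icmp_type=8, payload=WINDOWS_PING),
    _pkt(17, "10.20.0.5", "10.20.0.10", dport=53),
    _pkt(17, "10.20.3.3", "10.20.1.11", dport=53),
    _pkt(17, "10.20.2.9", "203.0.113.53", dport=53),        # bypassing our resolvers
] + [_pkt(1, "10.20.2.9", "203.0.113.50", icmp_type=8, payload=c) for c in TUNNEL_CHUNKS]


if __name__ == "__main__":
    print(audit(PACKETS))
```

The DNS rule is the cheap, exact one and belongs in the edge ACL; the echo-payload heuristic is only a tell, so it counts per source over a window rather than alerting on a single packet, since one odd ping from a diagnostic tool is normal and forty of them to the same host are not.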
[botnets] Increased SSH activity
Normally, I wouldn't bother with this since SSH brute force attempts are so yesterday, however I found this a bit odd. I manage somewhere in the vicinity of about 50-60 VoIP servers, 20-30 http/mail/etc. servers and have created a sort of distributed IDS against brute force attempts. All machines report to one syslog server, and that syslog server generates the unique addresses that have attacked that machine and stores them in a file. That file is then uploaded to every single machine I manage, under the guise that if someone attacked one machine, I don't want that connection touching any.

Anyhow, I noticed one particular machine being attacked by seven addresses in the vicinity of about an hour. One machine! It does nothing but register SIP accounts. Nothing more, nothing less. The machine was hardened so I'm not worried about someone getting into it; what I'm curious about is whether or not anyone has noticed an increase of ssh brute force attempts this weekend?

217.173.42.144 (42-144.vivanet.hu)
203.64.237.10 (elearning.fec.edu.tw)
87.248.185.156 (87-248-185-156.starnet.md)
200.5.116.58 (servidor.energiasanjuan.com.ar)
65.111.170.42 (42-170-111-65.serverpronto.com)
220.130.193.125 (220-130-193-125.HINET-IP.hinet.net)
200.31.6.148 (sc-core2.impsat.net.ec)

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

"The happiness of society is the end of government." John Adams
Re: [botnets] mocbot spam analysis
virendra rode // wrote:
> Just curious, are you addressing this via IPs / port(s)? If so, what happens if these IPs are doing port hopping? Are you doing any sort of L7 monitoring? What happens if it is a virtual IP? How are you guys doing any bogon filtering?
>
> regards,
> /virendra

Me personally, I have zero tolerance for bs. The scenario I described would be for my own network and probably should not be used in a WAN scenario. Again, I did mention I no longer work at the ISP level nor do I work in academia land any longer, so my notions don't apply to those types of industries. However I will give you a better scenario if you do work in those industries...

Firstly, I again know no one on the planet who should come knocking on those port doors, so my reaction is to block them out. They're infected machines, so I see no reason to allow them anywhere on your network, traversing your network, heck, even wasting a ping on your network. What you could do is flush your rules every twenty four hours or so, rinse and repeat.

I fail to see your logic in wondering what happens if they can't connect. Maybe I'm misconstruing your response, but if it is a "well, what happens if they can't connect", good for them. They should take their infested traffic elsewhere. To be fair, a script to flush your rules would be nice, sure. Me? On my personal network, I don't care if they re-connect or blow up.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
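The shared blocklist described in the "Increased SSH activity" post, combined with the allowlist of hosts that legitimately need ssh (the point made in the mech-config reply) and the periodic rule flush mentioned in this message, as an added example that is not the poster's own tool: it parses sshd failures forwarded to a central syslog host, skips any source that is inside the allowlist or whose last failure is older than the flush window, and renders the iptables lines each managed machine would load. The syslog excerpt is constructed (three of the addresses are ones listed in the post; the hostnames, user names, the 192.0.2.0/24 admin allowlist and the clock value are assumptions).

```python
"""Turn sshd failures collected on a central syslog host into one blocklist
every managed box can load: unique attacking sources, minus an admin
allowlist, expired again once older than the flush window.
Example code added to the thread, not the poster's tool."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed syslog excerpt.  The three public addresses are ones named in
# the post; hostnames, users and 192.0.2.44 are made up.
SAMPLE_SYSLOG = """\
Oct  6 03:12:41 sip01 sshd[2231]: Failed password for invalid user oracle from 217.173.42.144 port 51102 ssh2
Oct  6 03:12:44 sip01 sshd[2233]: Failed password for root from 217.173.42.144 port 51110 ssh2
Oct  6 03:40:02 web03 sshd[990]: Failed password for invalid user admin from 203.64.237.10 port 4022 ssh2
Oct  6 04:01:15 mail01 sshd[3321]: Failed password for jdoe from 192.0.2.44 port 50001 ssh2
Oct  5 01:00:00 sip02 sshd[7770]: Failed password for root from 87.248.185.156 port 3300 ssh2
Oct  6 04:05:00 sip02 sshd[7801]: Accepted publickey for sil from 192.0.2.44 port 50010 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")

ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]   # assumed admin hosts: never blocked
NOW = datetime(2007, 10, 6, 5, 0, 0)                 # assumed clock on the syslog host
FLUSH_WINDOW = timedelta(hours=24)                   # "flush your rules every twenty four hours"


def parse_failures(text, year):
    """Yield (timestamp, host, user, src) for each sshd failure line.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["user"], m["src"]


def allowed(src):
    return any(ipaddress.ip_address(src) in net for net in ALLOWLIST)


def build_blocklist(text, now=NOW, window=FLUSH_WINDOW, min_failures=1):
    """Unique sources with >= min_failures failures inside the window,
    allowlisted sources excluded.  Sorted so the file diffs cleanly."""
    counts = {}
    for ts, _host, _user, src in parse_failures(text, now.year):
        if now - ts > window or allowed(src):
            continue
        counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= min_failures)


def render_rules(blocklist, chain="INPUT"):
    """iptables one-liners each managed host applies; rendered, not executed."""
    return [f"iptables -I {chain} -s {src} -j DROP" for src in blocklist]


if __name__ == "__main__":
    for rule in render_rules(build_blocklist(SAMPLE_SYSLOG)):
        print(rule)
```

Two details carry the weight here: the allowlist is checked before counting, so an admin who fat-fingers a password from a known host never locks every box out of ssh, and the window is evaluated against the syslog host's clock, so the nightly regeneration of the file is what drops stale entries rather than a separate flush job on each machine.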