Re: IRC DDoS bots
From: Johannes Ullrich (jullrich@euclidian.com)
Date: 03/14/03
- Previous message: Christine Kronberg: "RE: CodeRed Observations."
- In reply to: grwolf: "IRC DDoS bots"
- Next in thread: James C Slora Jr: "RE: IRC DDoS bots"
- Reply: James C Slora Jr: "RE: IRC DDoS bots"
- Reply: Jon Nelson: "Re: IRC DDoS bots"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 14 Mar 2003 12:56:18 -0500 From: "Johannes Ullrich" <jullrich@euclidian.com> To: "grwolf" <grwolf@adelphia.net>
O
> It's another mIRC based DDoS trojan that scans for NT-Password and IIS
> unicode exploits.
> So the next questions is... How do we go about apprehending the culprits?
> Can we somehow get wxmail.net revoked?
IRC bots are a common plague. We do play 'whack the bot' once in a while
if we find out about it. So far, I have yet to see a case successfully
prosecuted.
The best bet is to call however hosts the IRC server and have them yank
the server. Be ready to find some resistance and confusion as you talk
to your first 'tech support' person about IRC bots. Try to get through
to a security contact.
It looks like the particular server you where monitoring is no longer
responding. So maybe they took already care of it.
Regarding prosecuting: Talk to your local FBI office and see if you can
get them interested. However, usually they don't bother unless you have
significant damages (the 'official' threshold of $5,000 is usually no
enough).
If whoever is hosting this server is not cooperating, you may want to
try going for a civil suit. Its probably more promising but you need
the stomach/money for it.
If you need any further help, contact me off-list.
-- -------------------------------------------------------------------- jullrich@euclidian.com Collaborative Intrusion Detection join http://www.dshield.org ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
- Previous message: Christine Kronberg: "RE: CodeRed Observations."
- In reply to: grwolf: "IRC DDoS bots"
- Next in thread: James C Slora Jr: "RE: IRC DDoS bots"
- Reply: James C Slora Jr: "RE: IRC DDoS bots"
- Reply: Jon Nelson: "Re: IRC DDoS bots"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
