Full Version: Warning on Botnet activity
The Planet Forums > Security > Firewalls
leunga
Please help me. I've received a warning email telling me that my server is involved in Botnet activity. I don't know what it is and I don't know what to do. Please help me to avoid server suspension. I am innocent and my server must be hacked!
Matt2k
You will probably want to hire a skilled technician to help evaluate your options. There should be some around here that can help, or I believe you can also hire TP technicians directly.
Defiance
Just What Is a Botnet?

If you have kept your ear to the ground on DALnet, and know something about the attacks that have gone on, you may have heard of the word 'botnet'. If you have kept your eyes peeled, you may even have seen an IRCop or two racing around auto-killing entire channels for being 'bots'. So, just what is all this 'botnet' malarkey?

Well, let's begin at the beginning (in the words of a singing nun "it's a very good place to start"). Firstly, the bots we are talking about when we refer to botnets are not the cuddly and nice variety who some of you use in your channels to manage access lists, run quizzes, serve files or come up with corny lines. They do have something in common with those bots you know and love though, as they are automated and controlled by events (usually commands given in a channel).

The major difference between a bot in a botnet, and your common eggdrop or IRC client script bot in a channel, is that the botnet variety have been created with a trojan and, almost always, without the knowledge of the person whose computer they are running from.

The trojan may have got on to the person's computer by being wrapped up in a file that looks innocent - usually a game crack, something sex related, or it can simply be named to make you think it's an anti-virus program! It may have got there because there was some hidden code on a website that person visited, which downloaded it to their machine.

So, however it got there - the trojan is now on the person's computer and, unless they run a good anti-virus program, they won't know it's there. What happens next then? Well, the next time that computer is connected to the Internet, that trojan will start up an IRC client and connect to a server. Sometimes it is a server on DALnet, but more often these days it is an IRC server which has been set up on a shell account and paid for with a stolen credit card. The trojan will also have been coded to make the bot join a certain channel once it has connected.

If the trojan has infected many computers, then many bots will join the channel. I, and other members of the Exploits Team, have seen such channels with 4-5,000 bots there - each one of those bots is a home computer infected with a trojan. Scary, eh? A collection of these bots in a channel is a botnet, and even a couple of hundred of them can cause significant damage when used to attack servers.

Ok - so somebody has used a trojan script, modified it to his choice of server and channel names and, when he next goes online, there is a big bunch of bots waiting for him. So what happens next? Well generally these bots have a few uses. The person who has made them (botmaster or botherder are names often used to describe that person), can generally use channel commands to make the bots go out and spam your channels with a website that has the trojan on it...to make even more bots. Often he will also be able to launch raw text or CTCP attacks against channels he doesn't like, or get the bots to /msg or send a memoserv to him telling him the nickname passwords of anyone who is infected and uses IRC networks with services. It gets a lot worse than that though, because the nastiest thing most of these bots can do is to launch Denial of Service attacks against servers - hundreds or thousands of bots all sending data to a server until its connection becomes saturated and/or the server crashes. Because the bots are making many home computers attack, from all over the world, we call this a Distributed Denial of Service attack (DDoS).

Who exactly gets a kick out of having a botnet? Well, certainly not you the DALnet chatter - all you get out of it is lots and lots of spam in your channel, and huge attacks if the botnet owner happens to feel like it. You also get to have lagged services and lots of netsplits when the bots are used to attack DALnet servers. DALnet doesn't benefit either, because when the bots are used to attack - the IRC servers going down are the least of anyone's worries. The attacks also affect the service providers who host those servers, meaning that people who have never heard of IRC suddenly can't get on the Internet. If it goes on for a long time, those service providers lose money and may have to lay people off work - so may any small businesses who were relying on those ISPs for email, websites etc. In short, that one botnet may cause real and tangible hardship in the lives of people who don't even know or care about IRC. So who is getting a kick out of it? Only the person who made that trojan, and his little bunch of friends who think it's a cool thing to do.

All is not lost though, because you can help stop the problem, not just by ensuring you don't get a trojan yourself, but by keeping alert for botnets and reporting them to IRCops when you do find one. Firstly you'll need to recognise a bot from an infected computer when you meet one.

Unfortunately, there is no set way to recognise a bot. Some will have some part of their nickname or ident all in common (eg XY-lucy, XY-jane, XY-laura), and some will have a real name field all in common. Others are recognisable because everything is random (eg nickname = zjral, host = xcdv@isp.com, real name = rxfk). Yet others use real looking nicknames, but are noticeable because there's an entire channel of them and nobody is chatting! Usually bots are silent until given commands in a channel, but some may 'report for duty' with a word, or phrase or even a dot (period). Lockdown Corp has a very good gallery of screenshots of a botnet owner in action.

When you do find them, what do you do? What you should never do is visit any websites they may be spamming - that's a short cut to getting infected yourself! What you should do is report anything you think may be a botnet to an IRCop who can remove them from the network (if on DALnet), or get the server shut down if it is somewhere else.
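The recognition heuristics in the post above (shared nick prefix, all-random nick/ident/realname, a shared real name field), turned into a small triage script. This is an added example, not code from the thread or from DALnet; the user listing is constructed and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a channel listing as (nick, ident, realname).
# Built to mirror the patterns the post describes; not real data.
CHANNEL_USERS = [
    ("XY-lucy", "lucy", "XY bot"), ("XY-jane", "jane", "XY bot"),
    ("XY-laura", "laura", "XY bot"), ("zjral", "xcdv", "rxfk"),
    ("qwtpk", "mnbv", "zxcv"), ("matt2k", "matt", "Matt"),
    ("Defiance", "def", "Defiance"),
]

PREFIX_RE = re.compile(r"^([A-Za-z]{2,}[-_])")  # e.g. "XY-" in "XY-lucy"

def prefix_clusters(nicks, min_size=3):
    """Group nicks by a shared leading token like 'XY-'; keep groups of min_size+."""
    groups = defaultdict(list)
    for n in nicks:
        m = PREFIX_RE.match(n)
        if m:
            groups[m.group(1)].append(n)
    return {p: ns for p, ns in groups.items() if len(ns) >= min_size}

def looks_random(s):
    """Crude randomness check: 4+ letters only, fewer than a quarter vowels (assumed threshold)."""
    letters = [c for c in s.lower() if c.isalpha()]
    if len(letters) < 4 or len(letters) != len(s):
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25

def shared_realnames(users, min_size=3):
    """Real name fields that several users have in common."""
    counts = Counter(real for _, _, real in users)
    return {r: c for r, c in counts.items() if c >= min_size}

def triage(users):
    """Return {nick: reason} for users worth reporting to an IRCop."""
    flagged = {}
    for prefix, nicks in prefix_clusters([u[0] for u in users]).items():
        for n in nicks:
            flagged[n] = f"shared prefix {prefix!r}"
    for nick, ident, real in users:
        if looks_random(nick) and looks_random(ident) and looks_random(real):
            flagged.setdefault(nick, "random nick/ident/realname")
    for real, c in shared_realnames(users).items():
        for nick, _, r in users:
            if r == real:
                flagged.setdefault(nick, f"{c} users share realname {real!r}")
    return flagged
```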
Matt2k
Please remember to cite your sources, Encyclopedia Brown
Defiance
QUOTE (Matt2k)
Please remember to cite your sources, Encyclopedia Brown


lol Dalnet
leunga
Thank you for the reply. It seems to be a very complicated thing. What shall I do now? Can I set up a firewall, disable services to avoid it?
Defiance
Scan the system and find out where the file is and delete it. It usually goes in your system32 folder.
leunga
QUOTE (Defiance)
Scan the system and find out where the file is and delete it. It usually goes in your system32 folder.


But, I am talking about Linux box. Anyone can provide further information?
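For a Linux box, the first check that follows from the explanation above (the bot starts an IRC client and holds a connection to a server) is whether any process on the host has an established connection to an IRC port. Added example, not from the thread: it parses `ss -tnp` style output, here a constructed sample; the port list is an assumption (6667 and 6697 are the registered IRC ports, the others are common in practice).

```python
import re

# Assumed IRC server ports: 6667 (plain) and 6697 (TLS) are registered,
# 6668/6669/7000 are commonly seen. Adjust to your environment.
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}

# Constructed sample of `ss -tnp` output; not taken from a real host.
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 198.51.100.9:51544 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 10.0.0.5:43210 203.0.113.7:6667 users:(("perl",pid=1337,fd=3))
ESTAB 0 0 10.0.0.5:80 198.51.100.20:40021 users:(("apache2",pid=901,fd=12))
ESTAB 0 0 10.0.0.5:51988 203.0.113.8:6697 users:(("httpd",pid=2210,fd=7))
"""

LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+):(?P<lport>\d+)\s+'
    r'(?P<peer>\S+):(?P<pport>\d+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)

def parse_ss(text):
    """Turn `ss -tnp` lines into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["lport"], d["pport"] = int(d["lport"]), int(d["pport"])
        d["pid"] = int(d["pid"]) if d["pid"] else None
        rows.append(d)
    return rows

def irc_connections(rows):
    """Established connections whose peer port is an IRC port: candidates for C2."""
    return [r for r in rows if r["state"] == "ESTAB" and r["pport"] in IRC_PORTS]

def report(text):
    """One line per suspicious connection: 'pid proc -> peer:port'."""
    return [f'{r["pid"]} {r["proc"]} -> {r["peer"]}:{r["pport"]}'
            for r in irc_connections(parse_ss(text))]
```

On the real host run `ss -tnp` as root and feed its output to `report()`; a web server or scripting interpreter holding an outbound IRC connection is the thing to investigate, then quarantine the process and the file it was started from.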
klaude
QUOTE (leunga)
Please help me. I've received a warning email telling me that my server is involved in Botnet activity. I don't know what is it and I don't know what to do. Please help me to avoid server suspension. I am innocent and my server must be hacked!


Give us a call as soon as you can. You need to work with our security group to secure your server. Quick action on your part will prevent any action from us towards your server.