Hello,
We recently tracked down a botnet that attacked our network. We found the C&C server; it has approximately 40-50 servers, consisting of mostly *nix machines with high speed connections, for example AWS servers or dedicated, and attack capacity is 4-5Gb/s or more. Are there any contacts with law enforcement here that I can send the info over to?
On Sun, Jan 22, 2012 at 07:16:39PM -0600, A. Pishdadi wrote:
Sure is. Check with your local FBI office. /bill
On Jan 22, 2012, at 8:19 PM, bmanning@vacation.karoshi.com wrote:
Sure is. Check with your local FBI office.
Do you know how responsive and effective that is out here in rural America? Usually nada, even if you can find someone who speaks tech. I gave my local office a C&C complete with location in Phoenix and details on all the Italian bank intercepts that were stored there (open directory), and 2 weeks later it was still operating.
Tom
FBI sure - but if you have AWS servers in the mix, contact Amazon security first.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
The IPs are masked; you only see part of the IP/hostname. If there is someone from Amazon here, feel free to contact me. The C&C is hosted at theplanet/softlayer.
On Sun, Jan 22, 2012 at 20:26, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
FBI
I bet the FBI is going to be _particularly_ focused on dealing with botnets in the coming months. :o) But yes, the FBI is the place to go after contacting whatever abuse departments you can. (It's good to have a little courtesy before bringing out the sledgehammer).
-- Darius Jahandarie
We've been contacted by the Secret Service before regarding customer servers that have been doing shady stuff. Apparently they do a lot of the cybercrime work for the federal government. From what I've seen we've been contacted more by them than by the FBI. I did email a contact from the SS from an issue early in 2011; hopefully he responds.
Perhaps: http://www.cybercrime.gov/reporting.htm
James Laszko
Mythos Technology Inc
I attended a Cisco seminar on infrastructure security where the speaker was a former FBI agent. For reporting computer-related crimes, he recommended contacting your local Infragard office. http://www.infragard.net/
Of course I noticed that Infragard was hacked by LulzSec last June, so YMMV.
The appropriately named SS mainly deals with counterfeit currency, widespread ID theft (see also: Ryan1918) and threats to the President. There is nothing really you can do, and this is why:
1. If you contact the domain name provider, a backup domain is likely being used, so if that is shut down you lose your mole in your "whack-a-mole" game.
2. If you contact TP/Softlayer, see point #1.
3. I've had law enforcement become more interested in questionable images, which were probable cause, hosted on a third-party public image sharing service than in actually handing over information of law enforcement value, because you'll get that "we are looking into it" response. The probable cause example turned into a quick warrant and the suspect was arrested later that week.
4. I used to chase botnets. The emphasis is on "used to". It will burn you out dealing with it so much.
I would heed the advice of contacting cybercrime.gov, and if you catch bits and pieces of a domain name, send an email to the abuse contact. EDU abuse contacts are wonderfully helpful if they are a decent sized school. If they are some art college near Boston, good luck.
-- --C "The dumber people think you are, the more surprised they're going to be when you kill them." - Sir William Clayton
On Jan 23, 2012, at 2:46 AM, Chris wrote:
The appropriately named SS mainly deals with counterfeit currency, widespread ID theft (See also: Ryan1918) and threats to the President.
Actually, they have statutory authority to deal with computer crime, too; see http://www.secretservice.gov/criminal.shtml and http://www.law.cornell.edu/uscode/18/1030.html
--Steve Bellovin, https://www.cs.columbia.edu/~smb
Depends where they are located. I found Europol and the NHTCU somewhat helpful (but slow) to deal with some botnets controlled in Macedonia and Latvia. NHTCU were contacted because of the location of one of the attacked hosts.
-- Sent from my smart phone. Please excuse my brevity
From memory Ameen Pishdadi is the owner of GIGENET, run by Paul Ashley (aka XEROX), and comprised of the IP space and assets of FOONET. One would think that he has much contact with law enforcement. Or does my memory fail me?
Andrew
Andrew, it does fail you. The 35+ employees that work for GigeNET would be really insulted by you insinuating that their job roles have no merit. The combination of all the things they do is what makes the company run. So no, Paul does not run the company; put down the crack pipe. Why don't you find something else to troll besides a mailing list of industry professionals and a legitimate request for help.
participants (11)
- A. Pishdadi
- Andrew D Kirch
- bmanning@vacation.karoshi.com
- Chris
- Darius Jahandarie
- James Laszko
- Ken Gilmour
- Michael Fine
- Steven Bellovin
- Suresh Ramasubramanian
- TR Shaw