On Tue, 8 Feb 2005, Justin Azoff wrote:
I found an irc channel with 3000+ irc bots in it including a few hundred edu's. I have it posted at
I started to sort them... Maybe I will finish when I get out of work or so. Here is the prettified/sorted list of the above... http://www.infiltrated.net/nanog-list-botlist
lynx -dump http://www.infiltrated.net/nanog-list-botlist | grep -i $MYDOMAIN
Further sorted:
http://www.infiltrated.net/nanog-botlist-comcast
http://www.infiltrated.net/nanog-botlist-edu
http://www.infiltrated.net/nanog-botlist-optonline
http://www.infiltrated.net/nanog-botlist-vz
http://www.infiltrated.net/nanog-botlist-cox
http://www.infiltrated.net/nanog-botlist-mspring
http://www.infiltrated.net/nanog-botlist-rr
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo GPG Key ID 0x0D99C05C http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C
sil @ infiltrated . net http://www.infiltrated.net
"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
Hi, you probably didn't think of this but it might not be a good idea to publish a list of 3000 computers that can be infected/taken over for further nastiness.
If you can privately send me a list of IP addresses (no need to sort) I can assist you to distribute this information securely?
Steve
On Tue, 8 Feb 2005, J. Oquendo wrote:
On Tue, 8 Feb 2005, Justin Azoff wrote:
I found an irc channel with 3000+ irc bots in it including a few hundred edu's. I have it posted at
I started to sort them... Maybe I will finish when I get out of work or so. Here is the prettified/sorted list of the above... http://www.infiltrated.net/nanog-list-botlist
lynx -dump http://www.infiltrated.net/nanog-list-botlist | grep -i $MYDOMAIN
Further sorted:
http://www.infiltrated.net/nanog-botlist-comcast
http://www.infiltrated.net/nanog-botlist-edu
http://www.infiltrated.net/nanog-botlist-optonline
http://www.infiltrated.net/nanog-botlist-vz
http://www.infiltrated.net/nanog-botlist-cox
http://www.infiltrated.net/nanog-botlist-mspring
http://www.infiltrated.net/nanog-botlist-rr
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo GPG Key ID 0x0D99C05C http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C
sil @ infiltrated . net http://www.infiltrated.net
"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
Stephen J. Wilcox wrote:
Hi, you probably didn't think of this but it might not be a good idea to publish a list of 3000 computers that can be infected/taken over for further nastiness.
If you can privately send me a list of IP addresses (no need to sort) I can assist you to distribute this information securely?
I haven't replied to posts just to agree in quite a few years now. In this case I feel very strongly about it, though. Me too!
I am sure these 3K users will appreciate getting re-pwned by 20 Bad Guys from nanog.
Gadi.
Stephen J. Wilcox wrote:
Hi, you probably didn't think of this but it might not be a good idea to publish a list of 3000 computers that can be infected/taken over for further nastiness.
Collecting that kind of list on any machine on the public internet takes only a day or so, so I don't think posting a list, where some of the IPs change anyway, should be considered a security threat.
If you can privately send me a list of IP addresses (no need to sort) I can assist you to distribute this information securely?
Pete
On Tue, 2005-02-08 at 20:13 -0500, J. Oquendo wrote:
On Tue, 8 Feb 2005, Justin Azoff wrote:
I found an irc channel with 3000+ irc bots in it including a few hundred edu's. I have it posted at
I started to sort them... Maybe I will finish when I get out of work or so. Here is the prettified/sorted list of the above... http://www.infiltrated.net/nanog-list-botlist
Here's a different version of the above, host'ed, awk'ed and sorted. NOTE: several of those hostnames did not resolve, so this list is not an exact duplicate.
http://jimpop.net/stuff/nanog-list-botlist-2005-02-08.sorted
-Jim P.
On Tue, 2005-02-08 at 23:01 -0500, Jim Popovitch wrote:
Here's a different version of the above, host'ed, awk'ed and sorted. NOTE: several of those hostnames did not resolve, so this list is not an exact duplicate.
http://jimpop.net/stuff/nanog-list-botlist-2005-02-08.sorted
If you grabbed this in the past few minutes, you might want to re-grab it. I didn't realize that there were some IP addrs in the original file. I regenerated the list and there are now 3085 IPs in that list.
-Jim P.
Wasn't there supposed to be a special mailing list set up for botnet tracking? If so can we please move this thread there and not continue it on the main nanog list...
--
William Leibzon
Elan Networks
william@elan.net
: Wasn't there supposed to be special mail list setup for botnet
: tracking?
:
: If so can we please move this thread there and not continue it on main
: nanog list...
Why worry? It's a done deal...
scott
You don't mass an army if you're not about to use it. This situation can (very quickly) have operational relevance. Bringing it to light to a wider forum than special interest groups is a good idea. You'd certainly care more if it was pointed at you.
- billn
On Tue, 8 Feb 2005, william(at)elan.net wrote:
Wasn't there supposed to be a special mailing list set up for botnet tracking?
If so can we please move this thread there and not continue it on the main nanog list...
On Tue, 8 Feb 2005, Bill Nash wrote:
You don't mass an army if you're not about to use it.
3000 is no longer that large, maybe a brigade but not an "army"...
This situation can (very quickly) have operational relevance.
If every botnet investigation is brought up at nanog, the list itself will lose relevance.
Bringing it to light to a wider forum than special interest groups is a good idea.
Appropriate people already saw the list and will take care. There are also special tools available that will take a list of IP addresses and notify the appropriate networks; doing it manually and then letting the whole list know (especially nanog, which has not only whitehats but a number of blackhats) is in itself a security issue, as has already been pointed out.
---
William Leibzon
Elan Networks
william@elan.net
Isn't it a good idea to collect the IP addresses rather than the ptr name? For instance, if I were an evil person in control of the ptr record of my own IP, I could easily make the name something like 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never be sure you got the right details!
Something like this is probably not very widespread (has anyone seen it in practice?), but I still think that for tracking purposes, ptr records are useless. IMHO.
Ketil
On Fri, Feb 11, 2005 at 03:45:52PM +0000, Ketil Froyn wrote:
Isn't it a good idea to collect the IP addresses rather than the ptr name? For instance, if I were an evil person in control of the ptr record of my own IP, I could easily make the name something like 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never be sure you got the right details!
Something like this is probably not very widespread (has anyone seen it in practice?), but I still think that for tracking purposes, ptr records are useless. IMHO.
Ketil
PTR records are just as pointless as A records... in a secured DNS hierarchy, this is less of an issue since you have to spoof the entire delegation chain. So either trust the DNS (both forward and reverse) or not. For forensics, collect the DNS labels and the IP addresses associated w/ them.
And yes, I have seen DNS spoofing in the wild, both A and PTR, although A spoofing is much more pronounced.
--bill
PTR records are just as pointless as A records... in a secured DNS hierarchy, this is less of an issue
We are not quite there yet, are we?
since you have to spoof the entire delegation chain. So either trust the DNS (both forward and reverse) or not. For forensics, collect the DNS labels and the IP addresses associated w/ them.
and yes, i have seen DNS spoofing in the wild, both A and PTR, although A spoofing is much more pronounced.
Question is, why bother and spoof?
Not possible with most modern IRCDs since they check forward and reverse DNS. So for example if your address is 1.2.3.4 and that resolves to 1-2-3-4.dsl.verizon.net, the ircd makes sure that 1-2-3-4.dsl.verizon.net resolves back to 1.2.3.4.
It's a simple and elegant solution that basically stops spoofing of this nature, on IRC anyway....
Adam
On Feb 11, 2005, at 10:45 AM, Ketil Froyn wrote:
Isn't it a good idea to collect the IP addresses rather than the ptr name? For instance, if I were an evil person in control of the ptr record of my own IP, I could easily make the name something like 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never be sure you got the right details!
Something like this is probably not very widespread (has anyone seen it in practice?), but I still think that for tracking purposes, ptr records are useless. IMHO.
Ketil
Adam Jacob Muller wrote:
Not possible with most modern IRCDs since they check forward and reverse DNS. So for example if your address is 1.2.3.4 and that resolves to 1-2-3-4.dsl.verizon.net, the ircd makes sure that 1-2-3-4.dsl.verizon.net resolves back to 1.2.3.4.
it's a simple and elegant solution that basically stops spoofing of this nature, on IRC anyway....
Wrong. On your IRCd. Not on mine.
Do I want to run my drone army on your IRCd?
Ketil Froyn wrote:
Isn't it a good idea to collect the IP addresses rather than the ptr name? For instance, if I were an evil person in control of the ptr record of my own IP, I could easily make the name something like 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never be sure you got the right details!
Something like this is probably not very widespread (has anyone seen it in practice?), but I still think that for tracking purposes, ptr records are useless. IMHO.
You are right, people can change it to be whatever they like, potentially.
What if they wanted to change the IP?
Think about what you said, and you will see why you are wrong.
Gadi.
On Mon, 2005-02-14 at 11:29 +0200, Gadi Evron wrote:
Isn't it a good idea to collect the IP addresses rather than the ptr name? For instance, if I were an evil person in control of the ptr record of my own IP, I could easily make the name something like 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never be sure you got the right details!
You are right, people can change it to be whatever they like, potentially.
What if they wanted to change the IP?
Think about what you said, and you will see why you are wrong.
I wouldn't collect the contents of an A record, if that's what you mean. I meant that it would be better to collect the IP of whoever is connected to the irc server directly, eliminating the entire, possibly misleading, step of DNS lookups. Faking that IP is more difficult.
Ketil
On Mon, 14 Feb 2005 12:50:17 +0000, Ketil Froyn <kfroyn@gnr.com> wrote:
On Mon, 2005-02-14 at 11:29 +0200, Gadi Evron wrote:
Isn't it a good idea to collect the IP addresses rather than the ptr name? For instance, if I were an evil person in control of the ptr record of my own IP, I could easily make the name something like 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never be sure you got the right details!
You are right, people can change it to be whatever they like, potentially.
What if they wanted to change the IP?
Think about what you said, and you will see why you are wrong.
I wouldn't collect the contents of an A record, if that's what you mean. I meant that it would be better to collect the IP of whoever is connected to the irc server directly, eliminating the entire, possibly misleading, step of DNS lookups. Faking that IP is more difficult.
Agreed.
I always store the original IP. If the PTR record matches with the A record (aka "paranoid DNS") then I additionally store the hostname from the A record, and permit the connection to go through.
But no matter what, always store the original IP. It's just four more bytes (sixteen for IPng), and TCP is more difficult to spoof than DNS.
Kevin Kadow
I wouldn't collect the contents of an A record, if that's what you mean. I meant that it would be better to collect the IP of whoever is connected to the irc server directly, eliminating the entire, possibly misleading, step of DNS lookups. Faking that IP is more difficult.
Agreed.
I always store the original IP. If the PTR record matches with the A record (aka "paranoid DNS") then I additionally store the hostname from the A record, and permit the connection to go through.
But no matter what, always store the original IP. It's just four more bytes (sixteen for IPng), and TCP is more difficult to spoof than DNS.
In the case of the actual drones, I don't see why you'd need the PTR, although it has helped me out before. In the case of C&Cs, PTR, A, etc. could be critical.
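The two technical points argued above (Adam Jacob Muller's forward/reverse check that IRCds perform, and Kevin Kadow's rule of always storing the connecting IP and attaching a hostname only when the PTR is forward-confirmed) in working form. This is an added example, not code from any participant in the thread or from any IRCd: the record layout, the `classify` / `group_by_domain` names and the per-domain grouping are choices made here, and the PTR/A data is a constructed fake zone in documentation address ranges so the example runs offline. The `system_ptr` / `system_a` defaults use the stock `socket` module for anyone who wants to run it against live DNS.

```python
"""Forward-confirmed reverse DNS for a list of IRC drone addresses.

The connecting IP is the one fact the server actually observed; the PTR
name is attacker-controlled and is kept only as an untrusted annotation.
A hostname is recorded as "confirmed" only when the PTR name resolves
back to the original IP (the check an IRCd does before showing a hostmask).
"""
import ipaddress
import socket
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None
ALookup = Callable[[str], List[str]]         # name -> list of A/AAAA addresses


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver (default; the offline demo injects a fake)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a(host: str) -> List[str]:
    """Forward lookup through the system resolver; [] when the name does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


@dataclass(frozen=True)
class DroneRecord:
    ip: str                        # original connecting IP, always kept
    ptr: Optional[str]             # raw PTR name as returned, untrusted
    confirmed_host: Optional[str]  # set only if PTR -> A maps back to ip


def classify(ip: str, ptr_lookup: PtrLookup = system_ptr,
             a_lookup: ALookup = system_a) -> DroneRecord:
    addr = ipaddress.ip_address(ip.strip())  # ValueError on junk input, by design
    ptr = ptr_lookup(str(addr))
    confirmed = None
    if ptr:
        name = ptr.rstrip(".").lower()
        forward = set()
        for a in a_lookup(name):
            try:
                forward.add(ipaddress.ip_address(a))
            except ValueError:
                continue  # ignore garbage returned for the forward name
        if addr in forward:
            confirmed = name
    return DroneRecord(ip=str(addr), ptr=ptr, confirmed_host=confirmed)


def sort_by_ip(records: Iterable[DroneRecord]) -> List[DroneRecord]:
    # Numeric sort: a plain text sort puts 192.0.2.100 before 192.0.2.20.
    return sorted(records, key=lambda r: ipaddress.ip_address(r.ip))


def group_by_domain(records: Iterable[DroneRecord], labels: int = 2) -> Dict[str, List[str]]:
    """Bucket IPs by the last `labels` labels of the confirmed hostname.

    Anything without a forward-confirmed name lands in "(unconfirmed)" rather
    than in whatever domain its PTR claims, which is the point of the check.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in sort_by_ip(records):
        key = "(unconfirmed)" if r.confirmed_host is None \
            else ".".join(r.confirmed_host.split(".")[-labels:])
        groups[key].append(r.ip)
    return dict(groups)


# Constructed fake zone for the offline demo (RFC 5737 documentation ranges; not real hosts).
FAKE_PTR = {
    "192.0.2.10": "cpe-192-0-2-10.cable.example-isp.net.",  # honest PTR with trailing dot
    "192.0.2.20": "1-2-3-4.dsl.example.net",   # PTR claiming to be someone else's DSL host
    "198.51.100.7": "host7.example.org",
    "198.51.100.9": "ghost.example.org",       # PTR exists, but the name has no A record
}
FAKE_A = {
    "cpe-192-0-2-10.cable.example-isp.net": ["192.0.2.10"],
    "1-2-3-4.dsl.example.net": ["1.2.3.4"],    # forward does not point back at 192.0.2.20
    "host7.example.org": ["198.51.100.8", "198.51.100.7"],  # multi-homed name still confirms
}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_a(host: str) -> List[str]:
    return FAKE_A.get(host, [])


# Constructed sample of connecting IPs as the IRC server would have seen them.
SAMPLE_IPS = ["198.51.100.7", "192.0.2.20", "192.0.2.10", "203.0.113.5", "198.51.100.9"]


def demo() -> Dict[str, List[str]]:
    return group_by_domain(classify(ip, fake_ptr, fake_a) for ip in SAMPLE_IPS)


if __name__ == "__main__":
    for domain, ips in demo().items():
        print(f"{domain:20s} {' '.join(ips)}")
```

Run against the fake zone, 192.0.2.20 ends up under "(unconfirmed)" rather than under the DSL domain its PTR claims, and so does 198.51.100.9, whose PTR name never resolves forward; the two honest hosts are grouped by their confirmed domains. Swapping `fake_ptr`/`fake_a` for the `system_*` defaults runs the same logic against live DNS.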
participants (13)
- Adam Jacob Muller
- Bill Nash
- bmanning@vacation.karoshi.com
- Gadi Evron
- Gadi Evron
- J. Oquendo
- Jim Popovitch
- Ketil Froyn
- Kevin
- Petri Helenius
- Scott Weeks
- Stephen J. Wilcox
- william(at)elan.net