North American Network Operators Group


RE: DNS Hijacking by Cox

  • From: Raymond L. Corbin
  • Date: Mon Jul 23 18:45:57 2007

> > On Mon, 23 Jul 2007, Joe Greco wrote:
> > > I can't help but notice you totally avoided responding to what I
> > > I would have to take this to mean that you know that it is
> > > unreasonable to expect users to set up their own recursers to work
> > > ISP recurser brokenness (which is essentially what this is).
> > 
> > It's more reasonable to expect users to know how to remove bots and
> > their compromised computers?

> No amount of IRC redirection is going to remove bots and fix their
> compromised computers.
>... JG

I disagree. A lot of the compromised computers are still using the old
versions of like Phatbot, agobot, rxbot, all of which have the remove
commands. Placing the .remove in the subject line will effectively
remove the bots as they join the channels. The .remove will effectively
completely remove the bot from their computer, not everything else, but
at least that bot instance is done. It's one way a lot of IRC networks get
rid of the botnets started on their networks; simply glineing them
causes them to keep trying to reconnect. Granted it won't stop the more
experienced script kiddies, but it will certainly stop the ones who use
the preconfigured scripts because they don't know what the source code
means. As many have said this is more about numbers. The number of
infected computers within their network used to DDoS and Spam compared
to the number of legitimate IRC users. Unfortunately the number of
zombies outweighs the good.

Raymond Corbin
Support Analyst