North American Network Operators Group

Re: DNS Hijacking by Cox

  • From: Joe Greco
  • Date: Mon Jul 23 19:06:48 2007

> > > On Mon, 23 Jul 2007, Joe Greco wrote:
> > > > I can't help but notice you totally avoided responding to what I wrote;
> > > > I would have to take this to mean that you know that it is fundamentally
> > > > unreasonable to expect users to set up their own recursers to work around
> > > > ISP recurser brokenness (which is essentially what this is).
> > > 
> > > It's more reasonable to expect users to know how to remove bots and fix
> > > their compromised computers?
> 
> > No amount of IRC redirection is going to remove bots and fix their
> > compromised computers.
> >
> >... JG
> 
> I disagree. A lot of the compromised computers are still using the old
> versions of like Phatbot, agobot, rxbot, all of which have the remove
> commands. Placing the .remove in the subject line will effectively
> remove the bots as they join the channels. The .remove will effectively
> completely remove the bot from their computer, not everything else, but
> at least that bot instance is done. It's one way a lot of IRC networks get
> rid of the botnets started on their networks; simply G-lining them
> causes them to keep trying to reconnect. Granted it won't stop the more
> experienced script kiddies, but it will certainly stop the ones who use
> the preconfigured scripts because they don't know what the source code
> means. As many have said this is more about numbers. The number of
> infected computers within their network used to DDoS and Spam compared
> to the number of legitimate IRC users. Unfortunately the number of
> zombies outweighs the good.

Disagree all you want, but once a box is compromised, it is compromised.
You can never really know what's happened on the box, and removing the
obvious sign that the box is compromised is curing the symptom, not the
ill.  That's not actually a fix, though I fully expect that someone here
will argue otherwise.

If this is so effective, wouldn't it have been a better idea to work with
the folks at irc.vel.net to do this on their end?  Global benefit and 
all, AND it would not be stealing someone else's domain name in order to
do this.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.