Udostępnij za pośrednictwem


Don't you hate blogs which are updates with no technical content?

I know that I do - but I don't want you to think that I have dropped off the face of the planet.

 

The honest truth is that I have been stuck on a long term project which I can't really talk about. It is not "scary secret, Die Hard 4.0" stuff but it is not something that I can share with my readers. However, I was called in on an interesting case.

 A customer found that his FTP server was being repeatedly hit by requests from odd IP addresses - all of them attempts to log in. One request would be from Prague and the next would be from Turkey. It was clear from the pattern of names that this was some form of dictionary attack. Abigail would follow Abe who followed Aaron even though the attempts were from far apart - oh, and seperated by perhaps half a second. This is typical of a botnet though they rarely attack FTP servers since it is not a high profit activity compared to some other uses.

 

Tracing the IP addresses, they were generally from home systems. You might wonder how I could tell that. Well, in truth, there was more than an element of guesswork in it. I can say that they were normally registered with ISPs who cater for home users and they were on slower links. They generally had few if any exposed services. It is a pretty safe bet that they were home systems.

As for where the botnet was located, that is a harder question and I can only guess but most of the addresses were in the middle east or eastern europe and the names that it was trying were typical of Jewish names - A lot of Isaacs and Rachels and Abrahams in there. A bit of research showed that what I was seeing was a typical pattern for this botnet and that it was being used to harvest information when possible.

 

A more interesting question for the customer who had the server was what he could do about it. The answer, sadly, is not a lot. He could appeal to law enforcement who are probably already doing all that they can to find the botherder and whitelist addresses that he knows on the firewall.

 

The botnets are out there and they never sleep

 

More updates after next week when I am back in the office and doing my normal job again.

 

Signing off

 

Mark

Comments