Spam-Bot Intrusion Caught — Now What?
An anonymous reader wonders: "I've recently detected and halted an intrusion on my home computer, taken some actions to prevent further intrusions, and located the software that was running a bot agent. Cursory examination showed that the bot software is intended to act as an agent for spamming. Configuration files distinctly point at the user/host/domain of several bot-herders — damning evidence. Nothing would please me more than to see this botnet caught and disassembled; I'm sure much of the internet-using community would support this. Thanks in advance for your suggestions. So, to whom should I disclose this information for appropriate investigation, follow-up, and countermeasures?"
Spamhaus.
GENERATION 667: The first time you see this, copy it into your sig on any forum and add 1 to the generation
There is an organization, ShadowServer (www.shadowserver.org if I recall right), that specializes in mucking about with botnets. They'd probably have the right contacts and such to deal with that.
I had my own server broken into for the first time; it wasn't a botnet but a Bank of America-style phishing site. I discovered it when trying to make a subdomain with the control panel didn't work right. The provider said they cleaned some out but couldn't be sure, and then in fact I found the servers myself, in /root and /tmp disguised as other files. I mailed Yahoo and Google since both had email addresses being used, and told the ISP. Guess what? I got no response from Google, and none from the ISP (they totally suck too; I've been down for a month after being told to erase the disk, and they upgraded me - to Fedora Core 2! - and are so incompetent it is not even usable anymore. So I'm changing to a better managed hosting company rsn.)
I also found a number of commands changed in /bin; however, I couldn't tell if it was the crackers or the ISP who did that. It was running out-of-date software, and though they failed lots of FTP login probes, it looks like they got in through an out-of-use user's login somehow and promoted to root.
I did get a thank you from Yahoo. But the first one was clueless, ignoring the content of my letter. I got a second one from them saying thanks, but that they couldn't accept attachments. So I couldn't send them the proof.
At any rate, what I did is erase the disk, restore from backup and some checked files, and lose a lot of time. There is probably little more you can do than simply report to one of the links below that you have a botnet address, then as quickly as possible erase it.
Moral of the story? If you use a managed hosting service, keep a FULL backup locally. Run Tripwire or something similar; I will from now on. Use a hosting service that is not completely clueless. Do not try an upgrade or anything afterwards. Have a portable hard disk you can use - my iPod was very useful. The most annoying thing was having to spend lots of time on the phone with admins, and having my email and website hanging in the air. The answer is to immediately cut all your losses and get another system, maybe on another provider. Possibly you could even do this with a local machine and DynDNS temporarily, but if you're busy the last thing you have time to do is mess with crooks. The best thing that came from it is I discovered several other hosting companies from friendly clients who helped me get my jobs done.
The good folks at SANS do their best to act as early warning and protection for the net. They'd likely be interested in helping break this up AND they have the appropriate contacts in government and law enforcement to do so.
You can contact them here: http://isc.sans.org/contact.html and see if they are interested or can direct you to the appropriate person or agency contact.
Life is short: void the warranty.
Usually you won't get anything from the ISP. I start with ARIN and move to RIPE and APNIC as the search suggests. I run into one of two scenarios:
1) There is a properly listed contact for abuse reports to whom I send the complete relevant log entries in text format. I usually don't hear from them again, but I also don't see any further network abuse from that netblock owner.
2) The owner of the IP block is a complete and utter joke. Examples: they don't correctly configure their reverse DNS, so they will claim that you have the wrong IP address, they list an abuse contact that doesn't speak English, they send spam in reply to your abuse complaint (that actually made me laugh for a moment). In this case, you also won't hear anything, but you should probably go to the effort of banning such an irresponsible network at your firewall.
Generally you won't hear anything. You won't know if someone has seen or acted on your complaint. Just think of how many network abuse complaints a large, responsible network would have to deal with daily. There are also dozens of fly-by-nights that make it clear that they won't make their network behave no matter how much you complain.
Surprisingly, I've found that larger netblock owners are quite responsible. A threat to block their entire netblock at your firewall is an effective one, easy to carry out and perfectly justified. Just be sure to remove the block if they show that they have fixed your complaint.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
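The abuse-reporting routine described in the post above (look up the netblock owner in the registry, pull out the abuse contact and the block's extent, send the relevant log entries as plain text, and fall back to a firewall block when the owner is unresponsive) lends itself to a small triage script. The following is an added example and not code from the thread or from any registry; it works entirely on constructed inputs: a handful of hand-written firewall log lines in a simplified `src=/dst=/dpt=` form, and two hand-written whois-style records imitating the ARIN (`CIDR:`, `OrgAbuseEmail:`) and RIPE (`inetnum:`, `abuse-mailbox:`) layouts. The `lookup_whois` function is a stand-in for a real whois/RDAP query and only searches those constructed records.

```python
"""Triage helper: group hostile log entries by netblock owner and draft
abuse reports. Added example using constructed data only; lookup_whois()
does no network I/O and only consults the hand-written records below."""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines (documentation/TEST-NET addresses, not real traffic).
LOG_LINES = [
    "2006-03-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dpt=25",
    "2006-03-01T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 dpt=25",
    "2006-03-01T10:01:13 DROP src=198.51.100.42 dst=192.0.2.10 dpt=22",
    "2006-03-01T10:01:17 DROP src=203.0.113.9 dst=192.0.2.10 dpt=25",
]

# Constructed whois-style records imitating ARIN and RIPE output formats.
WHOIS_RESPONSES = [
    "NetRange:       203.0.113.0 - 203.0.113.255\n"
    "CIDR:           203.0.113.0/24\n"
    "OrgName:        Example Transit Ltd\n"
    "OrgAbuseEmail:  abuse@example-transit.invalid\n",
    "inetnum:        198.51.100.0 - 198.51.100.127\n"
    "netname:        EXAMPLE-ISP\n"
    "abuse-mailbox:  abuse@example-isp.invalid\n",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$")


def parse_log(lines):
    """Return one dict per log line that matches the simplified format."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def parse_whois(text):
    """Extract netblocks, abuse contact and owner name from an ARIN- or
    RIPE-style 'key: value' record. Returns abuse=None when no contact is listed."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("%", "#")):
            continue  # skip comments and free text
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), value.strip())  # first occurrence wins
    if "cidr" in fields:
        networks = [ipaddress.ip_network(c.strip()) for c in fields["cidr"].split(",")]
    elif "inetnum" in fields or "netrange" in fields:
        lo, hi = (fields.get("inetnum") or fields["netrange"]).split("-")
        networks = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
    else:
        networks = []
    return {
        "networks": networks,
        "abuse": fields.get("orgabuseemail") or fields.get("abuse-mailbox"),
        "name": fields.get("orgname") or fields.get("netname"),
    }


def lookup_whois(ip, responses=WHOIS_RESPONSES):
    """Stand-in for a registry query: return the constructed record whose
    netblock contains ip, or None if no record covers it."""
    addr = ipaddress.ip_address(ip)
    for text in responses:
        info = parse_whois(text)
        if any(addr in net for net in info["networks"]):
            return info
    return None


def format_event(e):
    """Plain-text log excerpt, the form the post recommends sending."""
    return f"{e['ts']} src={e['src']} dst={e['dst']} dport={e['dpt']}"


def build_reports(log_lines):
    """Group events by abuse contact. Returns (reports, unattributed_events)."""
    grouped = defaultdict(lambda: {"events": [], "networks": [], "name": None})
    unknown = []
    for e in parse_log(log_lines):
        info = lookup_whois(e["src"])
        if info is None or not info["abuse"]:
            unknown.append(e)  # owner unknown or lists no abuse contact
            continue
        entry = grouped[info["abuse"]]
        entry["events"].append(e)
        entry["networks"], entry["name"] = info["networks"], info["name"]
    reports = [{
        "to": abuse, "owner": entry["name"], "networks": entry["networks"],
        "count": len(entry["events"]),
        "body": "\n".join(format_event(e) for e in entry["events"]),
    } for abuse, entry in grouped.items()]
    return reports, unknown


def block_rules(networks):
    """Firewall rules for the 'unresponsive owner' case: one DROP per netblock.
    Remove them again once the owner demonstrates the problem is fixed."""
    return [f"iptables -A INPUT -s {net} -j DROP" for net in networks]


if __name__ == "__main__":
    reports, unknown = build_reports(LOG_LINES)
    for r in reports:
        print(f"To: {r['to']} ({r['owner']}), {r['count']} events in {r['networks']}\n{r['body']}\n")
    print("Unattributed:", unknown)
```

The script keys each report on the abuse address rather than on the source IP, so several hosts in one netblock produce one report with all of their log lines, which is what a large owner's abuse desk can actually act on; anything that resolves to no record, or to a record without a contact, is returned separately so it is not silently dropped.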