WeHostBotnets.com



  • Had a dropper attempting to slip a bot onto one of my webservers[1] and in the course of an investigation found that the C&C it was connecting to was still up and running.

    The IP has no rDNS but one WHOIS later identified the originating range - so I fired off a quick email to their abuse dept alerting them of a possibly-compromised server:

    @Cassidy said:

    Found in an attempted exploit:

        "server"=>"123.456.78.90", "port"=>"54321"

    Testing:

        $ telnet 123.456.78.90 54321
        Trying 123.456.78.90...
        Connected to 123.456.78.90 (123.456.78.90).
        Escape character is '^]'.
        NOTICE AUTH :*** Looking up your hostname
        NOTICE AUTH :*** Found your hostname, cached
        NOTICE AUTH :*** Checking Ident
       (subsequent lines revealing an active IRC network running.)


    Then I received this reply:

    @WeHostBotnets.com said:

    Hi,

    I think you should find the particular IP's from :-

    netstat -an | grep :80 | sort
    This will show only active Internet connections to the server on port 80 and sort the results. Useful in detecting a single flood by allowing you to recognize many connections coming from one IP.

    netstat -n -p|grep SYN_REC | wc -l
    Run this command to find out how many active SYNC_REC are occurring on the server. The number should be pretty low, preferably less than 5. On DoS attack incidents or mail bombs, the number can jump to pretty high.

    Find out those IP's which you find making high concurrent connections, try to stop them in your /etc/hosts.deny or in your firewall.
    --
    Get in touch: Twitter @wehostbotnets

    If you have any concerns or comments please feel free to ask for your ticket to be esculated to management.

    Ticket Details
    ===================
    Ticket ID: ABC-123456
    Department: Abuse
    Priority: Low
    Status: Open


    Now if you were a helldesk droid on the end of abuse@wehostbotnets.com, you have one of the following choices of action:

    1. wonder what the hell the email's about. Okay, so in my haste, I was economic with explanations. My bad.
    2. check the IP and realise it's one of ours and alert someone accordingly
    3. check the IP and the port, realise it's running an IRC network, alert the customer, possibly even yank the IP in the meantime until it's sorted
    4. reply with boilerplate instructions on how to deal with a website DoS.

    In my (admittedly limited) experience of botnets, they're no longer just bragging rights in the skript kiddiot playground - they've recently become monetized in a number of ways:

    • spam n scam: paid spam relays to advertise cheap wares, hot teen sluts, phish payloads or click-to-own "invoices"
    • harvesting: running keyloggers or cookie-trawling/traffic-sniffing on end-user kit
    • extortion: blackmail and threats of DDoS
    • growth: pen-testing and brute-forcing other IP ranges to sign up more zombies

    So the mention of a botnet tends to ring alarm bells with me, if not the thought of my kit being in someone else's hands but customer reputation and potential of finding that other servers of mine are being attacked from within.

    But wehostbotnets.com? Flag the ticket low-priority.

    [1] yes, there are many attempts. Yes, there have been (three) successes in the past and I've learned by mistakes. No, my defence mechanisms have held pretty well over the past 10 years.
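    As an added example (not code from the original post or from the hosting company), the two checks that appear in the exchange above implemented offline: the hoster's "count connections per IP and count SYN_RECV" triage, and the OP's "does this banner look like an ircd?" test. Both the netstat sample and the telnet transcript are constructed, the addresses are documentation ranges, the threshold is an assumption, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output; the addresses are documentation
# ranges, not anything from the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51237      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:40002       ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:33000        SYN_RECV
"""

# Constructed transcript in the shape of the OP's telnet test (documentation IP).
SAMPLE_BANNER = """\
Trying 192.0.2.10...
Connected to 192.0.2.10 (192.0.2.10).
Escape character is '^]'.
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Found your hostname, cached
NOTICE AUTH :*** Checking Ident
"""

# One TCP row of `netstat -an` on Linux: proto, queues, local, remote, state.
# UDP rows carry no state column and are deliberately skipped.
NETSTAT_ROW = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$"
)

# Classic ircd connection notices ("NOTICE AUTH :*** ..." on older daemons,
# "NOTICE * :*** ..." on newer ones), optionally prefixed with ":server".
IRC_NOTICE = re.compile(r"^(?::\S+\s+)?NOTICE (?:AUTH|\*) :\*\*\* ", re.IGNORECASE)


def _split_endpoint(endpoint):
    """Split 'ip:port' (IPv4 or bracket-free IPv6) on the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # header line or a proto without a state column
        local_ip, local_port = _split_endpoint(m["local"])
        remote_ip, remote_port = _split_endpoint(m["remote"])
        rows.append({"local_ip": local_ip, "local_port": local_port,
                     "remote_ip": remote_ip, "remote_port": remote_port,
                     "state": m["state"]})
    return rows


def connections_per_remote(rows, local_port):
    """Equivalent of `netstat -an | grep :80 | sort`, counted per remote IP.
    Listening sockets (remote '0.0.0.0:*') are excluded."""
    counts = Counter()
    for r in rows:
        if r["local_port"] == local_port and r["remote_port"] is not None:
            counts[r["remote_ip"]] += 1
    return counts


def half_open_count(rows):
    """Equivalent of `netstat -n | grep SYN_REC | wc -l`."""
    return sum(1 for r in rows if r["state"].startswith("SYN_REC"))


def flood_suspects(counts, threshold):
    """Remote IPs holding more than `threshold` connections to the port
    (candidates for hosts.deny or a firewall rule, as the reply suggests)."""
    return sorted(ip for ip, n in counts.items() if n > threshold)


def looks_like_irc_server(transcript):
    """True when a captured banner contains the ircd-style connection notices
    the OP saw; two or more lines are required so a single coincidental
    NOTICE does not classify the service."""
    hits = [ln for ln in transcript.splitlines() if IRC_NOTICE.match(ln.strip())]
    return len(hits) >= 2


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    per_ip = connections_per_remote(rows, 80)
    print("connections to :80 per remote IP:", dict(per_ip))
    print("half-open (SYN_RECV) connections:", half_open_count(rows))
    print("flood suspects (>3):", flood_suspects(per_ip, 3))
    print("banner looks like an IRC server:", looks_like_irc_server(SAMPLE_BANNER))
```

    The point of putting the banner test beside the netstat triage is that they answer different questions: the netstat counts tell you whether your own box is being flooded, while the banner test tells you what service is listening on the remote port you were handed. A boilerplate DoS reply addresses the first question when the report was about the second.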



  • @Cassidy said:

    So the mention of a botnet tends to ring alarm bells with me
    If what you quoted of your mail to the provider was the entire content: I don't actually see any mention of a botnet in there...



  •  Yup, I actually reread the whole thing to find that word, but nope... 



  • Sorry, that was the body of the mail.

    The subject line read:  Botnet on 123.456.78.90 (no rDNS)

    Copy n paste fail on my part.



  • That's a little better. Still, your mail seems a little bit on the terse side.

    It's like an oncoming driver flashing his headlights at you. What the hell does he mean? Is one of my front lights broken? Did I leave my high beams on? Is there a speed trap ahead? Did he mistake me for someone he knows? Is it some senile 80 year old granny who thinks that's the switch for the wipers? Is he on drugs? All of the above?!

     



  • @Cassidy said:

    @Cassidy said:

    Found in an attempted exploit:

        "server"=>"123.456.78.90", "port"=>"54321"

    Testing:

        $ telnet 123.456.78.90 54321
        Trying 123.456.78.90...
        Connected to 123.456.78.90 (123.456.78.90).
        Escape character is '^]'.
        NOTICE AUTH :*** Looking up your hostname
        NOTICE AUTH :*** Found your hostname, cached
        NOTICE AUTH :*** Checking Ident
       (subsequent lines revealing an active IRC network running.)

    But wehostbotnets.com? Flag the ticket low-priority.

    Alternative solution: Give us the real IP and let's all see if we can break into it and take it out!



  • Trolleybus Mechanic

    @Cassidy said:

    Sorry, that was the body of the mail.

    The subject line read:  Botnet on 123.456.78.90 (no rDNS)

    Copy n paste fail on my part.

     

    I can see them thinking you're a user desperately calling out for help because you found a botnet on your site. Maybe you're locked out of your domain and have to email from an external host.

    It isn't a GOOD conclusion, and a bit of reading comprehension on their part would have revealed that.

    You might want to email them again saying "I am not the owner of this site. But I run a site that was attacked by this botnet. During my own security investigation, I was able to trace back to discover the C&C running on your servers as [technical details].  You can confirm and reproduce by doing [XYZ]".

     Send it from a throwaway, anonymous email address. Do it via a proxy while at a cybercafe. Because if the ISP is as technically clueless as they seem, they'll freak out about the botnet, assume you hacked them, and shoot the messenger by way of phoning the FBI and reporting you as a terrorist hacking paedophile.

     



  • @Anonymouse said:

    Still, your mail seems a little bit on the terse side.
     

    True. It wasn't the first I'd sent that evening, and I didn't pay enough attention, so I'll accept a kicking on that front.

    @Lorne Kates said:

    I can see them thinking you're a user desperately calling out for help because you found a botnet on your site.

    Their response suggested I was a user with a website being DoSed.

    @Lorne Kates said:

    It isn't a GOOD conclusion, and a bit of reading comprehension on their part would have revealed that.

    .. and a bit of research: it's their IP, it should be one of their users and the contact for that site/customer won't have matched my email.

    @Lorne Kates said:

    You might want to email them again saying "I am not the owner of this site. But I run a site that was attacked by this botnet. During my own security investigation, I was able to trace back to discover the C&C running on your servers as [technical details].  You can confirm and reproduce by doing [XYZ]".

    I have.. kinda. Sprinkle a bit of Blakeyrant through your response and it'll match what I sent. I really should learn to compose email whilst not snarling, mind.

    @Lorne Kates said:

    Because if the ISP is as technically clueless as they seem, they'll freak out about the botnet, assume you hacked them, and shoot the messenger by way of phoning the FBI and reporting you as a terrorist hacking paedophile.

    I kinda feared that, although being UK-bound the FBI have no jurisdiction and are also (understandably) cautious about shooting first, given their spate of high-profile IT embarrassments. 



  • @DaveK said:

    Alternative solution: Give us the real IP and let's all see if we can break into it and take it out!
     

    Good morals expressly forbid me from ever lowering myself to such practice.



  • Why are you hosting your website at such a sleazy-sounding webhost? Of COURSE there will be a botnet on your site if you host it at wehostbotnets.com!



  • I work on a Helpdesk, so here are my thoughts...

    - I wouldn't expect half the people on the helpdesk I work on to know what a botnet is. It's not something they need to know about. They do end user support; they're not sys-admins.

    - The amount of tickets we get with subject lines completely disconnected to the body message is unbelievable. The subject says the user has a virus, the body message says they can't send email, so it must be a virus. In the end, the only information you can trust on is on the body. It's not abnormal to write off subject lines after a while, even though it's still bad practice. 

    - While the people on the helpdesk at my work do know about IPs, DNS and DHCP, I doubt at least half won't know about ports. Why would they need to know a port number? Everything we use to connect to the user defaults to a port, and no end user issues I've encountered are port-related.

    - While we don't send out ticket status/priorities updates on our ticket updates, it's very common to fire off an email on the first contact to the ticket (IE, to get more details) before actually changing the default ticket priority (Which is low). It's probable this would be different if that priority were visible to the user.

    While I know it's still a WTF they sent you DoS info, I can't imagine what you expected them to do with only a brief sentence and a telnet log (Which no one on a helpdesk would know about either, nor do they need to. I just did a search on >100,000 tickets, 6 mention "telnet").

    All you needed to do was ask that this ticket be escalated to a System Admin and state an active third party is using their servers illegally.



  • @Adanine said:

    <p class="MsoNoSpacing">

    You provided a sane, sensible reply, but you wrote it in Microsoft Word, so I'm going to complain about your post being dumb.



  • @Ben L. said:

    @Adanine said:
    <p class="MsoNoSpacing">
    You provided a sane, sensible reply, but you wrote it in Microsoft Word, so I'm going to complain about your post being dumb.
    If I type a post in CS on my browser, it'll time out after 5 minutes (Websense through company internet) and I lose the post. Also, it helps with spellcheck. Didn't realize it screws with CS :(. I'll go back to Notepad...

    Also, to clarify, my argument about port numbers is in relation to the below quote. I didn't mean to sound like I was against supplying the port number, only that it provides no information or use to the immediate contact.

    @Cassidy said:


    check the IP and the port, realise it's running an IRC network, alert the customer, possibly even yank the IP in the meantime until it's sorted


  • Discourse touched me in a no-no place

    @Adanine said:

    subject lines completely disconnected to the body message
    +1


  • ♿ (Parody)

    Did you forget to mention uncredited Mozilla testers in your email?



  • @Adanine said:

    I work on a Helpdesk, so here are my thoughts...

    • Blibble.
    • Ah, morning tea. Pukka!
    • Blobble.
    • Christ some people have no clue.
    • Blubble.
    • Ha ha, what a clown!.
    • Blabble.
    • What? I don't understand a word in this email. Ah well, fob them off with this...
    • Bleeble.
    • Quittin' time!


  • @Adanine said:

    - I wouldn't expect half the people on the helpdesk I work on to know what a botnet is. It's not something they need to know about. They do end user support; they're not sys-admins.
     

    Granted, I wouldn't expect them to know either. However, I would expect there to be some guidance upon what to do when receiving messages of this kind - or at the very least I don't expect abuse@the-hosting-company-in-question to be delivered to frontline helldesk that aren't equipped nor skilled enough to know how to address such incoming requests. I just made the assumption (from the sender name) that it was a first-line response (yet it was marked "Department:Abuse").

    @Adanine said:

    In the end, the only information you can trust on is on the body. It's not abnormal to write off subject lines after a while, even though it's still bad practice. 

    I've been cautious of putting specific words in the subject lines for fear of triggering false positives, so rely upon the body to have the relevant info. I once had a team leader who was bloody terrible at writing appropriate and relevant subject lines (he once reported a major incident to me with the subject of "Could you just..." - the remainder of the message finished the sentence of "... assist $people with $majorFailure" but I prioritised his mail based only upon talky subject content so it was low in my "read" list)

    @Adanine said:

    I can't imagine what you expected them to do with only a brief sentence and a telnet log (Which no one on a helpdesk would know about either, nor do they need to.

    "them" being the company -> investigate the issue and address it accordingly.

    "them" being the helldesk droid (if that's what it was) -> find someone who DOES understand this stuff and escalate it to the right people.

    @Adanine said:

    All you needed to do was ask that this ticket be escalated to a System Admin

    No - that's not for me to decide. Escalation procedures should begin within the organisation, not with a request from the customer. I don't know their organisational structure so have no idea who within should be responsible for handling this issue.

    @Adanine said:

    and state an active third party is using their servers illegally.

    I've no idea if it WAS a third party. I suspect it was - but again, it's not for me to decide, nor is it up to me to investigate to determine that fact. But I will still concede that I could have put more information on the ticket; I just made the assumption that those details should have been enough for someone to investigate.




  • Regarding botnets, I really hope this paper is bullshit : paper
    the quick reply is even worse than the default editor, colour me surprised



  • @swayde said:

    Regarding botnets, i really hope this paper is bullshit :
     

    It's not well-written...

    @paper said:

    After completing the scan of roughly one hundred thousand IP addresses, we realized the number of insecure devices must be at least one hundred thousand

    What... ALL of them?

    Either way... quite a lot of that paper rings true, or at least has a smell of plausibility about it - there are a few points that I certainly know to be true in the course of my own investigations.

     


  • ♿ (Parody)

    @Cassidy said:

    @paper said:
    After completing the scan of roughly one hundred thousand IP addresses, we realized the number of insecure devices must be at least one hundred thousand

    What... ALL of them?

    I read that to mean that based on their sample of 100K, there must be at least that many in the entire Internet based on extrapolating their sample results.



  • @Cassidy said:

    @paper said:

    After completing the scan of roughly one hundred thousand IP addresses, we realized the number of insecure devices must be at least one hundred thousand

    What... ALL of them?

    What kind of IP addresses are they looking at? It's quite possible that dozens of devices are behind each one. There's this thing called "NAT".



  • @Adanine said:

    I work on a Helpdesk, so here are my thoughts...

    - I wouldn't expect half the people on the helpdesk I work on to know what a botnet is. It's not something they need to know about.

    -  I doubt at least half won't know about ports. Why would they need to know a port number?

     I can't imagine what you expected them to do with a telnet log (Which no one on a helpdesk would know about either, nor do they need to. ).

    Please post the name of your company so I know to never do business with them.

     



  • @blakeyrat said:

    It's quite possible that dozens of devices are behind each one.

    "quite possible" is more a "maybe". Contrasts with "at least" which means "definitely is at minimum".

    @boomzilla said:

    based on extrapolating their sample results

    Okay, that makes more sense: scaling up the percentage of the results.



  • @Cassidy said:

    No - that's not for me to decide. Escalation procedures should begin within the organisation, not with a request from the customer. I don't know their organisational structure so have no idea who within should be responsible for handling this issue.
    There's politics behind this one: [End-user] Helpdesk is tasked to do as many small jobs as possible, but escalate the larger, more complicated jobs. This line is blurry as hell, and the Service Desk cop flak for escalating jobs that should not be escalated all the time. Keep in mind that the next step up from Service Desk is a Sys-admin, and constantly annoying your main chance of escape from the service desk is not a good idea.

    I agree 100% that the organisation itself should handle all escalations, and that there is a WTF in the Service Desk sending DoS information when it clearly did not know the ticket. I only wanted to voice my view on some of the assumptions you made.

    Did you get an email after with notice that they closed the ticket?

    @El_Heffe said:
    Please post the name of your company so I know to never do business with them.
    I'm sorry, do you expect your local McDonalds employees to know how to build a house? Do you expect your local waiters to know how to operate a power plant? Does your local Veterinarian even know how to pilot commercial aircraft? Perhaps all the members on your favourite cricket team need to know Prolog?

    Why would any company hire someone that could cost a lot more because they know skills they'll never use in the job? It's not [End-user based] service desk's job to know anything about what you've quoted. It hasn't been for some time now. If something comes in with a telnet log attached to it, we escalate to the sys-admins.



  • @swayde said:

    Regarding botnets, i really hope this paper is bullshit : paper
    the quick reply is even worse than the default editor, colour me surprised
    The pictures are pretty, but I'm more concerned about the download section. (assuming this is genuine) So he just released, to the general public, a list of all open ports for basically every machine on the internet, ever? Including aforementioned VPN gateways, industry device controllers, door locks, half a million printers and several million web cams? What could possibly go wrong?



  • @Adanine said:


     @El_Heffe said:

    Please post the name of your company so I know to never do business with them.
    I'm sorry, do you expect your local McDonalds employees to know how to build a house? Do you expect your local waiters to know how to operate a power plant? Does your local Veterinarian even know how to pilot commercial aircraft? Perhaps all the members on your favourite cricket team need to know Prolog?

    Why would any company hire someone that could cost a lot more because they know skills they'll never use in the job? It's not [End-user based] service desk's job to know anything about what you've quoted. It hasn't been for some time now. If something comes in with a telnet log attached to it, we escalate to the sys-admins.

    To be able to escalate the correct tickets to the sys-admins requires recognizing a telnet log (or anything else that needs escalating). I seriously doubt your helpdesk people can do that if what you say about them in the post El_Heffe quoted is true.



  • @Adanine said:

    This line is blurry as hell
     

    But it SHOULDN'T BE. There should be clear guidance about addressing matched incidents and escalation procedures.

    @Adanine said:

    I agree 100% that the organisation itself should handle all escalations, and that there is a WTF in the Service Desk sending DoS information when it clearly did not know the ticket. I only wanted to voice my view on some of the assumptions you made.

    Oh. I should read.

    @Adanine said:

    Did you get an email after with notice that they closed the ticket?

    Nope. Nothing yet.

    And I've just checked... and the C&C is still alive and thriving on that port.

    @Adanine said:

    If something comes in with a telnet log attached to it, we escalate to the sys-admins.

    Or - in other words - you actually have procedures in place that determine the most appropriate routing based upon content. Something that WeHostBotnets either:

    • don't appear to have (was routed to the wrong person)
    • have incompetent sysadmins (routed to the right person that gave an incorrect reply)

     

     

     


  • Considered Harmful

    @PSWorx said:

    @swayde said:
    Regarding botnets, i really hope this paper is bullshit : paper
    the quick reply is even worse than the default editor, colour me surprised
    The pictures are pretty, but I'm more concerned about the download section. (assuming this is genuine) So he just released, to the general public, a list of all open ports for basically every machine on the internet, ever? Including aforementioned VPN gateways, industry device controllers, door locks, half a million printers and several million web cams? What could possibly go wrong?

    Well, considering they just published a how-to guide on how to start your own distributed botnet, I don't think disclosing the affected machines is much worse. I mean, they just told you how to find them for yourself.



  • @Quincy5 said:

    To be able to escalate the correct tickets to the sys-admins requires recognizing a telnet log (or anything else that needs escalating). I seriously doubt your helpdesk people can do that if what you say about them in the post El_Heffe quoted is true.
    This is true, but as I said earlier, a Telnet log is not a normal example of this. I just checked, all 6 of those tickets I mentioned earlier (That contain "telnet") are either IT Sys Admins logging an issue themselves, or users who are CC'ing the Helpdesk email while sending email to a Sysadmin. In both cases we had other procedures to direct that ticket.

    Reports are done to the scope of what issues come in. While we have an official procedure on what to do with a ticket as it comes in (A huge flowchart), the basic procedure that gets done is "If a ticket that you don't understand comes in, ask one of the very technical in SD members (Ie, me) where it goes".

    Even then there's not many, and most of those are the IT savvy employees using too many Acronyms to make it obvious whether it's a server issue or an application issue.

    @Cassidy said:
    But it SHOULDN'T BE. There should be clear guidance about addressing matched incidents and escalation procedures.
    I agree. Where I work probably falls short there too. To review each individual ticket to escalate and prioritise takes time, and the management thinks that only a quick pass is necessary and that any missed alarms or false alarms are worth the extra time on actually solving the tickets. It's not Management's fault either, Service Desk has always been measured as "X Tickets done".

    I wish the system was different, but in the end we're encouraged to close tickets more than we are to solve issues.



  • @Adanine said:

    To review each individual ticket to escalate and prioritise takes time
     

    .. but that's a practice you already do, surely:

    @Adanine said:

    While we have an official procedure on what to do with a ticket as it comes in (A huge flowchart), the basic procedure that gets done is "If a ticket that you don't understand comes in, ask one of the very technical in SD members (Ie, me) where it goes".

    @Adanine said:

    and the management thinks that only a quick pass is necessary and that any missed alarms or false alarms are worth the extra time on actually solving the tickets. It's not Management's fault either, Service Desk has always been measured as "X Tickets done".

    Yes, it is management's fault, since management decided those metrics (does "done" mean "answered" or "closed"...?) but for all I know having more issues sorted at the expense of a few reworking provides much greater value than lingering over each and every one, so that's why it is the way it is and a decision was taken on that.

    @Adanine said:

    I wish the system was different, but in the end we're encouraged to close tickets more than we are to solve issues.

    That's the purpose of the Service Desk. It's up to someone else to perform problem management to diagnose and fix the issue from arising in future, rather than implementing a quick-fix leading to "ticket closed".



  • Just had a response (different sender)

    @weHostBotnets said:

    Subject: [~BOT-123456]: Botnet on 123.456.78.90 (no rDNS)

    Hello,

    Thanks for the update
    --
    Follow us on Twitter : @botnetcentral

    If you have any concerns or comments please feel free to ask for your ticket to be esculated to management.

    Ticket Details
    ===================
    Ticket ID: BOT-123456
    Department: Abuse
    Priority: Low
    Status: Closed

    .. and I've just tested their server:

    @testing said:

    $ telnet 123.456.78.90  54321
    Trying 123.456.78.90...
    Connected to 123.456.78.90 (123.456.78.90).
    Escape character is '^]'.
    NOTICE AUTH :*** Looking up your hostname
    NOTICE AUTH :*** Checking Ident
    NOTICE AUTH :*** Found your hostname

    I've asked for it to be "esculated".


  • Discourse touched me in a no-no place

    @Cassidy said:

    telnet 123.456.78.90
    Do you work for CSI by any chance?



  • Perhaps you should tell them using easier words. Maybe they don't understand the "short way" of saying it.



  • @PJH said:

    @Cassidy said:
    telnet 123.456.78.90
    Do you work for CSI by any chance?
     

    It's IPv6, so each octet is in the range 0-65536. Y U NO NOTHN?

    @Ben L. said:

    Perhaps you should tell them using easier words. Maybe they don't understand the "short way" of saying it.

    Yeah, I'm fast getting that impression.

    However, I've also googled for articles about the hosting co in question and they don't have a great reputation, so I'm reluctantly accepting that they won't really take any action against someone abusing one of their servers in this way.


  • Considered Harmful

    @Cassidy said:

    I'm reluctantly accepting that they won't really take any action against someone abusing one of their servers in this way.

    I guess your alias for them was more accurate than you ever feared.


  • Discourse touched me in a no-no place

    @Cassidy said:

    @PJH said:

    @Cassidy said:
    telnet 123.456.78.90
    Do you work for CSI by any chance?
     

    It's IPv6, so each octet is in the range 0-65536. Y U NO NOTHN?

    As any fuel nose, IPv6 uses colons, not periods as a separator.



  • @PJH said:

    As any fuel nose, IPv6 uses colons, not periods as a separator.
     

    But.. but.. they ARE colons!



  • @Cassidy said:

    But.. but.. they ARE colons!
     

     

    hu?



  • @dhromed said:

    hu?
     

    .. is the sound normally heard when dhroming finds the purple dildo has been returned to its home: his colon.

    - - -

    On a more related note... I've also found similar activity taking place at another hosting company, which I'd reported earlier and - looking back at my logfiles - I can see this has been going on for almost 3 weeks. Checking my emails I can see I've emailed the WHOIS contacts of both them and their parent company, given that the whois info is a bit confused (one line says "AbuseEmail: netops@youngkiddy" but further down comments state "all suspicious activity should be reported to abuse@bigdaddy") ... and I've received no response from either.

    The DNS is unresolvable, but rDNS for serverIP+1 and serverIP-1 both resolve to hosts at a third domain, so I checked their info. Sure enough, they have a abuse@oldersister address, so I forward the email - containing my logfile - off to that address with a note that I suspect the server to be compromised.

    Five mins later I receive a reply from sales@oldersister, informing me that I need to contact abuse@oldersister and also supply evidence of the activity, such as logfile entries.

    They'd top-replied to the email I'd just sent them.



  • @Cassidy said:

    @dhromed said:

    hu?
     

    ..

     

    THEY'RE NOT COLONS

     



  • @dhromed said:

    @Cassidy said:

    ..

     

    THEY'RE NOT COLONS

     

    It's just sleeping.

    Now stop shouting else you'll wake it up.

    Footnote: just had a response from sales@oldersister, informing me they don't have access to abuse@oldersister and that I should contact them directly.

    Somewhere, some mail admin's gonna get a right kicking.

     



  • @Cassidy said:

    It's just sleeping.

    Now stop shouting else you'll wake it up.

     

    POTATO

     



  • @dhromed said:

    POTATO
     




  • @Cassidy said:

    (one line says "AbuseEmail: netops@youngkiddy" but further down comments state "all suspicious activity should be reported to abuse@bigdaddy")
     @Cassidy said:
    abuse@oldersister
    YoungKiddy, BigDaddy, OlderSister.   WTF kind of business is this?



  • @El_Heffe said:

    WTF kind of business is this?
     

    Commonly known as "mom and pop shop", but the yung'unz are all growed oop and are now taking an active interest in the family biznezz.

