Omigod, I’m Part of a Botnet?!?!?!

Posted August 2nd, 2007 by

Yesterday I got a hasty call from Jon D about my server. He had checked out my blog from work and within an hour got a call from a Symantec SOC that he was looking at a web page that was part of a botnet.

So he called me.

Back 4 years ago I had set up an IRC network for a friend, including my server as one of the nodes. Over time the network died, as they do, and when I moved the server a couple of times over the course of several years, the ircd didn’t come back up.  The ircd.conf didn’t match up with the network interfaces on the box, so ircd would croak every time it tried to start up.

Well, I guess the last server move did something that the ircd did like because it came back up and stayed up.  Bah, that’s resiliency in action for you, kids.

When I got the call from Jon I knew exactly what it was.  It took about 2 minutes to ssh in,verify that there were 8 dirtballs squatting on my server, kill the ircd, and kill the line in crontab that restarts the server if/when it dies.  Problem solved, now back to playing zombie hack-n-slash games.

In an OS sense, there wasn’t a compromise or anything, just the greasies using the application like it was intended to be used, only with a different intent.



Similar Posts:

Posted in Hack the Planet, Technical, The Guerilla CISO | 2 Comments »

2 Responses

  1.  shrdlu Says:

    I’m actually very impressed that the Symantec SOC picked it up and reacted!

  2.  rybolov Says:

    Hey, I was trying to avoid vendor-bashing, remember? =)

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.


Visitor Geolocationing Widget: