trojan bots flood what should i do?

Posted: Mon May 30, 2005 5:37 pm
by sageek
Lately, my server is getting attacked by some moron (clones, floods).
At first I thought it was proxies and installed bopm. After getting another attack, with bopm standing still and killing like 3 of 300, I figured something is not right.

I ran nmap on a few of the hosts and found radmin (4899) and realvnc (5900); those ports prolly allow the hacker to take remote control.

So I figured it's prolly xdcc or ddos bots.

Is there anything to do against them?
I thought I might make a script asking for version at connect, and if no response then shun the user, though it can catch poor users who ignore tcp, or lagged users.
Clues?
Is there any way to add those ports to bopm? I tried to add them to all the protocols there, no clue if it will help.

Until next time,
yours, sagi :)

Re: trojan bots flood what should i do?

Posted: Mon May 30, 2005 6:21 pm
by Matridom
sageek wrote: Lately, my server is getting attacked by some moron (clones, floods).
At first I thought it was proxies and installed bopm. After getting another attack, with bopm standing still and killing like 3 of 300, I figured something is not right.

I ran nmap on a few of the hosts and found radmin (4899) and realvnc (5900); those ports prolly allow the hacker to take remote control.

So I figured it's prolly xdcc or ddos bots.

Is there anything to do against them?
I thought I might make a script asking for version at connect, and if no response then shun the user, though it can catch poor users who ignore tcp, or lagged users.
Clues?
Is there any way to add those ports to bopm? I tried to add them to all the protocols there, no clue if it will help.

Until next time,
yours, sagi :)

Spamfilters work really well to clean out these types of attacks.

If you post some examples of the names that these bots are using to connect, I'm sure someone will be able to post an accurate regex to stop the connections.
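Matridom's nickname-regex suggestion, combined with the clone counting sageek describes in the first post, as an added Python sketch (not code from the thread or from any ircd): it parses constructed connect notices, flags nicks that match a hypothetical bot pattern, and flags hosts that open more than a set number of connections. The log line format, the sample lines and the bot regex are all assumptions; in a real deployment the nick regex would go into the ircd's spamfilter configuration.

```python
import re
from collections import defaultdict

# Constructed sample connect notices (not from the thread); the line format
# is an assumption, so adapt CONNECT_RE to what your ircd actually logs.
SAMPLE_CONNECTS = [
    "Client connecting: john (john@203.0.113.5)",
    "Client connecting: kqz4521 (kqz@198.51.100.7)",
    "Client connecting: mary (mary@203.0.113.9)",
    "Client connecting: xdccBot (x@198.51.100.7)",
    "Client connecting: pfw8830 (pfw@198.51.100.7)",
    "Client connecting: bob (bob@203.0.113.5)",
    "Client connecting: tina (tina@198.51.100.7)",
]

CONNECT_RE = re.compile(
    r"^Client connecting: (?P<nick>\S+) \((?P<ident>[^@]+)@(?P<host>[^)]+)\)$"
)

# Hypothetical bot-nick pattern: a short letter run followed by three or more
# digits, or anything starting with "xdcc". Tune it to the nicks you actually see.
BOT_NICK_RE = re.compile(r"^(?:[a-z]{2,5}\d{3,}|xdcc\S*)$", re.IGNORECASE)


def parse_connect(line):
    """Return (nick, ident, host) for a connect notice, or None if it does not match."""
    m = CONNECT_RE.match(line)
    return (m.group("nick"), m.group("ident"), m.group("host")) if m else None


def flag_connections(lines, clone_limit=2):
    """Map nick -> reason for connections that match the bot-nick pattern or
    exceed clone_limit connections from one host. Users behind a shared NAT
    or bouncer can trip the clone check, so keep the limit generous."""
    per_host = defaultdict(int)
    flagged = {}
    for line in lines:
        parsed = parse_connect(line)
        if parsed is None:
            continue
        nick, _ident, host = parsed
        per_host[host] += 1
        if BOT_NICK_RE.match(nick):
            flagged[nick] = "nick matches bot pattern"
        elif per_host[host] > clone_limit:
            flagged[nick] = f"clone: {per_host[host]} connections from {host}"
    return flagged
```

Running `flag_connections(SAMPLE_CONNECTS)` flags the three pattern nicks and then `tina` as the fourth connection from the same host, while `john`, `mary` and `bob` pass.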