Storm Worm Strikes Back at Security Pros
alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."
Re:Contact the users (Score:3, Informative)
http://it.slashdot.org/article.pl?sid=07/10/05/1234217 [slashdot.org]
Re:oh yeah, so scared (Score:1, Informative)
Re:Wait a minute... (Score:4, Informative)
Re:Sounds ripe for abuse (Score:4, Informative)
Unless the devs think long and hard about how to attack it and work in ways to avoid it, I doubt they put that feature in.
Re:Wait a minute (Score:2, Informative)
Re:Contact the users (Score:5, Informative)
I see a lot of these all the time, they seem to be cycling through a list of names. At the moment they are trying account names like 'root', 'linux', 'admin', 'test', 'testftp', 'webmaster' etc. and user names like 'melissa', 'danny', 'nicholson' etc.
I don't think this means that they added an SSH back door, just that they have enough compute resources to try hundreds of combinations of likely names and passwords in the hope they get lucky.
Re:Wait a minute... (Score:4, Informative)
Re:Wait a minute... (Score:3, Informative)
Re:Contact the users (Score:4, Informative)
just in case they might eventually get lucky...
Re:Kung Fu Style? (Score:3, Informative)
Re:Contact the users (Score:1, Informative)
http://it.slashdot.org/article.pl?sid=07/10/05/1234217 [slashdot.org]
The cracked Linux boxes are controlling the Windows machines.
It's worse than we thought...far worse.
Re:Contact the users (Score:3, Informative)
Re:Contact the users (Score:3, Informative)
Re:Contact the users (Score:5, Informative)
Yep, mea culpa :-(
Not keeping up with my sys-admin duties.
I've seen this kind of thing in the logs for quite a while, but not at this level (thousands of attempts in a day). I hadn't noticed the increasing rate. A case of familiarity breeds contempt: "yep, seen those before ... not much I can do about them", without really checking how often they happen.
I remember when I first saw them appearing I contacted my ISP, and their reaction was much the same: "yep, that's what happens when you connect a box to the net". I offered to pass on the IP addresses but they weren't interested. I got the impression they see this kind of thing all the time.
What do people suggest I do with the IP addresses of hosts doing the scanning? Is it worth checking the whois information and contacting the sysadmin or abuse email address if there is one?
Re:Contact the users (Score:2, Informative)
Oct 24 19:21:40 UtopiaPlanetia sshd[10319]: Failed password for invalid user staff from 74.86.168.131 port 51218 ssh2
Oct 24 19:21:43 UtopiaPlanetia sshd[10321]: Failed password for invalid user sales from 74.86.168.131 port 51494 ssh2
Oct 24 19:21:46 UtopiaPlanetia sshd[10323]: Failed password for invalid user recruit from 74.86.168.131 port 51739 ssh2
Oct 24 19:21:49 UtopiaPlanetia sshd[10325]: Failed password for invalid user alias from 74.86.168.131 port 51998 ssh2
Oct 24 19:21:52 UtopiaPlanetia sshd[10328]: Failed password for invalid user office from 74.86.168.131 port 52226 ssh2
Oct 24 19:21:53 UtopiaPlanetia denyhosts: Added the following hosts to
Oct 24 19:21:55 UtopiaPlanetia sshd[10333]: refused connect from
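As an added example (not code from this thread or from denyhosts), here is the check the log above implies, in Python: parse sshd "Failed password" lines, flag any source address that fails at least five times inside a sliding 60-second window, collect the usernames it cycled through, and produce a one-line summary of the kind one would paste into an abuse report. The sample log lines are constructed for the example in the same format as the post; the hostname, the IP addresses (documentation ranges), and the threshold and window are assumptions, and since syslog timestamps carry no year, one is assumed as well.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd line format shown in the post, for both "invalid user X"
# and valid-account ("root") failures. The year is not in syslog timestamps,
# so parse_failed() takes an assumed one (a December/January log spanning
# a year boundary would need the caller to pass the right year per line).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log (hostname and IPs are assumptions, not from the post).
SAMPLE_LOG = """\
Oct 24 19:21:40 host sshd[10319]: Failed password for invalid user staff from 198.51.100.7 port 51218 ssh2
Oct 24 19:21:43 host sshd[10321]: Failed password for invalid user sales from 198.51.100.7 port 51494 ssh2
Oct 24 19:21:46 host sshd[10323]: Failed password for invalid user recruit from 198.51.100.7 port 51739 ssh2
Oct 24 19:21:49 host sshd[10325]: Failed password for invalid user alias from 198.51.100.7 port 51998 ssh2
Oct 24 19:21:52 host sshd[10328]: Failed password for root from 198.51.100.7 port 52226 ssh2
Oct 24 19:21:55 host sshd[10330]: Failed password for invalid user office from 198.51.100.7 port 52440 ssh2
Oct 24 19:30:01 host sshd[10401]: Failed password for invalid user test from 203.0.113.9 port 40001 ssh2
Oct 24 19:45:12 host sshd[10455]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Oct 24 19:46:00 host sshd[10460]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""


def parse_failed(line, year=2007):
    """Return (timestamp, source_ip, username) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, sorted usernames tried)} for every source
    that produced at least `threshold` failures within any `window_seconds`
    wide sliding window. Two scattered failures a day do not qualify; a burst
    like the one in the post does."""
    events = defaultdict(list)  # ip -> [(ts, user), ...]
    for line in lines:
        parsed = parse_failed(line)
        if parsed:
            ts, ip, user = parsed
            events[ip].append((ts, user))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(evs), sorted({u for _, u in evs}))
                break
    return flagged


def abuse_summary(ip, total, users):
    """One line suitable for an abuse-contact e-mail (whois lookup is left to the caller)."""
    return (f"{ip}: {total} failed SSH logins against {len(users)} distinct "
            f"usernames ({', '.join(users)})")


if __name__ == "__main__":
    for ip, (total, users) in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(abuse_summary(ip, total, users))
```

The window-based rule matters more than the raw count: a host that fails twice an hour apart is probably a typo, while six failures in fifteen seconds against six different account names is a dictionary run, which is what denyhosts-style blocking keys on.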