Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Infected list

  • From: Florian Weimer
  • Date: Mon Dec 26 14:49:07 2005

* Barrett G. Lyon:

> Here is a list of the compromised machines used in this new botnet we  
> found in California.  These are all web servers connected to good  
> bandwidth and they are attacking us, so as a nice little holiday gift  
> to me, please clean your network up if these are on your network.  :)

It's usually better not to run DNS resolution on the IP addresses you
have because DNS is so volatile[1].  Mapping host names to IP address
is rather expensive, too, and the casual bot-hunter may not have the
necessary tools.  (And I doubt that many bot hunters work at
web-hosting companies...)

Timestamps are usually required to pin-point an attack, but if the
compromised hosts are mostly largish web servers, they should have
static IP addresses and some kind of accounting where you can see that
something went terribly wrong.

[1] I assume you have verified those host names using a forward
    lookup.  Relying on PTR records alone is not a good idea.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.