Announcements

Security Bulletin: Re Botnets

Please help us in a collaborative effort to reduce security threats on your Quillhost servers and our network. Check for any security holes, vulnerabilities, or infections.  We've provided the following links that may be helpful:

Introduction to Botnets:
http://www.shadowserver.org/wiki/pmwiki.php/Information/Botnets

Botnet Detection:
http://www.shadowserver.org/wiki/pmwiki.php/Information/BotnetDetection#host

For Windows Operating Systems:
http://support.microsoft.com/contactus/cu_sc_virsec_b107


Unix system owners:
A favorite place for hiding bots is /tmp/, /var/tmp/, /dev/shm/, or a user's /home/ directory. Sometimes the directory is hidden under a name like /tmp/".  ."/ or similar.

The bot files can usually be found by running these one-line commands as the root user.

find / -exec grep -l "undernet" {} +
find / -exec grep -l "sybnc" {} +
find / -name "*.set" | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
find / -name "inst" | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq

netstat -tanp
lsof -i tcp:portnumber

* In the netstat output, look for connections to remote port 6667 or to any port in the range 6660-7000. Once you find the port, use the command lsof -i tcp:portnumber to determine which process and user it is running under, and terminate it.
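
The netstat and hidden-directory checks above, as an added shell example that is not part of the original bulletin. The function names irc_conns and odd_dirs and the sample netstat output are constructed for illustration; treating a directory name made only of dots and spaces as suspicious is an assumption based on the /tmp/".  ."/ example.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not from the bulletin.

# irc_conns: read `netstat -tanp` output on stdin and print every TCP
# connection whose REMOTE port is in 6660-7000, as
# "<remote addr:port> <state> <pid/program>".
irc_conns() {
    awk '
        $1 ~ /^tcp/ {
            n = split($5, part, ":")        # last ":" field is the port (IPv4 and IPv6)
            port = part[n]
            if (port ~ /^[0-9]+$/ && port + 0 >= 6660 && port + 0 <= 7000) {
                owner = $7                   # "-" when netstat was not run as root
                for (i = 8; i <= NF; i++) owner = owner " " $i
                print $5, $6, owner
            }
        }'
}

# odd_dirs: list directories under the given roots whose names consist only
# of dots and spaces, e.g. /tmp/".  ."
odd_dirs() {
    find "$@" -xdev -mindepth 1 -type d ! -name '*[!. ]*' -print 2>/dev/null
}

# Constructed sample of `netstat -tanp` output (documentation addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 203.0.113.10:48822      198.51.100.7:6667       ESTABLISHED 4321/perl
tcp        0      0 203.0.113.10:22         192.0.2.44:51515        ESTABLISHED 900/sshd: admin
tcp        0      0 203.0.113.10:6667       192.0.2.9:40000         ESTABLISHED 77/ircd
tcp6       0      0 :::80                   :::*                    LISTEN      700/httpd
EOF
}

# Live use (as root): netstat -tanp | irc_conns ; odd_dirs /tmp /var/tmp /dev/shm
sample_netstat | irc_conns
```

Only the remote port is checked, so the sample row with local port 6667 is not reported. A hit is a lead to follow up with lsof, not proof of infection.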

Please re-familiarize yourself with Quillhost's Terms of Service and Acceptable Use Policy.

We encourage everyone to take the time to make sure their machines are secured.  This applies to both Windows and Linux servers.  By securing each server individually, you are protecting yourself, and others around you.

Date Published : Saturday, July 2, 2011


