"That which is overdesigned, too highly specific, anticipates outcome; the anticipation of outcome guarantees, if not failure, the absence of grace."
-- William Gibson, All Tomorrow's Parties
"It's a trick. Get an axe."

Spent the day playing whack-a-mole with a worm. It was mildly entertaining for the first hour... then it really started wearing thin. And it's not over yet. The initial box looked to be an owned Linux machine, probably popped via an unpatched cPanel install. A second infecting machine is still running, however, and tomorrow will be lots of fun dismantling the botnet the skiddies put together today.

Yay for infosec.

There was one seriously braindead moment for me late into the afternoon where I was staring at tcpdump output, trying to figure out why one of the comp'd hosts was SYN-flooding the C&C. It wasn't until I talked to Harry that it became obvious that the C&C had been taken down and the worm was astoundingly poorly written. It would spam a SYN, get an RST, then loop, immediately. Awful.

It did bring up an interesting point, though... all the source ports were in the 2100-2200 range. Made me wonder if that was something the author had specified or if that was just how Windows manages source port allocation. I don't know anything about it, really.
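A defender-side check for the tight SYN/RST loop described above, as an added example that is not from the original post: it parses tcpdump-style lines (a constructed sample, not the real capture) and reports sources that re-SYN a dead service within milliseconds of each RST, together with the source-port range they cycle through.

```python
import re
from collections import defaultdict
from statistics import median

# tcpdump default IPv4 line: "HH:MM:SS.ffffff IP a.b.c.d.sport > w.x.y.z.dport: Flags [S], ..."
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+?)\.(\d+) > (\S+?)\.(\d+): Flags \[([^\]]+)\]")


def constructed_sample():
    """Constructed capture (not real traffic): one host looping SYN -> RST against
    a dead C&C port, source ports climbing by one each try, plus one normal handshake."""
    lines = []
    for i in range(8):
        t_syn, t_rst, sport = i * 0.0004, i * 0.0004 + 0.0001, 2100 + i
        lines.append(f"12:00:{t_syn:09.6f} IP 10.0.0.5.{sport} > 192.0.2.10.6667: "
                     "Flags [S], seq 1, win 65535, length 0")
        lines.append(f"12:00:{t_rst:09.6f} IP 192.0.2.10.6667 > 10.0.0.5.{sport}: "
                     "Flags [R.], seq 0, ack 2, win 0, length 0")
    lines.append("12:00:05.000000 IP 10.0.0.7.40000 > 192.0.2.10.80: Flags [S], seq 9, win 65535, length 0")
    lines.append("12:00:05.000500 IP 192.0.2.10.80 > 10.0.0.7.40000: Flags [S.], seq 3, ack 10, win 65535, length 0")
    return "\n".join(lines)


def parse(text):
    """Yield (ts_seconds, src, sport, dst, dport, flags) for each parseable line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, src, sport, dst, dport, flags = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), src, int(sport), dst, int(dport), flags


def find_syn_rst_loops(text, min_syns=5, max_gap=0.01):
    """Return {(src, dst, dport): summary} for sources hammering a service that
    answers every SYN with an RST and retrying faster than max_gap seconds."""
    syns = defaultdict(list)   # (src, dst, dport) -> [(ts, sport), ...]
    rsts = defaultdict(int)    # (src, dst, dport) -> RST replies seen
    for ts, src, sport, dst, dport, flags in parse(text):
        if flags == "S":
            syns[(src, dst, dport)].append((ts, sport))
        elif "R" in flags:
            rsts[(dst, src, sport)] += 1   # reply flows dst->src; key it by the SYN sender
    hits = {}
    for key, attempts in syns.items():
        if len(attempts) < max(min_syns, 2):
            continue
        times = [t for t, _ in attempts]
        gaps = [b - a for a, b in zip(times, times[1:])]
        if median(gaps) > max_gap or rsts[key] < len(attempts) // 2:
            continue   # slow retries or mostly unanswered: not the dead-C&C loop
        ports = [p for _, p in attempts]
        hits[key] = {"syns": len(attempts), "rsts": rsts[key],
                     "median_gap": median(gaps), "sport_range": (min(ports), max(ports))}
    return hits
```

The source-port range in the report is what lets you tell a worm that picks its own ports from one that simply inherits the OS allocator's sequence.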

Tomorrow will likely be more of the same, though rather than doing it all manually I will definitely be automating a good portion of the process.

It could only have been more tedious if I had to run every freakin' SNMP query to kill the ports by hand...

April 26, 2005 8:59 PM