427 Botnet fm qxd

Download 6,98 Mb.

Pdf ko'rish

bet	162/387
Sana	03.12.2022
Hajmi	6,98 Mb.
	#878307

1 ... 158 159 160 161 162 163 164 165 ... 387

Bog'liq
Botnets - The killer web applications

Inbound . Now look for entries with the action type Open-Inbound

www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
193
427_Botnet_05.qxd 1/9/07 9:59 AM Page 193

2006-11-13 18:44:37 OPEN TCP 131.252.116.92 131.252.123.214 2418 135 - - - -
- - - - -
2006-11-13 18:44:37 OPEN TCP 131.252.116.92 131.252.123.214 2419 1025 - - -
- - - - - -
2006-11-13 18:50:49 OPEN-INBOUND TCP 61.177.180.6 131.252.116.92 3027 3389 -
- - - - - - - -
2006-11-13 18:50:52 CLOSE TCP 131.252.116.92 61.177.180.6 3389 3027 - - - -
- - - - -
2006-11-13 18:51:15 DROP UDP 131.252.116.176 255.255.255.255 68 67 328 - - -
- - - - RECEIVE
2006-11-13 18:51:18 DROP UDP 131.252.116.176 255.255.255.255 68 67 328 - - -
- - - - RECEIVE
If you open the firewall log in Notepad, it will look like Table 5.2. If you
delete from the beginning of the file to the colon after the word
Fields
, the
remaining text can be opened or copied into an Excel spreadsheet. Use the
Data
menu to select the
Text to Columns
option. In the
Text to
Columns
dialog box, select the
Delimited
option and chose
Spaces
as the
delimiter, then choose
Finish
. With the data in this format you can begin the
analysis.
We usually copy the worksheet to another tab, then select the entire
worksheet and sort by action, src-ip (source IP address), and dst-port (destina-
tion port). Change the name on this tab to
Inbound
. Now look for entries
with the action type
Open-Inbound
. For most workstations, this should
occur rarely, as we have mentioned.These entries will usually represent
botnet-related traffic. It could be the botherder remote controlling the bot
client. If the payload for the botnet involves file transfers, such as the distribu-
tion of stolen movies, music, or software, the inbound connections could rep-
resent customer access to the bot client. In the sample firewall log data in
Table 5.3, the inbound connection using port 4044 to an external site was an
FTP connection to the stolen movies, software, and games. Legitimate
inbound connections might include domain administrators connecting to the
workstation for remote administration.You should be able to recognize legiti-
mate ports and source IP addresses.The ones that are not clearly legitimate
are candidates for the ports that are used by the botnet. Sometimes you can
try connecting to these ports to see what information they reveal. Examining
other network logs for candidate IP addresses that appear on multiple victims
can identify additional infected victims.

Download 6,98 Mb.

Do'stlaringiz bilan baham:

1 ... 158 159 160 161 162 163 164 165 ... 387