Ask Slashdot: Are Qwest's Modems Compromised?

Ironlenny writes: A friend and I spent the day working on a family's network with a Qwest Business connection. This family had been notified a week prior by Qwest that they were part of a botnet and as such were no longer allowed access to the network. After talking with customer service, the connection was reinstated, but they continued to receive email notifications. There was also an attempt by a third party to gain account information over the phone during this period (he was calling from an unidentified number). My friend ran several malware removal tools (Spybot Search & Destroy, Ad-Aware, AVG from a rescue disk, and others I don't remember); all scans were clean. He also ran Trend Micro's RUBotted on all the machines from the day they had their connection suspended up to today, and nothing was found. There is no unusual internal network activity. As far as we can tell, none of the machines are infected with anything.

Qwest was still saying that the family is running a botnet. When asked for, Qwest did provide a log of the suspicious activity. There are only three IP addresses in the logs. They all resolve to the same domain in the same German city. It appears that the domain is registered with T-Mobile. What is interesting is that when we were checking the modem settings, we found two IP addresses that were unaccounted for (the family was using the modem as a wireless router). I used nmap to probe the suspect addresses. One address was 192.168.0.101 (unusual because it was far larger than the other addresses on the network), and the other was 192.31.80.30. 192.31.80.30 was listening on port 53, which (in my limited research) appears to be associated with the ADM Worm. 192.168.0.101 had four ports open: 2869 (UPnP?), 3389 (MS Terminal Service), 4224 (xtell messaging service), and 8292. Port 8292 seemed to be querying several different protocols: SMB, LDAP, DNS, and X11. There was more in nmap's dump for the port, but those were the protocols I could identify offhand. Those two addresses were present and resolvable when only my Ubuntu netbook (which is clean and had never been connected to their network before) was physically connected to the modem and the WiFi radio was off.

While I was running the port scans, my friend was talking with Qwest Tech Support. During the course of the conversation, it was mentioned by Tech Support that they had received numerous complaints about connection issues related to botnets similar to our problem (this is from what I overheard and what my friend told me). I should also mention that we tried three different modems, all different models, and the same two addresses came up. On one of the modems, we actually had more than the two abnormal addresses, but I didn't run any scans on those. Our final solution was to use the modem in transparent bridge mode, with an IPCop box connecting directly to Qwest's servers.

I have three questions: Is it possible that Qwest's modems have been compromised and are being used to propagate botnets? Were we thorough enough in our investigation, or did we miss a step which could have led us in another direction? If the modem is compromised, will operating it in transparent bridge mode render the vulnerability moot?
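One triage step the submitter's "unaccounted-for addresses" check implies, written here as an added example that is not part of the submission: take the modem's LAN-side client table (here a constructed `arp -n`-style listing using the two addresses from the post plus two hypothetical known hosts), and classify each entry against the LAN subnet. An address that is not even RFC 1918 space, such as 192.31.80.30, should never show up as a LAN-side client, which is the finding worth escalating to the ISP or treating as a modem problem rather than a PC infection.

```python
import ipaddress

# Constructed sample of what a LAN-side client/ARP table might look like;
# 192.168.0.101 and 192.31.80.30 are the addresses named in the submission,
# the other two are hypothetical hosts the family can account for.
SAMPLE_ARP_TABLE = """\
Address        HWtype  HWaddress           Flags Mask  Iface
192.168.0.2    ether   00:11:22:33:44:55   C           eth0
192.168.0.3    ether   00:11:22:33:44:66   C           eth0
192.168.0.101  ether   00:11:22:33:44:77   C           eth0
192.31.80.30   ether   00:11:22:33:44:88   C           eth0
"""
LAN = ipaddress.ip_network("192.168.0.0/24")
KNOWN_HOSTS = {"192.168.0.2", "192.168.0.3"}  # hypothetical inventory


def parse_arp_table(text):
    """Return the IP addresses from an `arp -n`-style listing, skipping the header."""
    addrs = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if fields:
            addrs.append(fields[0])
    return addrs


def classify(addr, lan=LAN, known=KNOWN_HOSTS):
    """Triage label for one address observed on the LAN side of the modem."""
    ip = ipaddress.ip_address(addr)
    if ip not in lan:
        # RFC 1918 but wrong subnet: misconfigured or foreign device.
        if ip.is_private:
            return "foreign-private"
        # Globally routable address on the LAN side: anomalous, escalate.
        return "public-on-lan-side"
    if str(ip) in known:
        return "known"
    # In our subnet but not in the inventory: inspect the device.
    return "unaccounted"


def triage(text, lan=LAN, known=KNOWN_HOSTS):
    """Map every address in the table to its triage label."""
    return {a: classify(a, lan, known) for a in parse_arp_table(text)}


if __name__ == "__main__":
    for addr, label in triage(SAMPLE_ARP_TABLE).items():
        print(f"{addr:15} {label}")
```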
