
Snort Forums Archive


Help ID'ing Spambot


Posted by Buzz88 on May 03, 2008 16:08:33

I have a couple of boxes that connect out to 128.241.20.244, 64.254.235.132, and 64.254.235.136 on port 443 (https). They seem to pick up bot requests and will on occasion send out a burst of spam. The packets to/from these boxes seem to be encrypted.

I've done everything but reload the boxes that are doing it, and for now I've caged it by redirecting the routes to these IPs to the local net. I'd like to isolate and be able to detect this on the box before I flatten them for the future.

Any suggestions for what I have and/or what to do to further ID the critter?
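The pattern the poster describes (a check-in to one of the three listed addresses on 443, followed some minutes later by a burst of outbound SMTP) can be detected without decrypting anything, because both halves are visible in connection metadata. The following is an added example, not code from the post or from the Snort project: it runs that two-stage check over a handful of constructed flow records (timestamp, source, destination, destination port; not a real capture) and also emits the two Snort 2 rules that express the same idea for the sensor. The three addresses are the ones in the post; the 10-minute window, the burst size of 5 distinct SMTP destinations, the SMTP threshold of 20 connections per minute, and the `sid` values are assumptions chosen for illustration.

```python
"""Flag internal hosts that contact the suspected C2 addresses on 443 and then
send a burst of outbound SMTP.  Added example; the flow records below are
constructed, and the thresholds and sids are assumptions."""

from collections import defaultdict
from datetime import datetime, timedelta

# The three addresses named in the post.
C2_ADDRS = {"128.241.20.244", "64.254.235.132", "64.254.235.136"}

# Constructed flow log, one connection per line: "timestamp src dst dport".
# 10.1.1.20 shows the full pattern, 10.1.1.40 only the check-in, and
# 10.1.1.31 is ordinary HTTPS plus a single legitimate SMTP connection.
SAMPLE_FLOWS = """\
2008-05-03T15:58:02 10.1.1.20 128.241.20.244 443
2008-05-03T15:58:05 10.1.1.20 64.254.235.132 443
2008-05-03T15:59:10 10.1.1.20 203.0.113.7 25
2008-05-03T15:59:11 10.1.1.20 203.0.113.8 25
2008-05-03T15:59:11 10.1.1.20 203.0.113.9 25
2008-05-03T15:59:12 10.1.1.20 203.0.113.10 25
2008-05-03T15:59:13 10.1.1.20 203.0.113.11 25
2008-05-03T16:01:00 10.1.1.31 198.51.100.4 443
2008-05-03T16:01:30 10.1.1.31 198.51.100.25 25
2008-05-03T16:02:00 10.1.1.40 64.254.235.136 443
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, int) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_spambots(flows, window=timedelta(minutes=10), burst=5):
    """Return {host: verdict}.

    'checkin+spam': the host reached a C2 address on 443 and, within `window`
    after that check-in, opened SMTP connections to at least `burst` distinct
    destinations.  'checkin': only the C2 contact was seen.  Hosts that never
    touch a C2 address are not reported, however much mail they send.
    """
    checkins = defaultdict(list)        # host -> [check-in timestamps]
    smtp = defaultdict(list)            # host -> [(timestamp, dst)]
    for ts, src, dst, dport in flows:
        if dst in C2_ADDRS and dport == 443:
            checkins[src].append(ts)
        elif dport == 25:
            smtp[src].append((ts, dst))

    verdicts = {}
    for host, times in checkins.items():
        verdicts[host] = "checkin"
        for t0 in times:
            targets = {dst for ts, dst in smtp[host] if t0 <= ts <= t0 + window}
            if len(targets) >= burst:
                verdicts[host] = "checkin+spam"
                break
    return verdicts


def snort_rules(base_sid=1000001):
    """Snort 2 rules for the same two stages.  The payload is TLS, so the
    check-in rule matches destination and port only; the SMTP rule counts
    outbound SYNs per source with a `threshold` option (Snort 2.8 syntax).
    sids >= 1000000 are the local-rule range; the values here are assumptions."""
    addrs = ",".join(sorted(C2_ADDRS))
    checkin = ('alert tcp $HOME_NET any -> [%s] 443 '
               '(msg:"Suspected spambot C2 check-in"; flow:to_server,established; '
               'classtype:trojan-activity; sid:%d; rev:1;)' % (addrs, base_sid))
    burst = ('alert tcp $HOME_NET any -> !$HOME_NET 25 '
             '(msg:"Outbound SMTP burst from internal host"; flags:S; '
             'threshold:type both, track by_src, count 20, seconds 60; '
             'classtype:trojan-activity; sid:%d; rev:1;)' % (base_sid + 1))
    return [checkin, burst]


if __name__ == "__main__":
    for host, verdict in sorted(find_spambots(parse_flows(SAMPLE_FLOWS)).items()):
        print(host, verdict)
    print()
    print("\n".join(snort_rules()))
```

Correlating the two stages on the host (or on a flow collector) is what separates a compromised box from a mail relay that happens to be busy; the Snort rules alone will fire on either stage independently, so the check-in rule is the higher-confidence alert of the two, and the SMTP threshold mainly serves to catch a spam burst whose controller address is not yet on the list.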