Belgacom infected Botnet attacks give Belgium Bronze in Botnet battle
Should it be true what sources are telling? That the Russian problem on our Belgian net is bigger than the media lead us to believe?
The numbers on this international attack monitoring site may give us more information.
For the moment we are the third most infected country in the whole world, both being attacked and attacking others, just behind China and the US. Wow, this little country can be famous in so many mysterious ways.
The traffic is mostly Windows ports 445 and 135, and some 139.
80% of these attacks target, according to ATLAS, the ASN.1 vulnerability CVE-2003-0818:
Age: 1321 days | Severity: High | CVSS Score: 7.0
and for this kind of attack we have won the Olympic gold medal.
And the Belgacom network is the main source of the attack,
and the main sources are
We are also conducting botnet DDoS attacks against others, which is normal if you are infected, and also scanning for other vulnerable computers.
And further down the pages you can see there is actually one botnet.
So how much time will it take to bring down 1 (you read that right) botnet and clean up the mess of infected PCs/servers (before another botnet recuperates them)?
Tips for network admins
* Block all ICQ traffic on your firewall if you haven't done so already. Period. Why? Because most of the botnet commands come by ICQ. Also block, on every port, any destination with ICQ in it. And are you sure everybody needs pure FTP on port 21? Or that any PC has to be its own mailserver on port 25?
* Look at your firewall for internal scanning traffic, especially if you have diverted all non-responsive scanning traffic (to non-existent servers, for example). Throw the PCs and servers that are wildly scanning your internal network off the network. Period. Disinfect and monitor, and if that isn't successful you will need an anti-rootkit tool; in the worst case you have lost the PC/server and you will have to back up the documents to a separate backup and totally re-install the server/PC.
* Contact the network admins of the official network or the ISPs about Belgian-based scanning and attacking traffic. You can try the e-cops or BIPT, but I am not sure if they already have a cyber-infrastructure defense procedure. ...
* Limit your outbound traffic to normal ports (for users this would only be 80, 8000, 8080, 443, 53 (if you don't have an internal DNS relay server), ....)
* I presume that your PCs/servers are all updated and have antivirus, a firewall and so on?
and please, help those guys by building and placing more monitors: http://www.arbornetworks.com/atlas_register.php
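The second tip, spotting internal hosts that sweep the network on the Windows ports named above, as a small detection script. This is an added example, not from the original post or from Arbor; the log format is iptables-style, the log lines are constructed, and the threshold of 20 distinct targets is an assumed value to tune for your own network.

```python
import re
from collections import defaultdict

# Ports the post reports as the bulk of the Belgian attack traffic (Windows RPC/SMB).
SCAN_PORTS = {445, 135, 139}

# Constructed iptables-style log lines (not real traffic): 10.0.0.7 sweeps the
# internal /24 on port 445, while 10.0.0.12 makes two ordinary connections.
SAMPLE_LOG = "\n".join(
    [f"Mar  3 10:01:{i:02d} fw kernel: IN=eth1 OUT= SRC=10.0.0.7 DST=10.0.0.{100 + i} "
     f"PROTO=TCP SPT=1034 DPT=445 SYN" for i in range(25)]
    + ["Mar  3 10:02:00 fw kernel: IN=eth1 OUT= SRC=10.0.0.12 DST=10.0.0.5 PROTO=TCP SPT=2048 DPT=445 SYN",
       "Mar  3 10:02:01 fw kernel: IN=eth1 OUT= SRC=10.0.0.12 DST=10.0.0.9 PROTO=TCP SPT=2049 DPT=80 SYN"]
)

# Pull source, destination and TCP destination port out of one log line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def parse_lines(log):
    """Yield (src, dst, dport) for every TCP line the regex recognises; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def find_scanners(log, threshold=20, ports=SCAN_PORTS):
    """Return {src: distinct_target_count} for sources that contacted at least
    `threshold` distinct hosts on the RPC/SMB ports (threshold is an assumed value)."""
    targets = defaultdict(set)
    for src, dst, dport in parse_lines(log):
        if dport in ports:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src} hit {n} internal hosts on ports {sorted(SCAN_PORTS)} - pull it off the network")
```

Point it at the firewall log of the "black hole" destinations mentioned in the tip; a normal workstation hits one or two file servers on 445, a worm-infected one hits the whole subnet.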