An administrator is investigating a system that may potentially be compromised, and sees the following log
entries on the router.
*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 126.96.36.199(57222) (FastEthernet 0/3) -> 10.10.1.5
(6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 188.8.131.52(57222) (FastEthernet 0/3) -> 10.10.1.5
(6667), 6 packets.
*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 184.108.40.206(57222) (FastEthernet 0/3) -> 10.10.1.5
(6667), 8 packets.
Which of the following BEST describes the compromised system?
It is running a rogue web server
It is being used in a man-in-the-middle attack
It is participating in a botnet
It is an ARP poisoning attack
In this question, we have a source computer (220.127.116.11) sending data to a single destination IP address
10.10.1.5. No data is being received back by source computer which suggests the data being sent is some kind
of Denial-of-service attack. This is common practice for computers participating in a botnet. The port used is
TCP 6667 which is IRC (Internet Relay Chat). This port is used by many Trojans and is commonly used for DoS
Software running on infected computers called zombies is often known as a botnet. Bots, by themselves, are
but a form of software that runs automatically and autonomously. (For example, Google uses the Googlebot to
find web pages and bring back values for the index.)
Botnet, however, has come to be the word used to describe malicious software running on a zombie and under
the control of a bot-herder.
Denial-of-service attacks—DoS and DDoS—can be launched by botnets, as can many forms of adware,
spyware, and spam (via spambots). Most bots are written to run in the background with no visible evidence of
their presence. Many malware kits can be used to create botnets and modify existing ones.