By John E. Dunn
18 November 2008
Large numbers of infected computers have been searching in vain for the
Srizbi botnet disrupted by the disconnection of ISP McColo a week ago, a
security vendor has found.
According to FireEye Security, the company has detected a total of
450,000 compromised IP addresses trying to connect to Srizbi-controlled
command and control computers that would have been hosted by McColo
until it disappeared.
The company identifies Srizbi by monitoring computers that attempt to
connect to IP addresses 18.104.22.168 or 22.214.171.124 from November 12
onwards, and recommends that admins check firewall logs to trace HTTP
connections opened to these addresses.
The majority of infected PCs will likely be poorly-protected consumer
PCs, but in principle IP connection attempts can come from any PC,
servers included. If infected PCs are located on a network, the company
cautions that cleaning a system might not be straightforward.
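
The firewall-log check recommended above, as an added example that is
not from the article or from FireEye. It assumes an iptables-like log
layout (constructed here) and that "HTTP traffic" means TCP port 80; the
function name and sample log are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Addresses and start date exactly as given in the article.
SRIZBI_C2 = {"18.104.22.168", "22.214.171.124"}
START = datetime(2008, 11, 12)

# Assumed log layout (constructed, iptables-like); adapt to your firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) \w+ TCP "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) SPT=\d+ DPT=(?P<dpt>\d+)$"
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2008-11-11T23:50:02 ACCEPT TCP SRC=10.0.0.5 DST=18.104.22.168 SPT=1044 DPT=80
2008-11-13T08:01:10 ACCEPT TCP SRC=10.0.0.5 DST=18.104.22.168 SPT=1051 DPT=80
2008-11-13T08:06:10 DROP TCP SRC=10.0.0.5 DST=22.214.171.124 SPT=1052 DPT=80
2008-11-14T10:00:00 ACCEPT TCP SRC=10.0.0.9 DST=192.0.2.10 SPT=2000 DPT=80
2008-11-15T02:14:55 DROP TCP SRC=10.0.0.22 DST=22.214.171.124 SPT=3111 DPT=80
2008-11-15T02:15:00 ACCEPT TCP SRC=10.0.0.22 DST=22.214.171.124 SPT=3112 DPT=25
kernel: link up eth0
"""

def find_srizbi_hosts(log_text, http_port=80):
    """Map each source IP to its attempts against the listed addresses."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "dsts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed layout
        ts = datetime.fromisoformat(m["ts"])
        # Blocked (DROP) attempts count too: the host still tried to connect.
        if ts < START or m["dst"] not in SRIZBI_C2 or int(m["dpt"]) != http_port:
            continue
        h = hits[m["src"]]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["dsts"].add(m["dst"])
    return dict(hits)

if __name__ == "__main__":
    for src, h in sorted(find_srizbi_hosts(SAMPLE_LOG).items()):
        print(f"{src}: {h['count']} attempts, {h['first']} to {h['last']}, {sorted(h['dsts'])}")
```

Each source address returned is a machine to pull for inspection; the
first and last timestamps bound the period it was trying to reconnect.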