Author Topic: Should I be worried? CandC server  (Read 3210 times)
t3st
« on: December 17, 2012, 05:48:15 AM »

Hi there,
I have scanned the wi-fi in my workplace and have come across this connection:
CandC (00:**:7f:**:d6:**)
[WPS ESS]
[WPA-PSK-TKIP]
Ch 6 2437mhz

I have googled CandC server and worryingly came across this:
"A botnet's originator (known as a "bot herder" or "bot master") can control the group remotely, usually through an IRC, and often for criminal purposes. This server is known as the command-and-control (C&C) server."
So is this CandC server I have found something to worry about?
Please can you advise if there are innocent CandC servers, or if they are always related to botnets?
Thanks for your time,
hayabusa
« Reply #1 on: December 17, 2012, 08:01:35 AM »

Without more information, I would have a hard time telling you that THIS particular machine you've listed is a C and C botnet controller / host, or simply a machine going by that name. In fact, I have my doubts that it is, at least, solely from the information you've given us, thus far. A name, alone, means little.

That said...

What tool did you use to 'scan' the wireless? Where did you come by the name, "CandC"? Can you, at least, give us the first set of MAC address numbers that you left out (between the 00 and 7F) so that we can see who makes the adapter (assuming its MAC wasn't altered)? What ports does it have open, etc? We have VERY little information, here, to even begin to tell you anything about this box.

Let's assume, for instance, that it IS a C and C botnet box. I'd be hard pressed to think the code would 'advertise' itself as C and C, as usually, they wouldn't want to be detected. It's more likely just a chosen name that someone gave this box. What I'd recommend / propose is that you take the hostname and IP address, give it to IS&T (unless that's you), at your workplace, and let them find said machine and investigate it. If your work has wifi, then it would be assumed that someone there would be capable of locating the box in question. If not, I think it's time they contract someone who can.

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
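A small triage script, added here as an illustration and not part of the thread or any tool it mentions, that parses scan records in the layout of the first post and checks the things the reply above asks for: whether the BSSID belongs to your own AP inventory (with the OUI pulled out for a vendor lookup by IT) and whether weak settings such as WPS and TKIP are advertised. The masked MAC octets, the second CorpNet record and the inventory set are constructed values.

```python
import re

# Constructed scan records in the first post's layout; the masked ** octets and CorpNet are made up.
SCAN_RECORDS = """\
CandC (00:1a:7f:3b:d6:02)
[WPS ESS]
[WPA-PSK-TKIP]
Ch 6 2437mhz
CorpNet (00:1a:7f:3b:d6:10)
[ESS]
[WPA2-PSK-CCMP]
Ch 11 2462mhz
"""

# Hypothetical inventory of the BSSIDs your own access points broadcast.
KNOWN_BSSIDS = {"00:1a:7f:3b:d6:10"}

HEADER_RE = re.compile(r"^(?P<ssid>.+?) \((?P<bssid>[0-9a-f:]{17})\)$", re.I)
CHAN_RE = re.compile(r"^Ch (?P<ch>\d+) (?P<mhz>\d+)mhz$", re.I)

def parse_records(text):
    """Group the flat scan text into one dict per access point."""
    aps, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"ssid": m["ssid"], "bssid": m["bssid"].lower(), "flags": []}
            aps.append(cur)
        elif cur is not None and CHAN_RE.match(line):
            m = CHAN_RE.match(line)
            cur["channel"], cur["mhz"] = int(m["ch"]), int(m["mhz"])
        elif cur is not None:
            cur["flags"].extend(line.strip("[]").split())
    return aps

def assess(ap):
    """Findings a network admin would triage, in a fixed order."""
    findings = []
    if ap["bssid"] not in KNOWN_BSSIDS:
        # The OUI (first three octets) is what identifies the adapter vendor.
        findings.append(f"unknown BSSID, OUI {ap['bssid'][:8]} (neighbour or rogue AP?)")
    if "WPS" in ap["flags"]:
        findings.append("WPS enabled")
    if any("TKIP" in f for f in ap["flags"]):
        findings.append("TKIP cipher in use")
    # 2.4 GHz channels 1-13 sit 5 MHz apart starting at 2412 MHz (channel 14 is 2484).
    if "channel" in ap and ap["channel"] != 14 and 2407 + 5 * ap["channel"] != ap["mhz"]:
        findings.append("channel/frequency mismatch")
    return findings
```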
chrisj
« Reply #2 on: December 17, 2012, 09:34:00 PM »

I wonder if someone named it CandC, meaning CNC.

OSWP, Sec+
hayabusa
« Reply #3 on: December 17, 2012, 10:11:22 PM »

Honestly wondered the same, but as there's been no further reply / info given...
t3st
« Reply #4 on: December 18, 2012, 04:45:27 AM »

Hi there, thank you for your replies.

I didn't want to put down too much information, as if it was innocent, I would be posting details of an actual server on a public forum. I am in the "recon" stage of my learning and have been reading about how network admins make the mistake of doing this, so I was careful not to do the same.
I was using an Android app called Wi-Fi Analyser, but the CandC doesn't appear in another app called Network Discovery (that brings up so many IP addresses of computers, servers and mobile phones).

I have notified our DBA.
hayabusa
« Reply #5 on: December 18, 2012, 05:58:44 AM »

OK.  Well, if further info comes up, or more specific questions arise, we'll see what help we can provide, at that time.
t3st
« Reply #6 on: December 18, 2012, 08:29:34 AM »

Thanks Hayabusa

rgds
Andrew Waite
« Reply #7 on: December 19, 2012, 04:36:04 AM »

t3st,

assuming by wifi analyser you mean the wireless tool by Farpoc?

I use the same tool, as it's essentially a wireless spectrum analyser similar to aircrack/kismet/etc. My guess is CandC is merely an SSID of a neighbouring AP and (hopefully) not a direct threat to your environment.
chrisj
« Reply #8 on: December 19, 2012, 09:59:05 AM »

I'm using the one by Farpoc, but other than finding access points, I haven't noticed it doing some of the same things as aircrack or Kismet. Those don't just show the access points, but end points too.

The nice thing about Wifi Analyser is that it helps you find the least congested channel.
ajohnson
« Reply #9 on: December 20, 2012, 12:10:39 PM »

Maybe it's for multiplayer Command and Conquer games.

Legitimate attackers would probably be more discreet. I'm personally more suspicious of "Free WiFi" SSIDs ;)
© 2013 The Ethical Hacker Network