December 17, 2012 at 11:48 am #8076
I have scanned the wi-fi in my workplace and have come across this connection:
Ch 6 2437mhz
I have googled CandC server and worryingly came across this:
“A botnet’s originator (known as a “bot herder” or “bot master”) can control the group remotely, usually through an IRC, and often for criminal purposes. This server is known as the command-and-control (C&C) server.”
So is this CandC server I have found something to worry about?
Please can you advise if there are innocent CandC servers, or if they are always related to botnets?
Thanks for your time,
December 17, 2012 at 2:01 pm #51183
Without more information, I would have a hard time telling you that THIS particular machine you’ve listed is a C and C botnet controller / host, or simply a machine going by that name. In fact, I have my doubts that it is, at least, solely from the information you’ve given us, thus far. A name, alone, means little.
What tool did you use to ‘scan’ the wireless? Where did you come by the name, “CandC”? Can you, at least, give us the first set of MAC address numbers that you left out (between the 00 and 7F) so that we can see who makes the adapter (assuming its MAC wasn’t altered)? What ports does it have open, etc? We have VERY little information, here, to even begin to tell you anything about this box.
Let’s assume, for instance, that it IS a C and C botnet box. I’d be hard pressed to think the code would ‘advertise’ itself as C and C, as usually, they wouldn’t want to be detected. It’s more likely just a chosen name that someone gave this box. What I’d recommend / propose, is that you take the hostname and IP address, give it to IS&T (unless that’s you), at your workplace, and let them find said machine and investigate it. If your work has wifi, then it would be assumed that someone there would be capable of locating the box in question. If not, I think it’s time they contract someone who can.
December 18, 2012 at 3:34 am #51184 rattis Participant
I wonder if someone named it CandC, meaning CNC.
December 18, 2012 at 4:11 am #51185
Honestly wondered the same, but as there’s been no further reply / info given…
December 18, 2012 at 10:45 am #51186
Hi there, thank you for your replies.
I didn’t want to put down too much information, as if it was innocent, I would be posting details of an actual server on a public forum. I am in the “recon” stage of my learning and have been reading about how network admins make the mistake of doing this, so I was careful not to do the same.
I was using an android app called wi-fi analyser, but the CandC doesn’t appear on another app called Network discovery (that brings up so many ip add’s of computers, servers and mobile phones).
I have notified our DBA.
December 18, 2012 at 11:58 am #51187
OK. Well, if further info comes up, or more specific questions arise, we’ll see what help we can provide, at that time.
December 18, 2012 at 2:29 pm #51188
December 19, 2012 at 10:36 am #51189 RoleReversal Participant
Assuming by wifi analyser you mean the wireless tool by Farpoc?
I use the same tool, as it’s essentially a wireless spectrum analyser similar to aircrack/kismet/etc. My guess is CandC is merely an SSID of a neighbouring AP and (hopefully) not a direct threat to your environment.
December 19, 2012 at 3:59 pm #51190 rattis Participant
I’m using the one by Farpoc, but other than finding access points, I haven’t noticed it doing some of the same things as aircrack or Kismet. Those don’t just show the access points, but end points too.
The nice thing about Wifi Analyser, it helps you find the least congested channel.
December 20, 2012 at 6:10 pm #51191