Should I be worried? CandC server

This topic contains 9 replies, has 5 voices, and was last updated by dynamik 6 years, 11 months ago.

  • #8076
     t3st 
    Participant

    Hi there,
    I have scanned the wi-fi in my workplace and have come across this connection:
    CandC (00:**:7f:**:d6:**)
    [WPS ESS]
    [WPA-PSK-TKIP]
    Ch 6 2437mhz

    I have googled CandC server and worryingly came across this:
    “A botnet’s originator (known as a “bot herder” or “bot master”) can control the group remotely, usually through an IRC, and often for criminal purposes. This server is known as the command-and-control (C&C) server.”
    So is this CandC server I have found something to worry about?
    Please can you advise if there are innocent CandC servers or always related to botnets?
    Thanks for your time,

  • #51183
     hayabusa 
    Participant

    Without more information, I would have a hard time telling you that THIS particular machine you’ve listed is a C and C botnet controller / host, or simply a machine going by that name. In fact, I have my doubts that it is, at least, solely from the information you’ve given us, thus far. A name, alone, means little.

    That said…

    What tool did you use to ‘scan’ the wireless? Where did you come by the name, “CandC”? Can you, at least, give us the first set of MAC address numbers that you left out (between the 00 and 7F) so that we can see who makes the adapter (assuming its MAC wasn’t altered)? What ports does it have open, etc? We have VERY little information, here, to even begin to tell you anything about this box.

    Let’s assume, for instance, that it IS a C and C botnet box.  I’d be hard pressed to think the code would ‘advertise’ itself as C and C, as usually, they wouldn’t want to be detected.  It’s more likely just a chosen name that someone gave this box.  What I’d recommend / propose, is that you take the hostname and IP address, give it to IS&T (unless that’s you), at your workplace, and let them find said machine and investigate it.  If your work has wifi, then it would be assumed that someone there would be capable of locating the box in question.  If not, I think it’s time they contract someone who can.
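The scan line quoted in the question and hayabusa’s suggestion to check the adapter maker from the MAC prefix can be turned into a small triage script. This is an added example, not code from anyone in the thread; the sample line below is constructed in the same shape as the one posted (with the masked octets kept as placeholders), and the triage rules are ordinary defender checks, not claims about this particular access point.

```python
import re

# Constructed sample in the same shape as the scan line quoted in the question;
# the "**" octets are placeholders, not a real address.
SAMPLE = "CandC (00:**:7f:**:d6:**) [WPS ESS] [WPA-PSK-TKIP] Ch 6 2437mhz"

LINE_RE = re.compile(
    r"^(?P<ssid>.+?) \((?P<bssid>[0-9A-Fa-f*]{2}(?::[0-9A-Fa-f*]{2}){5})\)"
    r"(?P<flags>(?: \[[^\]]+\])*) Ch (?P<ch>\d+) (?P<mhz>\d+)[mM][hH]z$"
)

def channel_to_mhz(ch):
    """2.4 GHz centre frequency: ch 1 = 2412 MHz, 5 MHz steps, ch 14 = 2484 MHz."""
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    return None

def parse_scan_line(line):
    """Split one analyser-style line into SSID, BSSID, capability flags, channel and MHz."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised scan line: %r" % line)
    flags = re.findall(r"\[([^\]]+)\]", m.group("flags"))
    return {
        "ssid": m.group("ssid"),
        "bssid": m.group("bssid").lower(),
        "flags": flags,
        "channel": int(m.group("ch")),
        "mhz": int(m.group("mhz")),
    }

def triage(entry):
    """Return the findings a defender would note about an AP, based only on the scan line."""
    findings = []
    if entry["mhz"] != channel_to_mhz(entry["channel"]):
        findings.append("channel/frequency mismatch (possible tool glitch)")
    if any("TKIP" in f for f in entry["flags"]):
        findings.append("WPA-TKIP is deprecated; WPA2/WPA3 with AES-CCMP expected")
    if any(f.startswith("WPS") for f in entry["flags"]):
        findings.append("WPS enabled; disable unless required")
    oui = entry["bssid"][:8]  # first three octets identify the adapter vendor
    if "*" in oui:
        findings.append("OUI masked (%s); full first three octets needed for vendor lookup" % oui)
    else:
        findings.append("OUI %s: look up the vendor in the IEEE OUI registry" % oui)
    return findings
```

The SSID itself plays no part in the triage; the useful signals are the security flags and the (unmasked) OUI, which is what the replies above ask for.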

  • #51184
     rattis 
    Participant

    I wonder if someone named it CandC, meaning CNC.

  • #51185
     hayabusa 
    Participant

    Honestly wondered the same, but as there’s been no further reply / info given…

  • #51186
     t3st 
    Participant

    Hi there, thank you for your replies.

    I didn’t want to put down too much information, as if it was innocent, I would be posting details of an actual server on a public forum. I am in the “recon” stage of my learning and have been reading about how network admins make the mistake of doing this, so I was careful not to do the same.
    I was using an Android app called Wi-Fi Analyser, but the CandC doesn’t appear in another app called Network Discovery (that brings up so many IP addresses of computers, servers and mobile phones).

    I have notified our DBA.

  • #51187
     hayabusa 
    Participant

    OK. Well, if further info comes up, or more specific questions arise, we’ll see what help we can provide, at that time.

  • #51188
     t3st 
    Participant

    Thanks Hayabusa

    rgds

  • #51189
     RoleReversal 
    Participant

    t3st,

    assuming by Wi-Fi Analyser you mean the wireless tool by Farpoc?

    I use the same tool, as it’s essentially a wireless spectrum analyser similar to aircrack/kismet/etc. My guess is CandC is merely an SSID of a neighbouring AP and (hopefully) not a direct threat to your environment.

  • #51190
     rattis 
    Participant

    I’m using the one by Farpoc, but other than finding access points, I haven’t noticed it doing some of the same things as aircrack or Kismet. Those don’t just show the access points, but endpoints too.

    The nice thing about Wi-Fi Analyser is that it helps you find the least congested channel.

  • #51191
     dynamik 
    Participant

    Maybe it’s for multiplayer Command and Conquer games.

    Legitimate attackers would probably be more discreet. I’m personally more suspicious of “Free WiFi” SSIDs 😉
