RE: I think I've been hacked...please help!

From: Pepijn Vissers (vissers@fox-it.com)
Date: 04/09/02


From: Pepijn Vissers <vissers@fox-it.com>
To: "'Arnold, Jamie'" <harnold@binghamton.edu>
Date: Tue, 9 Apr 2002 13:39:31 +0200 

Hi Jamie,

> I have several machines that are using excessive bandwidth. Upon
> inspection, I find multiple connections to servers with names like
> irc.badguuy.com, etc... On 6667.

Well, my first guess is that your machines are
used for a DDoS, controlled through (modified) eggdrops and
the irc-servers. Did you run a tcpdump to see which channel(s) they
join and with what key? You could use an 'anonymized' machine which
does not lead back to your official network and join the chan, pose
as an eggdrop and do some research. Just wait until you get queried
with commands :)

> Incoming connections are random although 1067 seems to be a common one.
> I have 4 instances of cmd.exe running and 2
> of win.exe While it looks like Egghead, the reg entries
> aren't there nor the directories/files.

Maybe they pose as other programs. You could try to use some tools
from sysinternals (www.sysinternals.com) or so to examine which program
is using the socket that is connected to the irc-server.

> What is confusing to me is that one of them uses our Exchange server which
> is protected by
> Antigen (and I pull nearly every extension known to man) and
> McAffee on the desktop. I can't find anything that matches this. Anyone
> have any insight?

Not sure. Maybe they don't see eggdrops as a threat / trojan.
They were in the first place surely never written to be any of those.
Maybe the characteristics of the used programs do not match the definitions
because they are slightly modified. There are several ways to circumvent
virus scanners.

Good luck,
P. Vissers

> Thanks
>
> J
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


