Re: Trojan? DDOS Bot?
From: Mike Parkin (mparkin@cisco.com)Date: 08/27/02
- Previous message: pj@esec.dk: "Re: TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid"
- In reply to: Janus@etoast.com: "Trojan? DDOS Bot?"
- Next in thread: Christopher Cramer: "Re: Trojan? DDOS Bot?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Aug 2002 11:56:53 -0700 (PDT) From: Mike Parkin <mparkin@cisco.com> To: Janus@etoast.com
You appear to have been infected with one of a variety of Trojans - like
BO, NetBus, Sub7, etc. Can't tell from the ports you show, since many of
the trojans are configurable for responses, U@H values when connecting to
IRC, listening ports, etc.
I've seen that same thing from the IRCAdmin side of the equation many
times. We used to set up in the "target" channel and wait for the organic
to show up and claim it's bots. Unfortunately, even when we'd dealt with
him, we'd often see stragglers from his botnet for weeks to come.
Advice - get some scanning software appropriate for your OS (Sorry, no
recommendation - I'm an *IX guy) and find the trojan.
Mike Parkin
Cisco Systems, Inc.
Information Security
SysAdmin/NetAdmin
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Previous message: pj@esec.dk: "Re: TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid"
- In reply to: Janus@etoast.com: "Trojan? DDOS Bot?"
- Next in thread: Christopher Cramer: "Re: Trojan? DDOS Bot?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
