Re: Trojan? DDOS Bot?

From: Richman, Samuel (Samuel.Richman@nhtsa.dot.gov)
Date: 08/27/02


Date: 27 Aug 2002 14:12:20 -0400
From: "Richman, Samuel <NHTSA>" <Samuel.Richman@nhtsa.dot.gov>
To: incidents@securityfocus.com (IPM Return requested) (Receipt notification requested), Janus@etoast.com (IPM Return requested) (Receipt notification requested)

Take it off the network, wipe the box, and start over. This time, with a
firewall :). Unless you have tripwired the machine, who knows where the listener
could be spawning from...

Samuel Richman
Data Center Unix Support
NHTSA Research and Development
US DOT Rm 2403
Phone: 202-366-6218
Fax: 202-366-3986

>>> Janus@etoast.com 08/27/02 02:04PM >>>

I recognized some weird connections from my box (w98)
to other computers. As soon as I connect to the
Internet a connection from local port 1026 to port 6667
on 65.185.135.125 was established. I connected to that
server and it is an IRC server (MusIRC Internet Relay
Chat Network). I found a bot using my address with a
random name made up of letters. The server
administrator told me that he has recognized these bots
coming from many different hosts for quite some time
now. They all try to join a channel named #nutz on that
server. He has seen people giving commands to those
bots so he closed down the channel. They give a msg
after being kicked: "Fuck you <name of the person that has
kicked them>". To a version request they reply with
something like that too. I checked for open ports on my
box and found 113 open. A few days ago I deleted a
net-devil v.1.4 from my system. Not sure if that has
anything to do with that. After installing a freeware
firewall to see what it will do if I blocked its
outgoing port and deleting it afterwards, it just
changed the outgoing port. As I am typing this a
netstat -an reveals

  TCP    0.0.0.0:1301          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1705          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1704        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1704        127.0.0.1:1705         ESTABLISHED
  TCP    127.0.0.1:1705        127.0.0.1:1704         ESTABLISHED
  TCP    217.84.185.171:1301   65.185.135.125:6667    ESTABLISHED
  UDP    127.0.0.1:1027        *:*

I couldn't find a freeware tool to find out which
process is using this specific IRC connection, nor did
a scan with f-prot or housecall or panda reveal any
viral or trojan activity.

Any help or info would be really appreciated. Thanks in
advance

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
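The netstat listing in the post is the kind of evidence a responder would want to triage quickly: an ESTABLISHED TCP connection from the host's real address to a remote port 6667 (IRC), plus listeners bound to all interfaces. The script below is an added example, not code from the thread or from any of the tools named in it. It parses the `netstat -an` line format shown above (the sample is copied from the post) and flags IRC-port connections and non-loopback listeners. The set of "IRC ports" is an assumption for illustration.

```python
"""Triage `netstat -an` output for IRC-bot style connections.

Added example (not from the original thread). Parses lines of the form
    PROTO LOCALADDR:PORT REMOTEADDR:PORT [STATE]
and reports:
  * established TCP connections from a non-loopback local address to a
    remote port in IRC_PORTS, and
  * TCP listeners bound to all interfaces (0.0.0.0), which a workstation
    does not normally expose.
"""
import ipaddress
import re

# Assumption: ports commonly used by IRC servers; tune for your environment.
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}

# Sample input copied from the netstat listing quoted in the post.
SAMPLE_NETSTAT = """\
TCP 0.0.0.0:1301 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1705 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1704 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1704 127.0.0.1:1705 ESTABLISHED
TCP 127.0.0.1:1705 127.0.0.1:1704 ESTABLISHED
TCP 217.84.185.171:1301 65.185.135.125:6667 ESTABLISHED
UDP 127.0.0.1:1027 *:*
"""

# PROTO, local addr, local port, remote addr, remote port (or "*"), optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Turn netstat text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        entries.append({
            "proto": proto,
            "local": (laddr, int(lport)),
            "remote": (raddr, None if rport == "*" else int(rport)),
            "state": state or "",
        })
    return entries


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # e.g. "*" in UDP entries
        return False


def find_suspicious(entries):
    """Return (kind, description) tuples for entries worth a closer look."""
    findings = []
    for e in entries:
        laddr, lport = e["local"]
        raddr, rport = e["remote"]
        if e["proto"] != "TCP":
            continue
        if e["state"] == "ESTABLISHED" and rport in IRC_PORTS and not _is_loopback(laddr):
            findings.append(("irc-connection", f"{laddr}:{lport} -> {raddr}:{rport}"))
        elif e["state"] == "LISTENING" and laddr == "0.0.0.0":
            findings.append(("external-listener", f"{laddr}:{lport}"))
    return findings


if __name__ == "__main__":
    for kind, desc in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{kind:18} {desc}")
```

Run against the sample, it reports the two 0.0.0.0 listeners (ports 1301 and 1705) and the outbound connection to 65.185.135.125:6667. The loopback pairs on 1704/1705 are left alone; as the poster notes, the outbound port changed when blocked, so the remote port and address are the stable indicators here, not the local port.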
