Re: Trojan? DDOS Bot?

From: Richman, Samuel (Samuel.Richman@nhtsa.dot.gov)
Date: 08/27/02


Date: 27 Aug 2002 14:12:20 -0400
From: "Richman, Samuel <NHTSA>" <Samuel.Richman@nhtsa.dot.gov>
To: incidents@securityfocus.com (IPM Return requested) (Receipt notification requested), Janus@etoast.com (IPM Return requested) (Receipt notification requested)

Take it off the network, wipe the box, and start over. This time, with a fire
wall :). Unless you have tripwired the machine, who knows where the listener
could be spawning from...

Samuel Richman
Data Center Unix Support
NHTSA Research and Development
US DOT Rm 2403
Phone: 202-366-6218
Fax: 202-366-3986

>>> Janus@etoast.com 08/27/02 02:04PM >>>

I recogniced some weird connections from my box (w98)
to other computers. As soon as i connect to the
internet a connection from local port 1026 to port 6667
on 65.185.135.125 was established. I connected to that
server and it is an irc server (MusIRC Internet Relay
Chat Network). I found a bot using my adress with a
random name made up of letters. The server
administrator told me that he has recognized these bots
coming from many different hosts for quite ome time
now. They all try to join a channel named #nutz on that
server. He has seen people giving commands to those
bots so he closed down the channel. They give a msg
after kicked "Fuck you <name of the person that has
kicked them>. To version request they reply with
something like that too. I checked for open ports on my
box and found 113 open. A few days ago i deleted a
net-devil v.1.4 from my system. Not sure if that has
anything to do with that. After installing a freeware
firewall to see what it will do if i blocked its
outgoing port and deleting it afterwards it just
changed the outgoing port. As i am typing this a
netstat -an reveals

TCP 0.0.0.0:1301 0.0.0.0:0
LISTENING
  TCP 0.0.0.0:1705 0.0.0.0:0
LISTENING
  TCP 127.0.0.1:1027 0.0.0.0:0
LISTENING
  TCP 127.0.0.1:1704 0.0.0.0:0
LISTENING
  TCP 127.0.0.1:1704 127.0.0.1:1705
ESTABLISHED
  TCP 127.0.0.1:1705 127.0.0.1:1704
ESTABLISHED
  TCP 217.84.185.171:1301 65.185.135.125:6667
ESTABLISHED
  UDP 127.0.0.1:1027 *:*

I couldnt find a freeware tool to find out which
process is using this specific irc connection, nor did
a scan with f-prot or housecall or panda reveal any
viral or trojan activity.

Any help or info would be really appreciated. Thanks in
advance

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                               

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com