Re: Trojan? DDOS Bot?

From: Will Tell (nosphie@rootshell.be)
Date: 08/27/02


Date: 27 Aug 2002 19:31:19 -0000
From: Will Tell <nosphie@rootshell.be>
To: incidents@securityfocus.com


In-Reply-To: <20020827082232.885.qmail@mail.securityfocus.com>

Hey,
It seems hacking boxes and leaving bots there is a new
sport.
http://www.honeynet.ch/reports/openbsd.php
Here are some hackers talking about their bot on all the
hacked boxes (the long IRC dialog).
This is on OpenBSD but I think the same happens on Windows.
They break in and install a bot and a rootkit... so do
not trust your box. It seems compromised.

Will Tell

>From: <Janus@etoast.com>
>To: incidents@securityfocus.com
>Subject: Trojan? DDOS Bot?
>
>
>
>I recognized some weird connections from my box (W98)
>to other computers. As soon as I connect to the
>internet a connection from local port 1026 to port 6667
>on 65.185.135.125 was established. I connected to that
>server and it is an IRC server (MusIRC Internet Relay
>Chat Network). I found a bot using my address with a
>random name made up of letters. The server
>administrator told me that he has recognized these bots
>coming from many different hosts for quite some time
>now. They all try to join a channel named #nutz on that
>server. He has seen people giving commands to those
>bots so he closed down the channel. They give a msg
>after being kicked: "Fuck you <name of the person that has
>kicked them>". To a version request they reply with
>something like that too. I checked for open ports on my
>box and found 113 open. A few days ago I deleted a
>net-devil v.1.4 from my system. Not sure if that has
>anything to do with that. After installing a freeware
>firewall to see what it will do if I blocked its
>outgoing port and deleting it afterwards it just
>changed the outgoing port. As I am typing this a
>netstat -an reveals
>
>  TCP    0.0.0.0:1301           0.0.0.0:0              LISTENING
>  TCP    0.0.0.0:1705           0.0.0.0:0              LISTENING
>  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
>  TCP    127.0.0.1:1704         0.0.0.0:0              LISTENING
>  TCP    127.0.0.1:1704         127.0.0.1:1705         ESTABLISHED
>  TCP    127.0.0.1:1705         127.0.0.1:1704         ESTABLISHED
>  TCP    217.84.185.171:1301    65.185.135.125:6667    ESTABLISHED
>  UDP    127.0.0.1:1027         *:*
>
>
>I couldn't find a freeware tool to find out which
>process is using this specific IRC connection, nor did
>a scan with F-Prot or HouseCall or Panda reveal any
>viral or trojan activity.
>
>Any help or info would be really appreciated. Thanks in
>advance
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>
>

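The original poster had only a `netstat -an` listing and no way to tell which process owned the IRC connection. The following is an added example, not code from either poster: it parses a `netstat -an` listing and flags the two things worth chasing first in a listing like the one quoted above, an established connection from this host to an external IRC port and every TCP port listening on all interfaces. The sample input is the listing from the post, re-typed here as constructed input; the IRC port set, the function names and the flagging rules are this example's own assumptions, not anything stated in the thread.

```python
"""Flag likely IRC bot traffic in `netstat -an` output (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports on which IRC servers conventionally listen; a bot's control
# channel is very often an IRC channel on one of these (assumption).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

# Constructed input: the rows posted to the list, one socket per line.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:1301           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1705           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1704         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1704         127.0.0.1:1705         ESTABLISHED
  TCP    127.0.0.1:1705         127.0.0.1:1704         ESTABLISHED
  TCP    217.84.185.171:1301    65.185.135.125:6667    ESTABLISHED
  UDP    127.0.0.1:1027         *:*
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str  # empty for UDP, which has no state column


def _endpoint(text: str):
    """Split 'ip:port' into (ip, port); '*' means unspecified."""
    host, _, port = text.rpartition(":")
    return host, (None if port in ("*", "") else int(port))


def parse_netstat(text: str) -> List[Socket]:
    """Parse the rows of a `netstat -an` listing, ignoring header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # "Active Connections", column headers, blank lines
        lip, lport = _endpoint(parts[1])
        rip, rport = _endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        rows.append(Socket(parts[0], lip, lport, rip, rport, state))
    return rows


def _is_external(ip: str) -> bool:
    """True for a routable address (not loopback, unspecified, private or '*')."""
    if ip == "*":
        return False
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_unspecified or addr.is_private)


def flag_irc_connections(sockets: List[Socket]) -> List[Socket]:
    """Established TCP connections from this host to an external IRC port."""
    return [s for s in sockets
            if s.proto == "TCP" and s.state == "ESTABLISHED"
            and s.remote_port in IRC_PORTS and _is_external(s.remote_ip)]


def external_listeners(sockets: List[Socket]) -> List[int]:
    """TCP ports listening on all interfaces (0.0.0.0), sorted.

    Each of these should be accounted for by a known program; an
    unexplained one is where the poster's open port 113 would show up.
    """
    return sorted(s.local_port for s in sockets
                  if s.proto == "TCP" and s.state == "LISTENING"
                  and s.local_ip == "0.0.0.0")


def report(text: str) -> List[str]:
    """Human-readable findings for a listing; one line per finding."""
    sockets = parse_netstat(text)
    lines = []
    for s in flag_irc_connections(sockets):
        lines.append(f"IRC C2 candidate: local port {s.local_port} -> "
                     f"{s.remote_ip}:{s.remote_port} ({s.state})")
    for port in external_listeners(sockets):
        lines.append(f"listening on all interfaces: TCP/{port}")
    return lines


if __name__ == "__main__":
    for finding in report(NETSTAT_SAMPLE):
        print(finding)
```

Run against the posted listing it reports the 1301 -> 65.185.135.125:6667 connection and the two wildcard listeners (1301 and 1705). It does not answer the poster's actual question, which process owns the socket, because `netstat -an` simply does not carry that information; on Windows XP and later `netstat -ano` prints the owning PID alongside each row, and the parser above would only need to read one more column to join that in.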