Re: Trojan? DDOS Bot?

From: Will Tell (nosphie@rootshell.be)
Date: 08/27/02


Date: 27 Aug 2002 19:31:19 -0000
From: Will Tell <nosphie@rootshell.be>
To: incidents@securityfocus.com


In-Reply-To: <20020827082232.885.qmail@mail.securityfocus.com>

Hey,
seems like hacking boxes and leaving bots there is a new
sport.
http://www.honeynet.ch/reports/openbsd.php
Here are some hackers talking about their bot on all the
hacked boxes (the long IRC dialog).
This is on OpenBSD but I think the same happens on Windows.
They break in and install a bot and a rootkit... so do
not trust your box. It seems compromised.

Will Tell

>From: <Janus@etoast.com>
>To: incidents@securityfocus.com
>Subject: Trojan? DDOS Bot?
>
>
>
>I recognized some weird connections from my box (w98)
>to other computers. As soon as I connect to the
>internet a connection from local port 1026 to port 6667
>on 65.185.135.125 was established. I connected to that
>server and it is an IRC server (MusIRC Internet Relay
>Chat Network). I found a bot using my address with a
>random name made up of letters. The server
>administrator told me that he has recognized these bots
>coming from many different hosts for quite some time
>now. They all try to join a channel named #nutz on that
>server. He has seen people giving commands to those
>bots so he closed down the channel. They give a msg
>after being kicked: "Fuck you <name of the person that has
>kicked them>". To a version request they reply with
>something like that too. I checked for open ports on my
>box and found 113 open. A few days ago I deleted a
>net-devil v.1.4 from my system. Not sure if that has
>anything to do with that. After installing a freeware
>firewall to see what it would do if I blocked its
>outgoing port and deleting it afterwards, it just
>changed the outgoing port. As I am typing this a
>netstat -an reveals
>
>TCP    0.0.0.0:1301           0.0.0.0:0              LISTENING
>TCP    0.0.0.0:1705           0.0.0.0:0              LISTENING
>TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
>TCP    127.0.0.1:1704         0.0.0.0:0              LISTENING
>TCP    127.0.0.1:1704         127.0.0.1:1705         ESTABLISHED
>TCP    127.0.0.1:1705         127.0.0.1:1704         ESTABLISHED
>TCP    217.84.185.171:1301    65.185.135.125:6667    ESTABLISHED
>UDP    127.0.0.1:1027         *:*
>
>
>I couldn't find a freeware tool to find out which
>process is using this specific IRC connection, nor did
>a scan with f-prot or housecall or panda reveal any
>viral or trojan activity.
>
>Any help or info would be really appreciated. Thanks in
>advance
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
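As an added example (not code from the thread or either poster), the following Python script parses netstat -an output of the shape quoted above and flags established sessions whose remote end is an IRC port, plus sockets listening on all interfaces. It keys on the remote port because, as the original poster observed, the bot simply moved its local port once a firewall blocked it while the server side stayed on 6667. The sample output is constructed from the lines in the post, and the set of IRC ports (6660-6669, 7000) is an assumption.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the netstat -an output quoted in the thread
# (Windows 98 columns: Proto, Local Address, Foreign Address, State).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1301           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1705           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1704         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1704         127.0.0.1:1705         ESTABLISHED
  TCP    127.0.0.1:1705         127.0.0.1:1704         ESTABLISHED
  TCP    217.84.185.171:1301    65.185.135.125:6667    ESTABLISHED
  UDP    127.0.0.1:1027         *:*
"""

IRC_PORTS = set(range(6660, 6670)) | {7000}   # assumed set; 6667 is the port in the thread

Conn = namedtuple("Conn", "proto laddr lport faddr fport state")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

def parse_netstat(text):
    """Turn netstat -an lines into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(*m.groups()))
    return conns

def suspicious_irc(conns):
    """Established TCP sessions whose remote port is an IRC port. The remote
    port is the stable signal: the bot in the thread moved its local port
    (1026 -> 1301) when the firewall blocked it, but the server stayed on 6667."""
    return [c for c in conns if c.proto == "TCP" and c.state == "ESTABLISHED"
            and c.fport != "*" and int(c.fport) in IRC_PORTS]

def external_listeners(conns):
    """Sockets bound to every interface (0.0.0.0) and thus reachable from the network."""
    return [c for c in conns if c.laddr == "0.0.0.0" and c.state == "LISTENING"]

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in suspicious_irc(conns):
        print(f"IRC session: {c.laddr}:{c.lport} -> {c.faddr}:{c.fport}")
    for c in external_listeners(conns):
        print(f"Listening on all interfaces: TCP port {c.lport}")
```

Mapping a flagged socket back to its owning process is a separate step that netstat on Windows 98 did not offer; on a box where a rootkit is suspected, the output of any local tool is itself untrustworthy, which is why the reply above advises not trusting the machine at all.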


