Re: Trojan? DDOS Bot?

From: Dragos Ruiu (dr@kyx.net)
Date: 08/27/02 

From: Dragos Ruiu <dr@kyx.net>
To: <Janus@etoast.com>, incidents@securityfocus.com
Date: Tue, 27 Aug 2002 11:39:44 +0000

On August 27, 2002 08:22 am, Janus@etoast.com wrote:
> I recogniced some weird connections from my box (w98)
> to other computers. As soon as i connect to the
> internet a connection from local port 1026 to port 6667
> on 65.185.135.125 was established. I connected to that
> server and it is an irc server (MusIRC Internet Relay
> Chat Network). I found a bot using my adress with a
> random name made up of letters.

0wn4g3 details ommitted...

> I couldnt find a freeware tool to find out which
> process is using this specific irc connection, nor did
> a scan with f-prot or housecall or panda reveal any
> viral or trojan activity.
>
> Any help or info would be really appreciated. Thanks in
> advance
>

lsof will be your friend on unixes:-)
(LS Open Files)

For MS products as I assume you are using
from the MIRC usage, check out the excellent tools
the folks at www.sysinternals.com put out.
(My thanks to them if they are reading
for they are truly useful to me...)

There was another lsof like tool for windows
called "inzider" you might want to look at too...

cheers,
--dr 

-- 
dr@kyx.net   pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Relevant Pages