Re: Trojan? DDOS Bot?
From: Michael J McCafferty (mike@m5computersecurity.com)
Date: 08/27/02
- Previous message: Dragos Ruiu: "Re: Trojan? DDOS Bot?"
- In reply to: Janus@etoast.com: "Trojan? DDOS Bot?"
- Next in thread: YAO,TONY (HP-NewZealand,ex1): "RE: Trojan? DDOS Bot?"
Date: Tue, 27 Aug 2002 11:31:31 -0700
To: <Janus@etoast.com>, incidents@securityfocus.com
From: Michael J McCafferty <mike@m5computersecurity.com>
Janus,
To find the process on your windows box, try using "fport", available at
Foundstone's web site. It is similar to "lsof" for *nix boxes.
http://www.foundstone.com/knowledge/proddesc/fport.html
Once you find it, you should try to identify it and look it up to remove
any other files associated with the infection.
Good Luck,
Mike
At 08:22 AM 8/27/2002 +0000, Janus@etoast.com wrote:
>I recognized some weird connections from my box (w98)
>to other computers. As soon as I connect to the
>internet a connection from local port 1026 to port 6667
>on 65.185.135.125 was established. I connected to that
>server and it is an irc server (MusIRC Internet Relay
>Chat Network). I found a bot using my address with a
>random name made up of letters. The server
>administrator told me that he has recognized these bots
>coming from many different hosts for quite some time
>now. They all try to join a channel named #nutz on that
>server. He has seen people giving commands to those
>bots so he closed down the channel. They give a msg
>after being kicked: "*** you <name of the person that has
>kicked them>". To a version request they reply with
>something like that too. I checked for open ports on my
>box and found 113 open. A few days ago I deleted a
>net-devil v.1.4 from my system. Not sure if that has
>anything to do with that. After installing a freeware
>firewall to see what it will do if I blocked its
>outgoing port and deleting it afterwards, it just
>changed the outgoing port. As I am typing this a
>netstat -an reveals
>
>TCP 0.0.0.0:1301 0.0.0.0:0 LISTENING
>TCP 0.0.0.0:1705 0.0.0.0:0 LISTENING
>TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
>TCP 127.0.0.1:1704 0.0.0.0:0 LISTENING
>TCP 127.0.0.1:1704 127.0.0.1:1705 ESTABLISHED
>TCP 127.0.0.1:1705 127.0.0.1:1704 ESTABLISHED
>TCP 217.84.185.171:1301 65.185.135.125:6667 ESTABLISHED
>UDP 127.0.0.1:1027 *:*
>
>
>I couldn't find a freeware tool to find out which
>process is using this specific irc connection, nor did
>a scan with f-prot or housecall or panda reveal any
>viral or trojan activity.
>
>Any help or info would be really appreciated. Thanks in
>advance
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
**************************************************
Michael J. McCafferty
M5 Computer Security
858-576-7325 Voice
PGP Key ID: 0x2206347F
http://www.m5computersecurity.com
**************************************************
--- "If you build it, they will hack !" ---
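As an added example (not part of either message), the following Python script parses the netstat -an dump quoted above and applies the triage Mike describes from the defender's side: flag established connections to external hosts on IRC ports, list the listening ports to map to processes with fport, and spot mirrored loopback connections such as the 1704/1705 pair. The sample input is the netstat output from Janus's message; the IRC port list is an assumption.

```python
import ipaddress
import re
from collections import namedtuple

# netstat -an lines copied from Janus's message (the quoted dump above).
SAMPLE = """
TCP 0.0.0.0:1301 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1705 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1704 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1704 127.0.0.1:1705 ESTABLISHED
TCP 127.0.0.1:1705 127.0.0.1:1704 ESTABLISHED
TCP 217.84.185.171:1301 65.185.135.125:6667 ESTABLISHED
UDP 127.0.0.1:1027 *:*
"""

# Assumption: ports to treat as IRC; 6667 is the one seen in the thread.
IRC_PORTS = set(range(6660, 6670)) | {7000}
# 'state' is empty for UDP, which netstat prints without one.
Socket = namedtuple("Socket", "proto local_ip local_port remote_ip remote_port state")
# Windows format: PROTO local:port foreign:port [STATE]; '*' stands for any.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Parse netstat -an output into Socket tuples, skipping headers and blanks."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            out.append(Socket(proto, lip, int(lport) if lport != "*" else 0,
                              rip, int(rport) if rport != "*" else 0, state or ""))
    return out

def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_unspecified)

def triage(sockets):
    """Return (IRC connections to external hosts, listening ports, mirrored loopback pairs)."""
    irc = [s for s in sockets if s.state == "ESTABLISHED"
           and s.remote_port in IRC_PORTS and _is_external(s.remote_ip)]
    listeners = sorted({s.local_port for s in sockets if s.state == "LISTENING"})
    # Two ESTABLISHED loopback sockets mirroring each other: a local component talking
    # to itself; both ends should be mapped to a process with fport.
    loop = {(s.local_port, s.remote_port) for s in sockets if s.state == "ESTABLISHED"
            and s.local_ip == "127.0.0.1" and s.remote_ip == "127.0.0.1"}
    pairs = sorted({tuple(sorted(p)) for p in loop if (p[1], p[0]) in loop})
    return irc, listeners, pairs
```

On the sample dump, triage() reports one IRC connection (local port 1301 to 65.185.135.125:6667), four listening ports and the 1704/1705 loopback pair.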