Musical irc bot backdoor?

From: Eric Appelboom (eric_at_mweb.com)
Date: 08/06/03

Next message: Lee Seidman: "Backdoor.Trojan and payload.dat"

Previous message: kevingeo_at_gmx.de: "Re: WORM_MIMAIL.A Anyone have any info on what this does yet?"
Next in thread: David Vincent: "RE: Musical irc bot backdoor?"
Maybe reply: David Vincent: "RE: Musical irc bot backdoor?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 6 Aug 2003 18:08:45 +0200
To: <incidents@securityfocus.com>

Has anyone seen traffic of a new? irc bot talking on tcp 2234...
I have already found 2 hosts on our private network infected, both fully
patched(besides IE)

Try do a tcpdump on tcp 2234 and see if anyone else is seeo=ing this.

It wasnt picked up buy trend officescan, or webmanger(http) or
mailmarshall.

Seems like a p2p type of irc botnet who always contact each other, all
appearing to be irc servers,
but use band names for nicks seemingly replicating the nicks to each
other...

Suspect it is rather new but the number of infected hosts appears huge
as I saw one of our firewalls
Working quite hard dropping the packets.

The only way I can see it propergating is via http (iexplorer vuln)

Cheers
Eric

T x.x.x.146:2234 -> x.x.x.159:2452 [AP]
  1....1.......dr.zoooidberg+.......propellerheads
.mpg.....1.......xtc2........franzine!....1.......abc47KZ......GTB
Entropy'....1.......LazyWHC4.......E-Town Concrete.....1.
  ......joseluis100@............1.......lets jump now@.......minnie
ripington.....1.......basil<.......C'est Pas Moi C'est Lui
/....1.......solano2.8......stereophonics you go
  tta-....1.......precorain........ATE Sometihing
Real.....1.......noortekas.............1.......ewor........chillout$....
1.......zafetX.......Take My Heart D....1.......sNoei
  pOes....*...earth & fire song of the marching
children-....1.......nsrnicekq-......kelly ignition
remix$....1.......upiau........cavalo
marinho5....1.......Intransit=.......
  queens of the stone age csr!....1.......franek.+......bill&
tony0....1.......Conspiracy8........army of the
pharaohs"....1.......jonessskjhda........edyta1....1.......Skoorp
  as........Superchumbo This Beat Is"....1.......kadotch#.......ABC
sports,....1.......jp_steed........DAVID BOWIE
REALITY&....1.......Muchacha&.......cesaria evora!....1.....
  ..mdr shay........no doubt@....1.......tergopaul....&...contemporary
punk unit can you compute*....1.......all-vox-man........johnny
kontrol4....1.......Crag 1985b.......it'
  s a beautiful day today'....1.......chuckonpointG.......kinks
lola-....1.......badest.s......louie austen easy
love+....1.......fabrizio.dp`.......do

T x.x.217.31:2234 -> x.x.164:2006 [AR]
Go away, we're not home

T x.x.x.164:1983 -> x.x.x.131:2240 [AP]
.........4......someoneoutthere

(....1.......jjaazzzz.$......ivy -
realistic1....1.......MiguelPL........STAWKA WI.KSZA NI.
.YCIE.....1.......djsunyC.......geylang'....1.......Linute?.......Marcia
Griffith
  s.....1.......locke1978........mana ....1.......Zoiding.e......u
reckon2....1.......xiaolingS.......Another Day Another
Drone2....1.......DaNi23........amistad - chill out a
  mbient*....1.......Mike Stone........city-Am
fenster$....1.......irq506........basic
channel1....1.......jim_jam........terry riley you're
nogood.....1.......awalid7.......d
  sny.....1.......loroboro4.......Moloko)....1.......velox.
......Afro-Indian Project'....1.......Garglebee%E......big joe
krash3....1.......teotetoereC.......psichic warriors
   of gaia,....1.......drpillx.......pavement slow
century%....1.......Gorabilbo........epica
ghost9....1.......svidurr....!...zecharia sitchin earth
chronicles'....1.......Q-
  Ok".......se.monto.la.gorda.%....1.......no_joel3.......susana
spears$....1.......djsfd........belle
lawrence!....1.......aquagak4.......Phonecia .....1.......couture.......
  .ms0....1.......ghitaar........amazing flying
orchestra)....1.......Grave-Architect;.......supernova$....1.......regre
gregw.......noir desir.....1.......BelzebubeNRW*.......
  .....1.......squowse........'....1.......mgriggs7`.......radiohead
live.....1.......zyph........jim st.rk'....1.......monkey
magic........jeff mills/

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Lee Seidman: "Backdoor.Trojan and payload.dat"

Previous message: kevingeo_at_gmx.de: "Re: WORM_MIMAIL.A Anyone have any info on what this does yet?"
Next in thread: David Vincent: "RE: Musical irc bot backdoor?"
Maybe reply: David Vincent: "RE: Musical irc bot backdoor?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Fwd: Possible DDOS network being built through ssh1 crc compromised hosts
... folks have been affected by this attack. ... When I found this particular irc net ... there were over 120 hosts all communicating via IRC. ... Hope this helps other folks who will or have already encountered this ...
(Bugtraq)
Re: [Full-Disclosure] Scan for IRC
... from what i know normally irc runs on tcp 6667 ... assides of that irc can be on any port, so id try to rather block the central ...
(Full-Disclosure)
(no subject)
... What is the minimum set of ports required to use irc? ... On attempting to connect to irc, various of my firewall rules get triggered, including TCP to 113, 6666, and a host of others. ...
(comp.security.firewalls)