Musical irc bot backdoor?

From: Eric Appelboom (eric_at_mweb.com)
Date: 08/06/03

  • Next message: Lee Seidman: "Backdoor.Trojan and payload.dat"
    Date: Wed, 6 Aug 2003 18:08:45 +0200
    To: <incidents@securityfocus.com>
    
    

    Has anyone seen traffic from a new(?) IRC bot talking on TCP 2234...
    I have already found 2 hosts on our private network infected, both fully
    patched (besides IE).

    Try doing a tcpdump on TCP 2234 and see if anyone else is seeing this.

    It wasn't picked up by Trend OfficeScan, or WebManager (http), or
    MailMarshal.

    Seems like a p2p type of IRC botnet, where the bots always contact each other, all
    appearing to be IRC servers,
    but use band names for nicks, seemingly replicating the nicks to each
    other...

    Suspect it is rather new, but the number of infected hosts appears huge,
    as I saw one of our firewalls
    working quite hard dropping the packets.

    The only way I can see it propagating is via http (iexplorer vuln).

    Cheers
    Eric

    T x.x.x.146:2234 -> x.x.x.159:2452 [AP]
      1....1.......dr.zoooidberg+.......propellerheads
    .mpg.....1.......xtc2........franzine!....1.......abc47KZ......GTB
    Entropy'....1.......LazyWHC4.......E-Town Concrete.....1.
      ......joseluis100@............1.......lets jump now@.......minnie
    ripington.....1.......basil<.......C'est Pas Moi C'est Lui
    /....1.......solano2.8......stereophonics you go
      tta-....1.......precorain........ATE Sometihing
    Real.....1.......noortekas.............1.......ewor........chillout$....
    1.......zafetX.......Take My Heart D....1.......sNoei
      pOes....*...earth & fire song of the marching
    children-....1.......nsrnicekq-......kelly ignition
    remix$....1.......upiau........cavalo
    marinho5....1.......Intransit=.......
      queens of the stone age csr!....1.......franek.+......bill&
    tony0....1.......Conspiracy8........army of the
    pharaohs"....1.......jonessskjhda........edyta1....1.......Skoorp
      as........Superchumbo This Beat Is"....1.......kadotch#.......ABC
    sports,....1.......jp_steed........DAVID BOWIE
    REALITY&....1.......Muchacha&.......cesaria evora!....1.....
      ..mdr shay........no doubt@....1.......tergopaul....&...contemporary
    punk unit can you compute*....1.......all-vox-man........johnny
    kontrol4....1.......Crag 1985b.......it'
      s a beautiful day today'....1.......chuckonpointG.......kinks
    lola-....1.......badest.s......louie austen easy
    love+....1.......fabrizio.dp`.......do

    T x.x.217.31:2234 -> x.x.164:2006 [AR]
      Go away, we're not home

    T x.x.x.164:1983 -> x.x.x.131:2240 [AP]
      .........4......someoneoutthere

     (....1.......jjaazzzz.$......ivy -
    realistic1....1.......MiguelPL........STAWKA WI.KSZA NI.
    .YCIE.....1.......djsunyC.......geylang'....1.......Linute?.......Marcia
    Griffith
      s.....1.......locke1978........mana ....1.......Zoiding.e......u
    reckon2....1.......xiaolingS.......Another Day Another
    Drone2....1.......DaNi23........amistad - chill out a
      mbient*....1.......Mike Stone........city-Am
    fenster$....1.......irq506........basic
    channel1....1.......jim_jam........terry riley you're
    nogood.....1.......awalid7.......d
      sny.....1.......loroboro4.......Moloko)....1.......velox.
    ......Afro-Indian Project'....1.......Garglebee%E......big joe
    krash3....1.......teotetoereC.......psichic warriors
       of gaia,....1.......drpillx.......pavement slow
    century%....1.......Gorabilbo........epica
    ghost9....1.......svidurr....!...zecharia sitchin earth
    chronicles'....1.......Q-
      Ok".......se.monto.la.gorda.%....1.......no_joel3.......susana
    spears$....1.......djsfd........belle
    lawrence!....1.......aquagak4.......Phonecia .....1.......couture.......
      .ms0....1.......ghitaar........amazing flying
    orchestra)....1.......Grave-Architect;.......supernova$....1.......regre
    gregw.......noir desir.....1.......BelzebubeNRW*.......
      .....1.......squowse........'....1.......mgriggs7`.......radiohead
    live.....1.......zyph........jim st.rk'....1.......monkey
    magic........jeff mills/
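The post asks readers to run tcpdump on TCP 2234 and describes two observable traits: every infected host talks to many peers on that port, and the payloads carry nick strings separated by non-printable bytes. The script below is an added illustration of how a defender could triage that, not code from the post or from the list. It parses tcpdump-style text lines (a constructed sample; the addresses and timestamps are made up), counts distinct port-2234 peers per host to surface the fan-out the poster saw at the firewall, and pulls printable runs out of a constructed payload modelled on the dump above. The threshold of 3 peers is an assumption chosen for the sample, not a value from the post.

```python
"""Triage helpers for the TCP 2234 bot traffic described in the post."""
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not from the post); documentation-range addresses.
SAMPLE_LOG = """\
18:08:45.001 IP 10.1.1.146.2234 > 10.1.1.159.2452: Flags [P.], length 512
18:08:45.120 IP 10.1.1.146.2234 > 10.1.1.160.1034: Flags [P.], length 510
18:08:45.300 IP 10.1.1.146.2234 > 10.1.1.161.1040: Flags [P.], length 498
18:08:45.400 IP 10.1.1.146.2234 > 192.0.2.17.3301: Flags [P.], length 520
18:08:45.500 IP 10.1.1.164.1983 > 10.1.1.131.2240: Flags [P.], length 40
18:08:46.000 IP 10.1.1.200.51512 > 10.1.1.5.80: Flags [P.], length 300
18:08:46.100 IP 10.1.1.164.2234 > 10.1.1.146.2452: Flags [P.], length 480
"""

# Constructed payload modelled on the post's dump: a byte 0x01, a run of NULs,
# a nick, another run of NULs, then a band-name string.
SAMPLE_PAYLOAD = (
    b"\x01" + b"\x00" * 7 + b"dr.zoooidberg" + b"\x00" * 8 + b"propellerheads"
    + b"\x00" * 5 + b"\x01" + b"\x00" * 7 + b"xtc2" + b"\x00" * 8 + b"franzine"
)

# Matches the "IP src.sport > dst.dport:" part of a tcpdump line.
FLOW_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_flows(text):
    """Yield (src, sport, dst, dport) tuples from tcpdump-style text."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def peer_fanout(text, port=2234):
    """Map each host to the set of peers it exchanged traffic with on `port`.

    Both endpoints of a matching flow are credited, because the post says every
    infected host looks like a server and contacts the others directly.
    """
    peers = defaultdict(set)
    for src, sport, dst, dport in parse_flows(text):
        if port in (sport, dport):
            peers[src].add(dst)
            peers[dst].add(src)
    return peers


def flag_hosts(text, port=2234, min_peers=3):
    """Return hosts that talked to at least `min_peers` distinct peers on `port`.

    A single host fanning out to many peers on an unusual port is the pattern
    worth pulling into an investigation; the threshold is an assumption.
    """
    return sorted(h for h, p in peer_fanout(text, port).items() if len(p) >= min_peers)


def printable_runs(payload, min_len=4):
    """Return runs of printable ASCII of at least `min_len` bytes from a payload.

    The bot's messages in the post show nicks and band names separated by
    non-printable bytes, so the printable runs are the strings worth logging.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, payload)]


if __name__ == "__main__":
    for host, peers in sorted(peer_fanout(SAMPLE_LOG).items()):
        print(f"{host}: {len(peers)} peer(s) on tcp/2234")
    print("flagged:", flag_hosts(SAMPLE_LOG))
    print("strings:", printable_runs(SAMPLE_PAYLOAD))
```

In practice you would feed `parse_flows` the output of `tcpdump -nn tcp port 2234` and lower or raise `min_peers` to match the size of the segment; the string extraction is only a quick look, since the real framing of the bot's messages is not known from the post.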
