Re: IRC bot?

From: Nicolas Gregoire (ngregoire_at_exaprobe.com)
Date: 09/16/03

  • Next message: morning_wood: "Re: NAT.EXE Exceptions"
    To: pen-test@securityfocus.com
    Date: 16 Sep 2003 09:21:47 +0200
    
    

    On Tue, 2003-09-16 at 05:33, Bryan Miller wrote:
    > During a pen test yesterday I came across TCP port 6501. Upon
    > connecting to it via Netcat, I received the following screen:
    >
    > 220-W4A BotServ 2.0
    > 220-==============================================
    > 220-You are Connecting From x.x.x.x
    > [...]
    > 220-Total Kb downloaded: 0 Kb
    > 220-Total Kb uploaded: 0 Kb
    > 220-Amout of Files downloaded: 0
    > [..]
    >
    > Has anyone seen this before? Am I correct in assuming it's some form
    > of IRC bot? If so, how do I talk to it to verify? Does it have some
    > interesting uses?

    It's a "stro". This is also known as a "private warez server".

    I sometimes found them on some big-bandwidth compromised boxes. Warn your
    customer and try to take a closer look at this box. Beware of Win32
    rootkits; they could hide processes and network connections from "local"
    tools (netstat, ...) and are often used on stros.

    Regards,

    -- 
    Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
    ngregoire@exaprobe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
    PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
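
The rootkit warning above suggests a cross-view check: compare the TCP ports that answer from the network with what the host's own netstat reports. The following is an added example, not part of the original message; the netstat output, addresses and scan result are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: `netstat -an` output captured on the suspect Windows host.
# Port 6501 is absent, as it would be if a rootkit filtered it from local tools.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Constructed sample: TCP ports that answered a connect scan from another machine.
REMOTE_OPEN_TCP = {135, 139, 445, 6501}

# Matches only TCP rows in LISTENING state; the port is the text after the last colon.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)


def local_listeners(netstat_text):
    """Return the set of TCP ports netstat reports in LISTENING state."""
    return {int(port) for _addr, port in LISTEN_RE.findall(netstat_text)}


def cross_view(remote_open, netstat_text):
    """Compare the network view with the host's own view.

    hidden:   open from the network but missing locally (investigate first).
    filtered: listening locally but not reachable remotely (usually a
              firewall or a loopback-only bind, listed for completeness).
    """
    local = local_listeners(netstat_text)
    return {"hidden": sorted(remote_open - local),
            "filtered": sorted(local - remote_open)}


if __name__ == "__main__":
    result = cross_view(REMOTE_OPEN_TCP, NETSTAT_SAMPLE)
    for port in result["hidden"]:
        print(f"TCP {port}: reachable remotely, not shown by local netstat")
    for port in result["filtered"]:
        print(f"TCP {port}: listed locally, not reachable remotely")
```

A port in `hidden` can also come from a device in front of the host answering on its behalf, so confirm with a packet capture taken on the wire next to the box.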