Bugtraq mailing list archives
Re: Internet Wide DOS Attack using IRC
From: root () LOCKDOWN NET (Kameron Gasso)
Date: Fri, 2 Oct 1998 15:55:18 +0000
This might be an unreleased Back Orifice plugin from an internet user who dislikes GeoCities (only speculation). Odds are, it was distributed widely over IRC in a Warez package or something similar.
The complete content of the 5845 directory was: nfo.zip, nfo.jpg, servers.zip, servers.jpg, users.zip and users.jpg. When I looked at the binary files by doing a cat, the users jpg & zip files were the same, but the other files were all unique.
From the names of those files, I'd guess that's a warez pup's account.
Then again, who knows.
We did find an entry in his registry with the following setting:

/microsoft/windowsexplorer/doc/find/spec/mru
a) " "
b) 5845
c) nfo
d) bo
e) nfo.zip
f) winrar
g) msvbvm60.dll
h) loadwc
i) stargate
j) area51
mrulist) eadcbjihgf
What's the full name of that registry key? The file msvbvm60.dll looks like a Visual BASIC runtime library, possibly a Back Orifice plugin of some sort.
I also asked our ISP to help track some of this and this was their result. "All the IP's I've scanned so far from the log have several UDP ports open in the 31337 range (what Back Orifice uses)."
This is also why I think it may be a BO plugin. Unfortunately, these users have no idea they're helping attack a server, and probably wouldn't suspect a thing.
So, we really need to find the source instead of asking everyone to reinstall their OS. It might also be necessary to inform the various virus-detection software vendors to try to eradicate this from all of the machines that currently have it installed.
If it's Back Orifice, some virus scanners will already pick it up. This still doesn't solve the problem of the plugin, which can be stored in any file type, text, dll, or binary. If you do find what it is, please let me know, as I myself am curious. Thank you.

Sincerely,
Kameron Gasso

Direct legitimate replies to krg () lockdown net - Flames, spams, etc. will be handled by the little green monster named /dev/null I keep locked away in my dungeon.
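The MRU key quoted in the message above carries more information than the bare list of strings: the MRUList value gives the slot letters in most-recently-used order, so "eadcbjihgf" says nfo.zip was the latest Find search, followed by " ", bo, nfo, 5845 and so on. The following Python is an added example, not code from the original post or from any tool it mentions. It parses a constructed .reg-style export of that key (the key path in the sample is a placeholder; the value names, strings and MRUList are the ones the poster listed) and returns the searches in MRU order, flagging any slot that MRUList no longer references as stale.

```python
import re

# Constructed .reg-style export of the Find MRU key quoted in the message.
# The bracketed key path is a placeholder, not the real key name; the
# value names, strings and MRUList are exactly as the poster listed them.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\placeholder\find\spec\mru]
"a"=" "
"b"="5845"
"c"="nfo"
"d"="bo"
"e"="nfo.zip"
"f"="winrar"
"g"="msvbvm60.dll"
"h"="loadwc"
"i"="stargate"
"j"="area51"
"MRUList"="eadcbjihgf"
'''

# Matches a REG_SZ line of a .reg export: "name"="string"
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_strings(text):
    """Parse the "name"="string" lines of a .reg export into a dict.

    Only plain REG_SZ values are handled; hex(...) binary values and
    lines that do not fit the pattern are skipped, and no unescaping of
    backslashes is attempted (none of the quoted values need it).
    """
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values


def mru_order(values):
    """Return (ranked, stale) for an MRU key.

    ranked: (slot, string) pairs most-recent-first, following the slot
            letters in the MRUList value (Windows keeps that string with
            the most recently used slot first).
    stale:  slots present in the key but no longer named in MRUList;
            they still hold old search strings worth looking at.
    A slot named in MRUList but missing from the key raises ValueError,
    since that usually means the export is incomplete.
    """
    order = values.get("MRUList", "")
    slots = {k: v for k, v in values.items() if k != "MRUList"}
    ranked = []
    for letter in order:
        if letter not in slots:
            raise ValueError("MRUList references missing slot %r" % letter)
        ranked.append((letter, slots[letter]))
    stale = sorted((k, v) for k, v in slots.items() if k not in order)
    return ranked, stale


if __name__ == "__main__":
    ranked, stale = mru_order(parse_reg_strings(SAMPLE_REG))
    for rank, (slot, term) in enumerate(ranked, 1):
        print("%2d  %s  %r" % (rank, slot, term))
    for slot, term in stale:
        print("stale  %s  %r" % (slot, term))
```

On the values quoted in the message this yields nfo.zip, " ", bo, nfo, 5845, area51, stargate, loadwc, msvbvm60.dll, winrar, most recent first; the same two functions work on any Explorer MRU key that uses a letter-per-slot MRUList.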
Current thread:
- IE4 Custom Folder Marc (Oct 01)
- Re: IE4 Custom Folder listuser () MAIL SEIFRIED ORG (Oct 01)
- Re: IE4 Custom Folder David LeBlanc (Oct 02)
- Several potential security problems in IBM/Tivoli OPC Tracker Age Klaus.Kusche () OOE GV AT (Oct 02)
- Announcements from The Palace (fwd) Mike Holling (Oct 02)
- Re: IE4 Custom Folder Christopher K Davis (Oct 02)
- Internet Wide DOS Attack using IRC dbarba (Oct 02)
- Re: Internet Wide DOS Attack using IRC Kameron Gasso (Oct 02)
- Re: Internet Wide DOS Attack using IRC [deicide] (Oct 02)
- Re: Internet Wide DOS Attack using IRC Bencsath Boldizsar (Oct 02)
- Re: IE4 Custom Folder listuser () MAIL SEIFRIED ORG (Oct 01)
- CERT: IN-98.04 Darren Reed (Oct 01)