Bugtraq mailing list archives

Internet Wide DOS Attack using IRC


From: dbarba () GEOCITIES COM (dbarba)
Date: Fri, 2 Oct 1998 14:38:04 -0700


   Please forward this on to the appropriate people if necessary.

   GeoCities is currently experiencing a DOS attack that appears to be
   spread by a trojan horse in a mIRC script.

   GeoCities is receiving thousands of HTTP requests from thousands of
   unique computers daily for a file that no longer exists on our servers.
   The specific count for one minute on Friday, September 25 at 10:17 am
   was 3,522 hits, 1,492 of them from unique IPs.  For the time period of
   3 am to 10:17 am on 9/25 we had 3,562 unique IPs request this one file.
   It does not appear to be specifically requested by the user of that
   computer.  This request uses no browser and is usually requesting the
   file every 30 seconds while the user is connected to the Internet.  The
   requests are coming from around the world and have been slowly building
   up since at least August 18, 1998 (the farthest back our access logs go).

   The attack is requesting a file from our site:

     http://www.geocities.com/Area51/Stargate/5845/nfo.zip

   The complete content of the 5845 directory was:  nfo.zip, nfo.jpg,
   servers.zip, servers.jpg, users.zip and users.jpg.  When I looked at the
   binary files by doing a cat, the users jpg & zip files were the same,
   but the other files were all unique.

   It does not use a browser or store cookies.  At the moment, the file
   being requested is of zero size.  When there is a file of some size
   (originally it was 8k, and I later inserted a short note to contact me
   regarding the attack into the nfo.zip file), the attack becomes much
   worse on the Windows machines that are requesting the file.

   Also, an odd note: there are a couple of machines that are requesting
   the file named nfo.jpg.  Those are requested every minute instead of
   every 30 seconds.

   I have contacted a user that complained about GeoCities attacking him.
   In reality, his computer was asking for the nfo.zip file from us every
   30 seconds, and that was flooding his connection to the internet.  I
   have worked with him closely since he found the problem.  He only uses
   IRC.  In fact, the first time he visited our website was after the
   attack started, when he was looking for a contact name and number.  He
   does not surf the internet.  He has subsequently reinstalled his OS and
   that has completely stopped the attack.

   We did find an entry in his registry with the following setting:

   /microsoft/windowsexplorer/doc/find/spec/mru
   a) " "
   b) 5845
   c) nfo
   d) bo
   e) nfo.zip
   f) winrar
   g) msvbvm60.dll
   h) loadwc
   i) stargate
   j) area51
   mrulist) eadcbjihgf

   When the user deleted the registry entry, the attack from his machine
   went from 1 GET every 30 seconds to 1 GET every second.  After about 10
   minutes, it started slowing up and finally settled into about 1 GET
   every 17-20 seconds.

   I also asked our ISP to help track some of this and this was their
   result:  "All the IPs I've scanned so far from the log have several UDP
   ports open in the 31337 range (what Back Orifice uses)."

   So, we really need to find the source instead of asking everyone to
   reinstall their OS.  It might also be necessary to inform the various
   virus-detection software vendors to try to eradicate this from all of
   the machines that currently have it installed.

   Thank you for your help,

   Debbie Barba
   SysAdmin
   dbarba () geocities com
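As an added illustration (not part of the original post), the script below applies the indicators Debbie describes to web server access logs: it counts unique client addresses per minute for the nfo.zip path and flags hosts that fetch it with no browser User-Agent on a fixed 30-second cadence. The NCSA combined log format and the sample lines (placeholder 10.0.0.x addresses) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
TARGET = "/Area51/Stargate/5845/nfo.zip"  # the path the post reports being hammered
# Constructed sample in NCSA combined format (an assumption); addresses are placeholders.
SAMPLE_LOG = """\
10.0.0.1 - - [25/Sep/1998:10:17:00 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.1 - - [25/Sep/1998:10:17:30 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.1 - - [25/Sep/1998:10:18:00 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.2 - - [25/Sep/1998:10:17:05 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.2 - - [25/Sep/1998:10:17:35 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.3 - - [25/Sep/1998:10:17:10 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "Mozilla/4.0"
10.0.0.4 - - [25/Sep/1998:10:17:12 -0700] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Parse combined-format lines into dicts (ip, ts, path, ua); skip lines that do not match."""
    entries = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(d)
    return entries

def unique_ips_per_minute(entries, path=TARGET):
    """Distinct client addresses requesting `path` in each minute (the post's 1,492-per-minute figure)."""
    buckets = defaultdict(set)
    for e in entries:
        if e["path"] == path:
            buckets[e["ts"].strftime("%Y-%m-%d %H:%M")].add(e["ip"])
    return {minute: len(ips) for minute, ips in buckets.items()}

def find_periodic_clients(entries, path=TARGET, period=30, tolerance=5, min_hits=3):
    """{ip: mean gap in seconds} for clients that send no User-Agent and whose consecutive
    requests for `path` are all within `tolerance` s of `period`: a fixed cadence, not browsing."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["path"] == path and e["ua"] in ("", "-"):
            per_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= max(min_hits, 2) and all(abs(g - period) <= tolerance for g in gaps):
            hits[ip] = sum(gaps) / len(gaps)  # e.g. 30.0 for a host polling every 30 s
    return hits
```

Hosts returned by find_periodic_clients are the ones worth contacting or blocking at the edge; a real log would be read from a file instead of SAMPLE_LOG.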
