Security Incidents mailing list archives
IRC bot floods...
From: "PARKIN, MICHAEL M (PBI)" <mparkin () PBI NET>
Date: Thu, 10 Aug 2000 16:13:59 -0500
Morning, folks,

I administer a server on a small IRC network (11 servers, US, Australia, Europe) that is currently undergoing a flood of connections from what appear to be compromised Windows boxes. At the moment, they are not doing anything destructive, but I wonder if anyone else has encountered this recently.

The hosts are all Windows based, either NT or 9x. Cursory scans show open shares on a few (very few) and the open ports, when we find open ports, don't match any of the Trojans our admins or opers are familiar with, i.e. Sub7, BO, Hack'A'Tack, Netbus, etc. The connections all appear to be coming from legitimate hosts, none found so far are proxies. At least as far as we can tell.

The userid is always random, containing alphabetic characters only. All lower case, no numerics or non-alpha characters. IRC Nick = userid in all cases. They do not appear to be altering their userid and reconnecting when we punt them off, and they're not connecting rapidly enough to cause any real threat to our Net.

If anyone knows of a new Trojan with this capability, I'd appreciate some input. There are literally hundreds of these things connecting, and the 'paranoid' in me says they're the first stage of a DDoS against our net.

Thanks,

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108
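The connection pattern described in the message above (nick equal to userid, lowercase letters only, many distinct hosts), expressed as a check over server connection records. This is an added example, not part of the original post; the log line format, host names, window size and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in an assumed "timestamp CONNECT nick!ident@host"
# format; adapt LINE_RE to whatever your IRC server actually logs.
SAMPLE_LOG = """\
2000-08-10T16:01:02 CONNECT qwkzjt!qwkzjt@host1.example.net
2000-08-10T16:01:40 CONNECT Mike_P!~mparkin@staff.example.org
2000-08-10T16:02:15 CONNECT bxrmpl!bxrmpl@host2.example.com
2000-08-10T16:03:09 CONNECT hvdnqy!~hvdnqy@host3.example.net
2000-08-10T16:04:51 CONNECT guest42!guest@dialup.example.org
2000-08-10T16:31:00 CONNECT anna!anna@home.example.org
"""

LINE_RE = re.compile(r"^(\S+) CONNECT ([^!\s]+)!([^@\s]+)@(\S+)$")
LOWER_ALPHA = re.compile(r"[a-z]+")

def matches_pattern(nick, ident):
    """Nick equals userid and consists of lowercase a-z only (traits from the post)."""
    ident = ident.lstrip("~")  # servers prefix "~" when the ident lookup fails
    return nick == ident and LOWER_ALPHA.fullmatch(nick) is not None

def suspicious_by_window(log_text, window_minutes=10):
    """Map window start -> set of distinct hosts whose connection fits the pattern."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a connection record
        ts, nick, ident, host = m.groups()
        if matches_pattern(nick, ident):
            t = datetime.fromisoformat(ts)
            start = t.replace(minute=t.minute - t.minute % window_minutes, second=0)
            buckets[start].add(host)
    return dict(buckets)

def flood_windows(log_text, min_hosts=3, window_minutes=10):
    """Windows where enough distinct hosts fit the pattern to suggest a bot wave."""
    hits = suspicious_by_window(log_text, window_minutes)
    return {w: sorted(h) for w, h in hits.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for window, hosts in flood_windows(SAMPLE_LOG).items():
        print(window.isoformat(), len(hosts), "hosts:", ", ".join(hosts))
```

An ordinary user such as `anna!anna` also fits the per-connection test, so the useful signal is the number of distinct hosts per window rather than any single match.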