Security Incidents mailing list archives
Re: detecting "trinity v3 by self" DDoS agent
From: Philippe Bourcier <philippe () CYBERABUSE ORG>
Date: Thu, 31 Aug 2000 02:30:42 +0200
re

We detected a few weeks ago (with 2 other people from the UnderNet staff) the "trinity v2 and v3 by self" on IRC (400 bots with different IPs). We saw self (the author) using those and then alerted some of the hacked boxes' admins.

...

> From: Matt Power <mhpower () MIT EDU>
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: detecting "trinity v3 by self" DDoS agent
>
> <snip>
>
> -- lsof output reporting that a program named /usr/lib/idle.so is listening on tcp port 39168 (this is the DDoS agent itself)
> -- lsof output reporting that a program named /var/spool/uucp/uucico is listening on tcp port 33270
> -- possibly other tcp or udp ports in use by the /usr/lib/idle.so and /var/spool/uucp/uucico programs

I will add that for trinity v2 the idle.so file is named trnty.h, and also that uucico uses a TCP connection on port 6667 (IRC) since it's an IRC bot.

All the 400 machines used seem pretty easy to hack. The attacks made were trinoo-like (pyramidal). I have a list of the attacked sites if someone wants it.

Nicknames on IRC (UnderNet) were generated with the 6 first letters of the machine name ("." replaced by "_"), 2 other letters (the meaning of which we haven't found) and 1 number, which is probably defining the order in the pyramid. i.e.: aquarids0 using aquarius.cryogenic.net

The hacker (self) of those 400 hacked machines seems to have stopped his game.
114 hacked machines are still online:

--------------------------------------------
Philippe Bourcier (Mr_RIP)
--------------------------------------------
Paris.FR.EU.UnderNet.Org
--------------------------------------------
documents.cyberabuse.org
--------------------------------------------
ps: Victim of a smurf attack? Mail IPs to mailing () cyberabuse org
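As an added example (not from the thread or its authors), a Python check that scans `lsof -i -n -P` style output for the indicators quoted in the post (idle.so / trnty.h listening on 39168, uucico listening on 33270, uucico connected to IRC port 6667) and tests an IRC nickname against the naming rule Philippe describes. The lsof sample, host names and addresses are constructed.

```python
import os
import re

# Indicators from the thread: binary basename -> (listening port, role).
# trnty.h is the trinity v2 name for the v3 idle.so agent.
LISTENERS = {
    "idle.so": (39168, "trinity v3 DDoS agent"),
    "trnty.h": (39168, "trinity v2 DDoS agent"),
    "uucico": (33270, "trinity IRC bot component"),
}
IRC_PORT = 6667  # uucico keeps an outbound TCP connection to IRC

def port_of(endpoint):
    """'*:39168' or '10.0.0.5:1025' -> 39168 / 1025 (0 if no port)."""
    _, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else 0

def trinity_findings(lsof_output):
    """Scan 'lsof -i -n -P' rows; return (command, reason) for the thread's indicators."""
    findings = []
    for line in lsof_output.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "COMMAND":
            continue
        state = fields.pop()[1:-1] if fields[-1].startswith("(") else ""
        name, proto = fields[-1], fields[-2]  # e.g. TCP  *:39168
        cmd = os.path.basename(fields[0])
        if proto not in ("TCP", "UDP") or cmd not in LISTENERS:
            continue
        local, _, remote = name.partition("->")
        port, role = LISTENERS[cmd]
        if state == "LISTEN" and port_of(local) == port:
            findings.append((cmd, f"{role} listening on {proto} {port}"))
        elif cmd == "uucico" and port_of(remote) == IRC_PORT:
            findings.append((cmd, f"IRC bot connection to {remote}"))
        else:  # thread: other tcp/udp ports may be in use by these binaries
            findings.append((cmd, f"known trinity binary on {proto} {name}"))
    return findings

def nick_matches_host(nick, hostname):
    """Thread's rule: first 6 chars of the hostname ('.' -> '_'), 2 letters, 1 digit."""
    prefix = re.escape(hostname[:6].replace(".", "_"))
    return re.fullmatch(prefix + r"[A-Za-z]{2}[0-9]", nick) is not None

# Constructed sample lsof output (not from the thread); COMMAND shown as full path.
SAMPLE = """COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
/usr/lib/idle.so 812 root 3u IPv4 1001 0t0 TCP *:39168 (LISTEN)
/var/spool/uucp/uucico 813 root 3u IPv4 1002 0t0 TCP *:33270 (LISTEN)
/var/spool/uucp/uucico 813 root 4u IPv4 1003 0t0 TCP 10.0.0.5:1025->192.0.2.10:6667 (ESTABLISHED)
sshd 200 root 3u IPv4 1004 0t0 TCP *:22 (LISTEN)"""
```

Run `trinity_findings(SAMPLE)` on a host's real lsof output to get the matching rows; an empty list means none of the thread's indicators were seen.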