Re: New maniac rootkit

["Aropalo Tommi" <tommi.aropalo () kolumbus fi>]

Look for the file psybnc.conf. There you can find the host they are using to
connect your machine.

USER1.OP.ENTRY= something
There you can find witch channels they use and so on.

-Tommi
----- Original Message -----
From: "Chris Huseman" <ChrisH () A-t-g com>
To: "'Andrew Heath'" <ah228 () cornell edu>
Cc: <incidents () securityfocus com>
Sent: Thursday, June 21, 2001 4:28 PM
Subject: RE: New maniac rootkit


> > -rwxr-xr-x   1 root     root        44313 Apr  2 15:24 bnc
> > - Bot Net Client?  bnc.conf mentions port 6667
> > -rw-r--r--   1 root     ftp            52 May 11 08:19 bnc.conf
> > - bnc's config file
>
>
> > I also know it's making IRC connections, plus has at least one
> > rootshell running.  I can't confirm this without modifying bits
> > of the box, to replace ps with a known good copy, and I can't do
> > that until one of my colleagues looks at it to get first hand
> > experience.
>
>
> BNC is an IRC proxy.  See: http://www.gotbnc.com
>
> You may be able to get more info on your intruder by seeing who it is that
> is using that bnc.. find a clean copy of netstat and look at the port
> bnc.conf says its listening on.
>
> -chris