Security Incidents mailing list archives
Re: new(?) windows irc ddos trojan
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Sat, 10 Mar 2001 19:18:55 -0700
On Sat, 10 Mar 2001, Pete Schmitt wrote:
> When it's running, a netstat -an shows the following (smb stuff left out for clarity):
>
> TCP 0.0.0.0:1029 0.0.0.0 listen
> TCP 0.0.0.0:113 0.0.0.0 listen
> TCP 192.168.1.2:1029 199.173.178.35 EST #this is dalnet.away.net
BTW, I don't know if you're aware.. Windows 9x has a problem with its Netstat reporting... it shows ports as "listening" that are in fact just being used to make client connections. I.e. you see the port 1029 is being used to contact the dalnet server. So, it's just listening on ident, as you've noted. Many IRC servers require ident for whatever reason before they will let you connect.
> The 192.x.x.x address is my local NAT'ed address. I'm running behind a Linux-router project firewall box. Hence, our little friend couldn't complete his duties.
I suspect it could.. unless you block IRC out or it was trying to DCC send, only. Since it's acting strictly as a client, it was probably at least able to "call home".
> I have ethereal packet dumps of what it's up to. All I need is a place to send them.
I'll take a look. Please send them to me off-list. Did you manage to capture any binaries? Did I understand you to say that the machine has been reformatted already?

Ryan
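As an added illustration of the Windows 9x netstat quirk discussed above (example code, not from the original thread or its authors): parse `netstat -an` output and separate genuine listeners from LISTENING rows that are really the local end of an outbound client connection. The sample output is constructed from the lines quoted in the thread; the foreign port 6667 is an assumption, since the post does not show it.

```python
import re
from collections import defaultdict

# Constructed sample in Windows `netstat -an` layout, modelled on the lines
# quoted in the thread. The foreign port 6667 is an assumed value; the
# original post does not show it.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    192.168.1.2:1029       199.173.178.35:6667    ESTABLISHED
"""

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+)\s*(?P<state>\S+)?\s*$"
)

def parse_netstat(text):
    """Return one dict per socket line; rows without host:port on both sides
    (e.g. UDP entries shown as *:*) do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["lport"], d["fport"] = int(d["lport"]), int(d["fport"])
            rows.append(d)
    return rows

def classify_listeners(rows):
    """Split TCP LISTENING rows into genuine listeners and Win9x artefacts.

    Win9x netstat also lists the local port of an outbound client connection
    as LISTENING. If that port appears in an ESTABLISHED row too, treat the
    LISTENING row as a client-side artefact and record the peer instead;
    anything left is a real server socket (here 113/ident) worth a look.
    """
    established = defaultdict(list)
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            established[r["lport"]].append((r["faddr"], r["fport"]))
    real, phantom = {}, {}
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "LISTENING":
            if r["lport"] in established:
                phantom[r["lport"]] = established[r["lport"]]
            else:
                real[r["lport"]] = r["laddr"]
    return real, phantom
```

Running `classify_listeners(parse_netstat(SAMPLE_NETSTAT))` reports 1029 as the client side of the connection to 199.173.178.35 and leaves 113 as the only genuine listener, matching the reading above.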