Security Incidents mailing list archives

Re: Trojan? DDOS Bot?


From: Mike Parkin <mparkin () cisco com>
Date: Tue, 27 Aug 2002 11:56:53 -0700 (PDT)

You appear to have been infected with one of a variety of Trojans - like
BO, NetBus, Sub7, etc.  Can't tell from the ports you show, since many of
the trojans are configurable for responses, U@H values when connecting to
IRC, listening ports, etc.

I've seen that same thing from the IRCAdmin side of the equation many
times.  We used to set up in the "target" channel and wait for the organic
to show up and claim its bots.  Unfortunately, even when we'd dealt with
him, we'd often see stragglers from his botnet for weeks to come.

Advice - get some scanning software appropriate for your OS (Sorry, no
recommendation - I'm an *IX guy) and find the trojan.


Mike Parkin
Cisco Systems, Inc.
Information Security
SysAdmin/NetAdmin





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

