Bugtraq mailing list archives
Re: Internet Wide DOS Attack using IRC
From: cluster () VIDEOTRON CA (Samuel Cossette)
Date: Fri, 2 Oct 1998 20:55:01 -0400
I have done my own investigation about it. First, it's not Back Orifice, it's another fuck*** trojan, spread by a DCC bot on EFnet (#warez950-dcc). When it's installed, it requests 3 files on Geocities! (configuration) Afterwards, the trojan starts an IRC session on EFNet. The first channel was #^C^CHaVoC^B^B with a key; when they discovered the presence of an intruder they changed the channel (#^_^_HaVoC^B^B). And for 1-2 weeks now the channel has been empty, and when I start my laptop (infected) I see, on the monitoring screen of my server, some connections to Geocities that retrieve a file and get back a 404 URL not found.

When a clone (Havoc calls an infected computer a "Drone") is connected on IRC, anybody can control it with private msg commands (.join #chan, .part, .do [raw command]). 2-3 weeks ago the infected chan got about 500-700 drones (stable). My personal estimation of infected computers is 15000+. With 500 "clones" they can easily split an IRC server with the command MOTD:irc.server.net (.do raw command).

To see if you are infected, do CTRL-ALT-DEL in Windows and if you have a process called OCE it's the Havoc trojan :] Remove it from your system directory, usually c:\windows\system.

Samuel Cossette

-----Original Message-----
From: dbarba <dbarba () GEOCITIES COM>
To: BUGTRAQ () NETSPACE ORG <BUGTRAQ () NETSPACE ORG>
Date: 2 October 1998 18:09
Subject: Internet Wide DOS Attack using IRC
Please forward this on to the appropriate people if necessary.

GeoCities is currently experiencing a DOS attack that appears to be spread by a trojan horse in a mIRC script. GeoCities is receiving thousands of HTTP requests from thousands of unique computers daily for a file that no longer exists on our servers. The specific count for one minute on Friday, September 25 at 10:17 am was 3,522 hits, 1,492 of them from unique IPs. For the time period of 3 am to 10:17 am on 9/25 we had 3,562 unique IPs request this one file. It does not appear to be specifically requested by the user of that computer. This request uses no browser and is usually requesting the file every 30 seconds while the user is connected to the Internet. The requests are coming from around the world and have been slowly building up since at least August 18, 1998 (the farthest back our access logs go).

The attack is requesting a file from our site: http://www.geocities.com/Area51/Stargate/5845/nfo.zip

The complete content of the 5845 directory was: nfo.zip, nfo.jpg, servers.zip, servers.jpg, users.zip and users.jpg. When I looked at the binary files by doing a cat, the users jpg & zip files were the same, but the other files were all unique.

It does not use a browser or store cookies. At the moment, the file being requested is of zero size. When there is a file of size , originally it was 8k and I later inserted a short note to contact me regarding the attack into the nfo.zip file, at which time the attack becomes much worse on the Windows machines that are requesting the file. Also, an odd note, there are a couple of machines that are requesting the file named nfo.jpg. Those are requested every minute instead of every 30 seconds.

I have contacted a user that complained about GeoCities attacking him. In reality, his computer was asking for the nfo.zip file from us every 30 seconds, and that was flooding his connection to the Internet. I have worked with him closely since he found the problem. He only uses IRC. In fact, the first time he visited our website was after the attack started, when he was looking for a contact name and number. He does not surf the Internet. He has subsequently reinstalled his OS and that has completely stopped the attack.

We did find an entry in his registry with the following setting:

/microsoft/windowsexplorer/doc/find/spec/mru
a) " "
b) 5845
c) nfo
d) bo
e) nfo.zip
f) winrar
g) msvbvm60.dll
h) loadwc
i) stargate
j) area51
mrulist) eadcbjihgf

When the user deleted the registry entry, the attack from his machine went from 1 GET every 30 seconds to 1 GET every second. After about 10 minutes, it started slowing up and finally settled into about 1 GET every 17-20 seconds.

I also asked our ISP to help track some of this and this was their result: "All the IP's I've scanned so far from the log have several UDP ports open in the 31337 range (what Back Orifice uses)."

So, we really need to find the source instead of asking everyone to reinstall their OS. It might also be necessary to inform the various virus-detection software vendors to try to eradicate this from all of the machines that currently have it installed.

Thank you for your help,

Debbie Barba
SysAdmin
dbarba () geocities com
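Added example, not part of this thread or of GeoCities' tooling: a small Python detector that, run over constructed access-log lines in Apache combined format, reproduces the per-minute hit and unique-IP count Debbie quotes and flags sources that fetch nfo.zip at a fixed ~30 s interval with no browser User-Agent. The log lines, IP addresses, timestamps and thresholds are constructed; only the requested path, the 404 result and the 30-second period come from the report.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed Apache combined-format lines (not GeoCities' real logs): two hosts
# beacon for nfo.zip every ~30 s with no User-Agent, one browser follows a link.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/1998:10:17:00 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.5 - - [25/Sep/1998:10:17:30 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.5 - - [25/Sep/1998:10:18:00 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:17:05 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:17:36 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:18:06 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
192.168.1.7 - - [25/Sep/1998:10:17:40 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "http://www.geocities.com/Area51/Stargate/5845/" "Mozilla/4.05 [en] (Win95; I)"
"""
TARGET = "/Area51/Stargate/5845/nfo.zip"  # the path named in the report
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Parse combined-format lines (unparseable ones are skipped) into dicts with tz-aware timestamps."""
    entries = [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]
    for e in entries:
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entries

def per_minute_stats(entries, path):
    """Hits and unique source IPs per minute for one path (the report's metric)."""
    buckets = defaultdict(list)
    for e in entries:
        if e["path"] == path:
            buckets[e["ts"].strftime("%d/%b/%Y %H:%M")].append(e["ip"])
    return {minute: (len(ips), len(set(ips))) for minute, ips in buckets.items()}

def find_beacons(entries, path, period=30, tolerance=5, min_hits=3):
    """IPs fetching `path` at a near-constant interval with an empty User-Agent."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["path"] == path and e["ua"] == "-":
            by_ip[e["ip"]].append(e["ts"])
    beacons = []
    for ip, times in by_ip.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - period) <= tolerance for g in gaps):
            beacons.append((ip, mean(gaps)))
    return sorted(beacons)
```

The browser visitor who follows a link to the missing file is counted in the per-minute totals but not flagged, since a single hit with a real User-Agent does not fit the beacon pattern.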