Educause Security Discussion mailing list archives
Passwords brute forced and sent over IRC
From: Krizi Trivisani <krizi () GWU EDU>
Date: Thu, 1 Apr 2004 15:54:16 -0500
Hello,

We have had the login credentials of a number of systems enumerated and sent over IRC to an IRC server in Korea with the IP address of 218.55.182.49 (now blocked at our router). Based on examination so far, this is what we have found:

1. One system was compromised and started scanning the network for open shares and weak passwords on other systems.
2. Once a system was found with a weak password, the credentials were sent over IRC.
3. Files found on compromised/infected systems (in c:\%systemroot%\system32) include regedlt.exe and moo.dat.
4. Domain controllers to which the compromised systems were connected were at 100% utilization.
5. In some cases we are seeing a telnet backdoor being opened on 5542.

Might be a worm, possibly a W32.Randex.gen variant, but we are not sure at this point. We are hearing other Universities may be having this same problem. Anyone else experiencing this?

Krizi

**********************************
Krizi Trivisani, CISSP
Director of Systems Security Operations
Chief Security Officer
The George Washington University
202/994-7803
krizi () gwu edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
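As an added example, not part of the original message or the list discussion: a small Python triage routine that checks one host's "netstat -an" output and a listing of its system32 directory against the indicators reported above (the IRC server IP, the 5542 listener and the two dropped file names). The sample netstat lines are constructed, and the IRC port 6667 in them is an assumption; the message does not state which port the IRC traffic used.

```python
"""Host triage against the indicators from the incident report above."""

IRC_SERVER_IP = "218.55.182.49"             # IRC server named in the report
BACKDOOR_PORT = 5542                         # telnet backdoor port from the report
SUSPECT_FILES = {"regedlt.exe", "moo.dat"}   # files found in system32 per the report


def parse_netstat(lines):
    """Yield (proto, local_ip, local_port, foreign_ip, foreign_port, state)
    from Windows 'netstat -an' style lines; headers and blanks are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""      # UDP lines carry no state
        lip, _, lport = local.rpartition(":")
        fip, _, fport = foreign.rpartition(":")
        yield proto, lip, int(lport) if lport.isdigit() else -1, fip, fport, state


def triage(netstat_lines, system32_listing):
    """Return a list of (indicator, detail) findings for one host."""
    findings = []
    for proto, lip, lport, fip, fport, state in parse_netstat(netstat_lines):
        if fip == IRC_SERVER_IP:                          # any talk to the IRC server
            findings.append(("irc_c2", f"{proto} {lip}:{lport} -> {fip}:{fport} {state}"))
        if proto == "TCP" and lport == BACKDOOR_PORT and state == "LISTENING":
            findings.append(("backdoor_listener", f"{lip}:{lport}"))
    for name in system32_listing:                          # dropped-file check
        if name.lower() in SUSPECT_FILES:
            findings.append(("dropped_file", name))
    return findings


# Constructed sample: one infected host. Port 6667 is assumed, not from the report.
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:5542           0.0.0.0:0              LISTENING",
    "  TCP    10.1.2.3:1056          218.55.182.49:6667     ESTABLISHED",
    "  UDP    0.0.0.0:137            *:*",
]
SAMPLE_SYSTEM32 = ["ntoskrnl.exe", "regedit.exe", "regedlt.exe", "moo.dat"]


def sample_findings():
    return triage(SAMPLE_NETSTAT, SAMPLE_SYSTEM32)


if __name__ == "__main__":
    for indicator, detail in sample_findings():
        print(f"{indicator:18} {detail}")
```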
Current thread:
- Passwords brute forced and sent over IRC Krizi Trivisani (Apr 01)
- <Possible follow-ups>
- Re: Passwords brute forced and sent over IRC Jim Bollinger (Apr 01)