Full Disclosure mailing list archives

Re: AMDPatchB & InstallStub

From: Chris Ruvolo <chris+fulldisc () ruvolo net>
Date: Wed, 17 Sep 2003 14:00:44 -0700

On Wed, Sep 17, 2003 at 09:05:33PM +0200, Michael Linke wrote:

This program is trying to get Internet Access while starting.
amdpatchB.exe is connecting 63.246.134.50:9900.
There is a text based protocol running on 63.246.134.50 at a service on port
9900.
See Telnet output:
________________________________________________________
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname


This is an IRC server.  It looks like your machine is now part of some kind
of bot network.  Any indication of how the machine was compromised?

??? [local users on irc(3240)] 100%
??? [global users on irc(3236)] 100%
??? [invisible users on irc(4)] 0%
??? [ircops on irc(3)] 0%
??? [total users on irc(3240)]
??? [unknown connections(8)]
??? [total servers on irc(1)] (avg. 3240 users per server)
??? [total channels created(7)] (avg. 462 users per channel)

Channel      Users   Topic                                   
#use             3                                           
#yes2            1                                           
#a            2217                                           
#amernnq        32                                           
#abcdefg        32                                           
#proxy           2                                           


#a has bunch of clients with random names:

[ eifefs    ] [ ssdbw     ] [ luwbx     ] [ niiopk    ] [ iuuvcr    ] 
[ wkmcyh    ] [ hxsdxj    ] [ dwyfe     ] [ mmfok     ] [ hiqhn     ] 
[ guiq      ] [ ijgym     ] [ dyhvq     ] [ wyuo      ] [ lwyo      ] 
[ deii      ] [ mlosw     ] [ lpmblg    ] [ jfybwz    ] [ czyna     ] 
[ ptyqm     ] [ gbxn      ] [ eqpabg    ] [ jqmk      ] [ klnzuu    ] 

And random idents:

#a         nefgg      H   ituko () MTL-HSE-ppp202529 qc sympatico ca (nefgg)
#a         fywu       H   xsjt () bzq-218-229-14 red bezeqint net (fywu)
#a         dmwt       H   yfgjm () Toronto-HSE-ppp3889996 sympatico ca (dmwt)
#a         dggssb     H   iupvqu () Toronto-HSE-ppp3698157 sympatico ca (dggssb)
#a         zaovrf     H   sncbi () ANeuilly-103-1-2-82 w80-11 abo wanadoo fr
#a         jlhiqz     H   wmnxy () host-216-76-249-3 pns bellsouth net (jlhiqz)
#a         fqpb       H   oernsholt () 3E6B6D32 rev stofanet dk (fqpb)
#a         myuckz     H   nrne () adsl-68-74-222-106 dsl dytnoh ameritech net


Hope this helps.
-Chris

Attachment: _bin
Description:

Current thread:

Re: openssh remote exploit, (continued)
- - - Re: openssh remote exploit petard (Sep 17)
    - Re: openssh remote exploit Shawn McMahon (Sep 17)
    - Re: openssh remote exploit Richard Johnson (Sep 17)
    - AMDPatchB & InstallStub Michael Linke (Sep 17)
    - Re: AMDPatchB & InstallStub phlox (Sep 17)
    - AW: AMDPatchB & InstallStub Michael Linke (Sep 17)
    - Re: AW: AMDPatchB & InstallStub Jordan Wiens (Sep 17)
    - SV: AMDPatchB & InstallStub Peter Kruse (Sep 17)
    - AW: AMDPatchB & InstallStub Michael Linke (Sep 17)
    - Re: AMDPatchB & InstallStub S G Masood (Sep 17)
    - Re: AMDPatchB & InstallStub Chris Ruvolo (Sep 17)
    - Re: AMDPatchB & InstallStub S G Masood (Sep 17)