Full Disclosure mailing list archives
Re: AMDPatchB & InstallStub
From: Chris Ruvolo <chris+fulldisc () ruvolo net>
Date: Wed, 17 Sep 2003 14:00:44 -0700
On Wed, Sep 17, 2003 at 09:05:33PM +0200, Michael Linke wrote:
> This program is trying to get Internet Access while starting. amdpatchB.exe
> is connecting to 63.246.134.50:9900. There is a text-based protocol running
> on 63.246.134.50 at a service on port 9900. See Telnet output:
> ________________________________________________________
> NOTICE AUTH :*** Looking up your hostname
> NOTICE AUTH :*** Checking Ident
> NOTICE AUTH :*** Found your hostname
This is an IRC server. It looks like your machine is now part of some kind of
bot network. Any indication of how the machine was compromised?

??? [local users on irc(3240)] 100%
??? [global users on irc(3236)] 100%
??? [invisible users on irc(4)] 0%
??? [ircops on irc(3)] 0%
??? [total users on irc(3240)]
??? [unknown connections(8)]
??? [total servers on irc(1)] (avg. 3240 users per server)
??? [total channels created(7)] (avg. 462 users per channel)

Channel   Users  Topic
#use      3
#yes2     1
#a        2217
#amernnq  32
#abcdefg  32
#proxy    2

#a has a bunch of clients with random names:

[ eifefs ] [ ssdbw ] [ luwbx ] [ niiopk ] [ iuuvcr ] [ wkmcyh ] [ hxsdxj ]
[ dwyfe ] [ mmfok ] [ hiqhn ] [ guiq ] [ ijgym ] [ dyhvq ] [ wyuo ] [ lwyo ]
[ deii ] [ mlosw ] [ lpmblg ] [ jfybwz ] [ czyna ] [ ptyqm ] [ gbxn ]
[ eqpabg ] [ jqmk ] [ klnzuu ]

And random idents:

#a nefgg H ituko () MTL-HSE-ppp202529 qc sympatico ca (nefgg)
#a fywu H xsjt () bzq-218-229-14 red bezeqint net (fywu)
#a dmwt H yfgjm () Toronto-HSE-ppp3889996 sympatico ca (dmwt)
#a dggssb H iupvqu () Toronto-HSE-ppp3698157 sympatico ca (dggssb)
#a zaovrf H sncbi () ANeuilly-103-1-2-82 w80-11 abo wanadoo fr
#a jlhiqz H wmnxy () host-216-76-249-3 pns bellsouth net (jlhiqz)
#a fqpb H oernsholt () 3E6B6D32 rev stofanet dk (fqpb)
#a myuckz H nrne () adsl-68-74-222-106 dsl dytnoh ameritech net

Hope this helps.

-Chris
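A small defender-side check for the two observations in this reply, added here as an example and not part of the thread or of any tool mentioned in it: it fingerprints a captured banner as IRC by the pre-registration NOTICE AUTH greeting or a numeric server reply in RFC 1459 message form, and flags a channel listing in which one channel absorbs most of the server's users (the #a pattern). The banner text is a constructed sample modelled on the quoted lines; the channel counts are the ones quoted in the reply.

```python
import re

# Constructed sample of what a probe of an unexpected outbound port returned,
# modelled on the NOTICE AUTH lines quoted in the thread (not a real capture).
BANNER = (
    "NOTICE AUTH :*** Looking up your hostname\r\n"
    "NOTICE AUTH :*** Checking Ident\r\n"
    "NOTICE AUTH :*** Found your hostname\r\n"
)

# Channel listing as "<channel> <users>" lines, using the counts quoted above.
CHANNEL_LIST = "#use 3\n#yes2 1\n#a 2217\n#amernnq 32\n#abcdefg 32\n#proxy 2\n"

# RFC 1459 message shape: optional ":prefix ", a command (word or 3-digit
# numeric), then optional parameters up to end of line.
IRC_LINE = re.compile(r"^(?::\S+ )?(?:[A-Za-z]+|\d{3})(?: [^\r\n]*)?$")


def irc_command(line: str) -> str:
    """Return the command token, skipping a leading ':prefix' if present."""
    parts = line.split(" ")
    return parts[1] if parts[0].startswith(":") and len(parts) > 1 else parts[0]


def is_irc_banner(data: str) -> bool:
    """True if every banner line parses as an IRC message and at least one is
    the NOTICE AUTH greeting or a numeric server reply (001, 433, ...)."""
    lines = [ln for ln in data.splitlines() if ln.strip()]
    if not lines or not all(IRC_LINE.match(ln) for ln in lines):
        return False
    return any(ln.upper().startswith("NOTICE AUTH") or irc_command(ln).isdigit()
               for ln in lines)


def parse_channel_list(text: str) -> dict:
    """Parse '<channel> <users> ...' lines into {channel: user_count}."""
    counts = {}
    for ln in text.splitlines():
        m = re.match(r"^(#\S+)\s+(\d+)", ln)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def crowded_channels(counts: dict, share: float = 0.5) -> list:
    """Channels holding more than `share` of all listed users: one channel
    absorbing nearly every client is the pattern seen in the reply above."""
    total = sum(counts.values())
    return [(c, n) for c, n in counts.items() if total and n / total > share]
```

Run `is_irc_banner()` on the first bytes read from an outbound connection to an unusual port, and `crowded_channels(parse_channel_list(...))` on a LIST reply, to turn the manual diagnosis in the thread into a repeatable check.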