Security Incidents mailing list archives

Re: IRC bot floods...


From: abel wisman <able () ABLE-TOWERS COM>
Date: Sun, 13 Aug 2000 22:34:50 -0500

If you monitor where they are going, there are two possibilities:

1. They are Sub7 trojans, latest version; they will spawn an IP and passwd,
most likely in a -s channel. This is seen in a lot of networks; it is usually
the users (mostly German) that are infected and are online at that moment,
though when set up well, your infected users will most likely be spawned on
other networks and the ones on yours will be vice versa.

2. They might be part of "chatscan", a new "service" that monitors networks,
supposedly for a "database" that prospective IRC users might use to select
a topic discussed in any channel on any given network; though they claim not
to "record" discussions, it has been proven they do.
The main problem, however, is that in both cases the IPs used are dial-up accounts.

What to do with the trojans? We have not yet found the answer, but view it
as a possibility for our users to check if their IP is there.


regards

abel wisman

www.able-towers.com



At 04:13 PM 8/10/2000 -0500, PARKIN, MICHAEL M (PBI) wrote:
Morning, folks,

I administer a server on a small IRC network (11 servers, US, Australia,
Europe) that is currently undergoing a flood of connections from what appear
to be compromised Windows boxes.  At the moment, they are not doing anything
destructive, but I wonder if anyone else has encountered this recently.

The hosts are all Windows based, either NT or 9x.  Cursory scans show open
shares on a few (very few) and the open ports, when we find open ports,
don't match any of the Trojans our admins or opers are familiar with.  i.e.
Sub7, BO, Hack'A'Tack, Netbus, etc.

The connections all appear to be coming from legitimate hosts, none found so
far are proxies.  At least as far as we can tell.  The userid is always
random, containing alphabetic characters only.  All lower case, no numerics
or non-alpha characters.  IRC Nick = userid in all cases.  They do not
appear to be altering their userid and reconnecting when we punt them off,
and they're not connecting rapidly enough to cause any real threat to our
Net.

If anyone knows of a new Trojan with this capability, I'd appreciate some
input.  There are literally hundreds of these things connecting, and the
'paranoid' in me says they're the first stage of a DDoS against our net.

Thanks,

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108
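The pattern Mike describes (ident identical to the nick, lowercase letters only, no digits) is easy to turn into a triage filter over ircd "client connecting" notices. The script below is an added example, not code from either poster: it parses a handful of constructed server notices in a generic format (the regex and the log lines are assumptions, not this network's real ircd output), flags connections matching the stated pattern, and counts the hits per hostname domain so an oper can see whether they cluster on particular dial-up pools, as Abel's reply suggests they would.

```python
import re
from collections import Counter

# Constructed sample of ircd "client connecting" server notices in a generic
# format. These lines are invented for this example; they are not logs from
# the network described in the post.
SAMPLE_NOTICES = """\
*** Notice -- Client connecting: qwrtbn (qwrtbn@dialup-12.example.net) [192.0.2.17]
*** Notice -- Client connecting: Mike_P (mparkin@shell.example.com) [198.51.100.5]
*** Notice -- Client connecting: zxkplmv (zxkplmv@ppp-44.example.org) [203.0.113.44]
*** Notice -- Client connecting: hjkqwe (hjkqwe@dialup-81.example.net) [192.0.2.81]
*** Notice -- Client connecting: alice (alice@home.example.com) [198.51.100.9]
*** Notice -- Client connecting: bot1 (bot1@dialup-3.example.net) [192.0.2.3]
*** Notice -- Client connecting: Zxkplmv (zxkplmv@ppp-45.example.org) [203.0.113.45]
"""

# Assumed notice layout: "Client connecting: NICK (USER@HOST) [IP]".
NOTICE_RE = re.compile(
    r"Client connecting: (?P<nick>\S+) "
    r"\((?P<user>[^@]+)@(?P<host>[^)]+)\) \[(?P<ip>[^\]]+)\]"
)


def parse_notice(line):
    """Return {nick, user, host, ip} for one connect notice, or None."""
    m = NOTICE_RE.search(line)
    return m.groupdict() if m else None


def looks_like_bot(conn):
    """The pattern from the post: ident identical to the nick, and the
    string is lowercase letters only (no digits, no punctuation)."""
    nick, user = conn["nick"], conn["user"]
    return nick == user and re.fullmatch(r"[a-z]+", nick) is not None


def flag_connections(text, ignore=frozenset()):
    """Parse every notice in `text` and return the connections that match
    the bot pattern, skipping nicks listed in `ignore` (known legitimate
    users whose short lowercase names would otherwise match)."""
    flagged = []
    for line in text.splitlines():
        conn = parse_notice(line)
        if conn and conn["nick"] not in ignore and looks_like_bot(conn):
            flagged.append(conn)
    return flagged


def count_by_domain(conns):
    """Count flagged connections per hostname domain (last two labels) so
    clustering on particular dial-up pools stands out."""
    counts = Counter()
    for c in conns:
        labels = c["host"].split(".")
        counts[".".join(labels[-2:])] += 1
    return counts


if __name__ == "__main__":
    hits = flag_connections(SAMPLE_NOTICES)
    for c in hits:
        print(f"{c['nick']:<10} {c['user']}@{c['host']} [{c['ip']}]")
    print(count_by_domain(hits))
```

Note the deliberate false positive in the sample: a real user with a short lowercase name ("alice") matches the pattern just as the random idents do, which is why the filter takes an `ignore` set and why the per-domain counts, not the individual hits, are the useful signal. Mixed-case nicks and idents containing digits are left alone, since the post reports neither.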

