Security Incidents mailing list archives
Re: FW: PPark (was: Win 95 Question)
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Tue, 29 Feb 2000 16:31:05 +1300
On Mon, 28 Feb 2000 07:00:59 -0500 Ron Gula <rgula () network-defense COM> wrote:
We have not fully analyzed a live compromised PPark server in our lab yet. What we have not been able to determine is which IRC group(s) a PPark server may join? The list of target IRC servers has been published and this is the first real trace of an IRC "USER" event, but it would also be useful to see some packet traces of the entire session.
Hmmm... I have been analysing our argus logs for machines that are communicating with the IRC servers that are listed as being used by PP. I have found a couple of possibles and I am now checking with the owners. I'll try and get a tcpdump of the sessions. In the meantime I have a question: The advirories I have seen say Pretty Park can be used for remote control but none of them say what ports/mechanisms are used -- is it done via IRC? Russell.
Current thread:
- FW: PPark (was: Win 95 Question) Ville (Feb 25)
- Re: FW: PPark (was: Win 95 Question) Brett Glass (Feb 26)
- Re: FW: PPark (was: Win 95 Question) Ville (Feb 26)
- Re: FW: PPark (was: Win 95 Question) Ron Gula (Feb 28)
- Re: FW: PPark (was: Win 95 Question) Russell Fulton (Feb 28)
- Re: FW: PPark (was: Win 95 Question) Brett Glass (Feb 28)
- Re: FW: PPark (was: Win 95 Question) Ville (Feb 26)
- Re: FW: PPark (was: Win 95 Question) Brett Glass (Feb 26)