Security Incidents mailing list archives

Re: IRC-bots: what are they for ?


From: tyler () ENJOY-UNIX ORG (tyler)
Date: Wed, 12 Jan 2000 14:03:50 -0700


It's never ceased to amaze me how willing crackers are to leave a direct
trail to themselves. If you open up the eggdrop's userfile you could get
the IP address of the person who cracked you pretty easily.

Anyway, as far as your question goes it is pretty much a vanity thing. Big
"bot-nets" make people feel cool I guess.
Backdoors? I wouldn't think so, but it might be a good idea just to
portscan yourself really quickly and check out any unusual ports that may
be open.
Eggdrop requires one port to be open for it, I believe. I'm running an
eggdrop from my machine and here's what it looks like (information collected
with nmap):

5050   open   tcp   mmcc

So that's a normal port to be open if there is an eggdrop running.

Overall, you should be worrying more about securing those cracked machines than
figuring out why all those eggdrops are on 'em ;-)

Tyler

Jens Hektor wrote:

Hi,

is anybody out there who could explain to me why on nearly
every cracked machine I get in touch with the crackers
have installed IRC-bots, most of the time "eggdrop" ?

What practical use can be gained by installing a bot on a cracked machine?

Does it give any backdoors to the system (file access,
interactive access, monitoring, etc) ?

Is such a bot possibly part of a larger communication
infrastructure, maybe like the tfn/trinoo/stacheldraht
thingie?

In hope for clarification, irc-ignorant Jens Hektor
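
The self-portscan check suggested in the reply above, as an added example that is not part of the original posts: it parses nmap port rows in both the old column layout quoted in the reply and the current `port/proto` layout, then reports open ports missing from a baseline. The sample scan, the baseline and the function names are constructed for illustration.

```python
import re

# Old nmap column layout as quoted in the post: "5050   open   tcp   mmcc"
OLD_ROW = re.compile(r"^\s*(\d{1,5})\s+(\S+)\s+(tcp|udp)\s*(\S*)")
# Current nmap layout: "5050/tcp open  mmcc"
NEW_ROW = re.compile(r"^\s*(\d{1,5})/(tcp|udp)\s+(\S+)\s*(\S*)")


def parse_open_ports(scan_text):
    """Return {(port, proto): service_guess} for every port reported open."""
    found = {}
    for line in scan_text.splitlines():
        m = OLD_ROW.match(line)
        if m:
            port, state, proto, service = m.groups()
        else:
            m = NEW_ROW.match(line)
            if not m:
                continue  # banner, header or blank line
            port, proto, state, service = m.groups()
        if state == "open" and 0 < int(port) <= 65535:
            found[(int(port), proto)] = service or "unknown"
    return found


def unexpected_ports(scan_text, baseline):
    """Open ports that are absent from the host's approved baseline, sorted."""
    open_ports = parse_open_ports(scan_text)
    return sorted((p, proto, svc) for (p, proto), svc in open_ports.items()
                  if (p, proto) not in baseline)


# Constructed sample: the 5050 row is the one from the post, the rest are invented.
SAMPLE_SCAN = """\
Port    State   Protocol  Service
22      open    tcp       ssh
25      open    tcp       smtp
5050    open    tcp       mmcc
6667/tcp open   irc
8080/tcp closed http-proxy
"""

# Assumed baseline: services the administrator knowingly runs on this host.
BASELINE = {(22, "tcp"), (25, "tcp")}

if __name__ == "__main__":
    for port, proto, svc in unexpected_ports(SAMPLE_SCAN, BASELINE):
        print(f"unexpected listener: {port}/{proto} (nmap guess: {svc})")
```

The service column is a lookup by port number, not an identification of the listening process: in the reply above the eggdrop port is labelled `mmcc`, so each flagged port still has to be traced to the process that owns it.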

