Security Incidents mailing list archives
Re: FW: PPark (was: Win 95 Question)
From: Robert.Graham () NETWORKICE COM (Robert Graham)
Date: Tue, 29 Feb 2000 12:27:01 -0800
BTW, if you could send me tcpdump of the session, I would really appreciate it as well. Setting up systems to collect tracefiles is often more work than creating the signature that detects the traffic.

Regards,
Robert Graham
CTO/Network ICE

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On Behalf Of Russell Fulton
Sent: Monday, February 28, 2000 7:31 PM
To: INCIDENTS () securityfocus com
Subject: Re: FW: PPark (was: Win 95 Question)

On Mon, 28 Feb 2000 07:00:59 -0500 Ron Gula <rgula () network-defense COM> wrote:

> We have not fully analyzed a live compromised PPark server in our lab yet. What we have not been able to determine is which IRC group(s) a PPark server may join? The list of target IRC servers has been published and this is the first real trace of an IRC "USER" event, but it would also be useful to see some packet traces of the entire session.

Hmmm... I have been analysing our argus logs for machines that are communicating with the IRC servers that are listed as being used by PP. I have found a couple of possibles and I am now checking with the owners. I'll try and get a tcpdump of the sessions.

In the meantime I have a question: The advisories I have seen say Pretty Park can be used for remote control but none of them say what ports/mechanisms are used -- is it done via IRC?

Russell.