Security Incidents mailing list archives
IRC based DoS bot
From: Rod R00t <rod_r00t () HOTMAIL COM>
Date: Sun, 17 Sep 2000 12:53:04 GMT
Hello there, I hope this information has not already been posted; if so please excuse me. I do hacking in my free time, not to damage people but just to have fun. 2 days ago I rooted an ADSL Linux box and found it already rooted. netstat showed me a connection to an Undernet server. The program making the connection was being called "-bash". The dir of it in /proc showed me that the binary of it was /etc/rc.d/init.d/echoserv (note, a binary, not an init script). Stringing the file showed me some interesting things.

This looks like confirmation messages (note that sending "PRIVMSG bla :blabla bla bla" to an IRC server makes you send a message to bla):

    [..]
    PRIVMSG %s :(entitee) udpflood started. %d.%d.%d.%d
    PRIVMSG %s :(entitee) udpflood completed. %d packets/sec
    PRIVMSG %s :(entitee) fragmentflood started.
    PRIVMSG %s :(entitee) fragmentflood completed. %d packets/sec
    PRIVMSG %s :(entitee) synflood started.
    PRIVMSG %s :(entitee) synflood completed. %d packets/sec
    PRIVMSG %s :(entitee) rstflood started.
    PRIVMSG %s :(entitee) rstflood completed. %d packets/sec
    PRIVMSG %s :(entitee) randomflagsflood started.
    PRIVMSG %s :(entitee) randomflagsflood completed. %d packets/sec
    PRIVMSG %s :(entitee) ackflood started.
    PRIVMSG %s :(entitee) ackflood completed. %d packets/sec
    PRIVMSG %s :(entitee) establishflood started.
    PRIVMSG %s :(entitee) establishflood completed. %d packets/sec
    PRIVMSG %s :(entitee) nullflood started.
    PRIVMSG %s :(entitee) nullflood completed. %d packets/sec
    [...]

These are some Undernet servers I found hardcoded:

    [...]
    204.127.145.17 216.24.134.10 208.51.158.10 199.170.91.114 207.173.16.33 207.96.122.250 205.252.46.98 216.225.7.155 205.188.149.3 207.69.200.131 207.114.4.35
    [...]

And here are basic IRC protocol commands:

    [...]
    USER %s %s %s :%s
    NICK %s
    ERROR
    PING
    PONG %s
    MODE %s +i
    JOIN %s %s
    MODE %s +sk %s
    PRIVMSG
    [...]

There were more strings but they are not that interesting.
What I did then was use ngrep to sniff the traffic going to and from the IRC server. The bot connects to the IRC server, joins a channel with a key, and after having joined it sets the key again. Then it just idles around. The other users on the channel the bot joined seem to be DoS bots too; they nearly all come from a major US internet provider and have the same username and nickname scheme.

I would like it if someone could tell me what I should do now, or just send me or this list more information about this program.

cya
rod r00t
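The mismatch described in the message above (a process calling itself "-bash" while its /proc entry points at /etc/rc.d/init.d/echoserv) can be checked for across all processes on a host. The following is an added example, not part of the original post; the function names and the proc_root parameter are assumptions of this example.

```python
import os

def argv0(proc_root, pid):
    """Return argv[0] as the process reports it (the process can set this freely)."""
    with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
        return f.read().split(b"\0", 1)[0].decode(errors="replace")

def find_masquerading(proc_root="/proc"):
    """Return (pid, argv0, exe) for processes whose claimed name and real binary differ.

    Heuristic only: interpreted scripts, multi-call binaries and symlinked
    shells (sh -> dash) also differ and need manual review.
    """
    findings = []
    pids = sorted(filter(str.isdigit, os.listdir(proc_root)), key=int)
    for pid in pids:
        try:
            # The exe link is maintained by the kernel, not by the process.
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            claimed = argv0(proc_root, pid)
        except OSError:
            continue  # kernel thread, exited process, or no permission
        if not claimed:
            continue  # zombie or process with an empty command line
        # A leading "-" is the login-shell convention ("-bash"); strip it.
        claimed_name = os.path.basename(claimed.lstrip("-"))
        # The kernel appends " (deleted)" when the binary was unlinked.
        real_name = os.path.basename(exe.replace(" (deleted)", ""))
        if claimed_name != real_name:
            findings.append((int(pid), claimed, exe))
    return findings

if __name__ == "__main__":
    for pid, claimed, exe in find_masquerading():
        print(f"pid {pid}: claims {claimed!r} but runs {exe}")
```

Run it as root so the exe links of other users' processes are readable; unreadable entries are skipped rather than reported.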
Current thread:
- IRC based DoS bot Rod R00t (Sep 17)
- Re: IRC based DoS bot Erik Tayler (Sep 18)
- Re: IRC based DoS bot Erik Tayler (Sep 18)
- Re: IRC based DoS bot Matthew S. Hallacy (Sep 19)
- Re: IRC based DoS bot Erik Tayler (Sep 20)
- Re: IRC based DoS bot Matthew S. Hallacy (Sep 19)
- <Possible follow-ups>
- Re: IRC based DoS bot Fredrik Ostergren (Sep 18)
- Re: IRC based DoS bot Rod R00t (Sep 19)
- Re: IRC based DoS bot Martins, Fernando (Lisbon) (Sep 22)