Security Incidents mailing list archives
Re: IRC based DoS bot
From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Mon, 18 Sep 2000 11:54:45 -0000
Hello!

That's the trinity v3 by self which we've been tracking down & posting things about since about a month ago. If you find any source code, please mail it over, if you found any other information that was not published in any analysis or any posts here, mail it over.

Kind Regards / Fredrik.

Hello there, I hope this information has not already been posted; if so please excuse me.

I do hacking in my free time, not to damage people but just to have fun.

2 days ago I rooted an ADSL Linux box and found it already rooted. netstat showed me a connection to an Undernet server. The program making the connection was being called "-bash". The dir of it in /proc showed me that the binary of it was /etc/rc.d/init.d/echoserv (note, a binary, not an init script). Stringing the file showed me some interesting things.

This looks like confirmation messages (note that sending "PRIVMSG bla :blabla bla bla" to an IRC server makes you send a message to bla)

[..]
PRIVMSG %s :(entitee) udpflood started. %d.%d.%d.%d
PRIVMSG %s :(entitee) udpflood completed. %d packets/sec
PRIVMSG %s :(entitee) fragmentflood started.
PRIVMSG %s :(entitee) fragmentflood completed. %d packets/sec
PRIVMSG %s :(entitee) synflood started.
PRIVMSG %s :(entitee) synflood completed. %d packets/sec
PRIVMSG %s :(entitee) rstflood started.
PRIVMSG %s :(entitee) rstflood completed. %d packets/sec
PRIVMSG %s :(entitee) randomflagsflood started.
PRIVMSG %s :(entitee) randomflagsflood completed. %d packets/sec
PRIVMSG %s :(entitee) ackflood started.
PRIVMSG %s :(entitee) ackflood completed. %d packets/sec
PRIVMSG %s :(entitee) establishflood started.
PRIVMSG %s :(entitee) establishflood completed. %d packets/sec
PRIVMSG %s :(entitee) nullflood started.
PRIVMSG %s :(entitee) nullflood completed. %d packets/sec
[...]

These are some Undernet servers I found hardcoded:

[...]
204.127.145.17 216.24.134.10 208.51.158.10 199.170.91.114 207.173.16.33 207.96.122.250 205.252.46.98 216.225.7.155 205.188.149.3 207.69.200.131 207.114.4.35
[...]

And here are basic IRC protocol commands:

[...]
USER %s %s %s :%s
NICK %s
ERROR
PING
PONG %s
MODE %s +i
JOIN %s %s
MODE %s +sk %s
PRIVMSG
[...]

There were more strings but they are not that interesting.

What I did then was use ngrep to sniff the traffic going to and from the IRC server. The bot connects to the IRC server, joins a channel with a key and after having joined it sets the key again. Then it just idles around. The other users on the channel the bot joined seem to be DoS bots too; they nearly all come from a major US internet provider and have the same username and nickname scheme.

I would like it if someone can tell me what I should do now or just send me or this list more information about this program.

cya
rod r00t
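
Added example (not part of the original posts): the report above describes a process that presents itself as "-bash" while /proc shows its binary is /etc/rc.d/init.d/echoserv. The Python sketch below checks every process for that mismatch by comparing argv[0] from /proc/<pid>/cmdline with the /proc/<pid>/exe link. The KNOWN_SHELLS set and the function names are assumptions chosen for illustration.

```python
import os

# Assumption: binaries that may legitimately back a shell name on this host
# (busybox and dash commonly provide "sh").
KNOWN_SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "busybox"}

def claimed_name(argv0):
    """Name shown by ps/top: basename of argv[0] without the login-shell dash."""
    return os.path.basename(argv0.lstrip("-"))

def is_masquerade(argv0, exe):
    """True when argv[0] claims to be a shell but the exe link is not one."""
    if claimed_name(argv0) not in KNOWN_SHELLS:
        return False
    suffix = " (deleted)"  # appended by the kernel when the binary was unlinked
    real = exe[:-len(suffix)] if exe.endswith(suffix) else exe
    return os.path.basename(real) not in KNOWN_SHELLS

def scan_proc(root="/proc"):
    """Return sorted (pid, argv0, exe) tuples for processes that look disguised."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(root)):
        base = os.path.join(root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient privilege
        if argv0 and is_masquerade(argv0, exe):
            hits.append((int(pid), argv0, exe))
    return sorted(hits)

if __name__ == "__main__":
    # Run as root so the exe links of other users' processes are readable.
    for pid, argv0, exe in scan_proc():
        print(f"pid {pid}: claims {argv0!r} but runs {exe}")
```

A rootkit that hooks /proc can hide from this check, so on a host already known to be compromised run it from trusted media or against a memory image.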
Current thread:
- IRC based DoS bot Rod R00t (Sep 17)
- Re: IRC based DoS bot Erik Tayler (Sep 18)
- Re: IRC based DoS bot Erik Tayler (Sep 18)
- Re: IRC based DoS bot Matthew S. Hallacy (Sep 19)
- Re: IRC based DoS bot Erik Tayler (Sep 20)
- Re: IRC based DoS bot Matthew S. Hallacy (Sep 19)
- <Possible follow-ups>
- Re: IRC based DoS bot Fredrik Ostergren (Sep 18)
- Re: IRC based DoS bot Rod R00t (Sep 19)
- Re: IRC based DoS bot Martins, Fernando (Lisbon) (Sep 22)