Re: IRC based DoS bot

[Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>]

Hello!
That's the trinity v3 by self which we've been tracking 
down & posting things about since about a month 
ago. If you find any source code, please mail it over, if 
you found any other information that was not 
published in any analysis or any posts here, mail it 
over. 

Kind Regards
/ Fredrik. 

> Hello there
> i hope this information has not alreay been posted, 
if so please excuse me.
> I do hacking in my free time, not to damage people 
but just to have fun.
> 2 days ago i rooted a adsl linux box and found it 
already rooted. netstat
> showed me a connection to a undernet server. The 
program making the
> connection was being called "-bash". The dir of it 
in /proc showed me that
> the binary of it was /etc/rc.d/init.d/echoserv (note, a 
binary, not a init
> script).
> stringing the file showed me some interesting 
things.
> This looks like confirmation messages (note that 
sending "PRIVMSG bla
> :blabla bla bla" to an irc server makes you sending 
a message to bla)
> [..]
> PRIVMSG %s :(entitee) udpflood started.
> %d.%d.%d.%d
> PRIVMSG %s :(entitee) udpflood completed. %d 
packets/sec
> PRIVMSG %s :(entitee) fragmentflood started.
> PRIVMSG %s :(entitee) fragmentflood completed. %
d packets/sec
> PRIVMSG %s :(entitee) synflood started.
> PRIVMSG %s :(entitee) synflood completed. %d 
packets/sec
> PRIVMSG %s :(entitee) rstflood started.
> PRIVMSG %s :(entitee) rstflood completed. %d 
packets/sec
> PRIVMSG %s :(entitee) randomflagsflood started.
> PRIVMSG %s :(entitee) randomflagsflood 
completed. %d packets/sec
> PRIVMSG %s :(entitee) ackflood started.
> PRIVMSG %s :(entitee) ackflood completed. %d 
packets/sec
> PRIVMSG %s :(entitee) establishflood started.
> PRIVMSG %s :(entitee) establishflood completed. %
d packets/sec
> PRIVMSG %s :(entitee) nullflood started.
> PRIVMSG %s :(entitee) nullflood completed. %d 
packets/sec
> [...]
>
> These are some undernet servers i found 
hardcoded:
> [...]
> 204.127.145.17
> 216.24.134.10
> 208.51.158.10
> 199.170.91.114
> 207.173.16.33
> 207.96.122.250
> 205.252.46.98
> 216.225.7.155
> 205.188.149.3
> 207.69.200.131
> 207.114.4.35
> [...]
>
> And here are basic irc protocoll commands:
> [...]
> USER %s %s %s :%s
> NICK %s
> ERROR
> PING
> PONG %s
> MODE %s +i
> JOIN %s %s
> MODE %s +sk %s
> PRIVMSG
> [...]
>
> There were more strings but they are not that 
interesting.
> What i did then was using ngrep to sniff the traffic 
going to and from the
> irc server. The bot connects to the irc server, joins 
a channel with a key
> and after having joined it sets the key again. Then it 
just idles around.
> The other users on the channel the bot joined seem 
to be dos bots too, they
> nearly all come from a major US internet provider 
and have the same username
> and nickname scheme
>
> I would like it if someone can say me what i should 
do now or just send me
> or this list more informations about this program.
>
> cya
> rod r00t
___________________________________________
______________________________
> Get Your Private, Free E-mail from MSN Hotmail at 
http://www.hotmail.com.
> Share information about yourself, create your own 
public profile at
> http://profiles.msn.com.