Re: Recent IRC attacks

[adam <agraham () lcc net>]

our linux box was hit (attempted).... running hybryid.... IRC server and 
red hat 7.0.... last night (july 11)



At 11:06 AM 7/12/2001 -0500, you wrote:

> Anyone seen the recent IRC related attacks?  We were the source
> and destination for more than one massive flood yesterday.
>
>
> The MO so far seems to be:
>
>   + Flood of IP protocol 255 packets from random, poorly admined, Win2K 
> boxen.
>
>   + The attacks seem to be directed almost exclusively at IRC servers.
>
>
> So far, we've found that the hacked Win2K boxes have the following:
>
>   BackOriface install as
>
>     c:\winnt\java\w.exe
>
>   Also, there was a new executable install as
>
>     c:\winnt\system32\wlogin.exe
>
>   And this was running as a service.
>
>
> Also, the hacked machines seem to be controlled via IRC.  They're
> connecting to rogue IRC servers running on what appear to be hacked
> machines on DSL/Cablemodems.
>
>
> If I had to guess how they got this stuff installed, I'd say that it
> was done via IIS.  None of the hacked machines that I've seen were patched
> and they were all running IIS.
>
>
> Paul
> --
> Paul Dokas                                            dokas () cs umn edu
> ======================================================================
> Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
>
>
> ----------------------------------------------------------------------------
>
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com