Re: Trojan? DDOS Bot?

[Christopher Cramer <chris.cramer () duke edu>]

welcome to the wonderful world of XDCC-type bots, see
http://staff.washington.edu/dittrich/misc/ddos/unisog-xdcc.txt

essentially, you were likely compromised by some other mechanism - we
see weak passwords on administrator accounts and MS SQL issues quite
often.  Once you were compromised, they installed an IRC bot which
"shares" files using DCC.  Some variants of the bot take other commands
or can pass arbitrary commands to the host computer.  We've seen several
of these involved in DDoS attacks.

Tools to help connect ports w/ processes are fport and vision both by
FoundStone, and both available for download, I believe.  You *may* be
able to clean up the machine using these, all though my strong
recommendation would be an OS re-install.

I hope this helps.

-Chris

Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
253A North Building, Box 90132, Durham, NC  27708-0291
PH: 919-660-7003  FAX: 919-660-7076  CELL: 919-210-0528
PGP Public Key: http://www.duke.edu/~cramer/cramer.pgp


On Tue, 2002-08-27 at 04:22, Janus () etoast com wrote:
> I recogniced some weird connections from my box (w98)
> to other computers. As soon as i connect to the
> internet a connection from local port 1026 to port 6667
> on 65.185.135.125 was established. I connected to that
> server and it is an irc server (MusIRC Internet Relay
> Chat Network). I found a bot using my adress with a
> random name made up of letters. The server
> administrator told me that he has recognized these bots
> coming from many different hosts for quite ome time
> now. They all try to join a channel named #nutz on that
> server. He has seen people giving commands to those
> bots so he closed down the channel. They give a msg
> after kicked "Fuck you <name of the person that has
> kicked them>. To version request they reply with
> something like that too. I checked for open ports on my
> box and found 113 open. A few days ago i deleted a
> net-devil v.1.4 from my system. Not sure if that has
> anything to do with that. After installing a freeware
> firewall to see what it will do if i blocked its
> outgoing port and deleting it afterwards it just
> changed the outgoing port. As i am typing this a
> netstat -an reveals
>
> TCP    0.0.0.0:1301           0.0.0.0:0             
> LISTENING
>   TCP    0.0.0.0:1705           0.0.0.0:0             
> LISTENING
>   TCP    127.0.0.1:1027         0.0.0.0:0             
> LISTENING
>   TCP    127.0.0.1:1704         0.0.0.0:0             
> LISTENING
>   TCP    127.0.0.1:1704         127.0.0.1:1705        
> ESTABLISHED
>   TCP    127.0.0.1:1705         127.0.0.1:1704        
> ESTABLISHED
>   TCP    217.84.185.171:1301    65.185.135.125:6667   
> ESTABLISHED
>   UDP    127.0.0.1:1027         *:*                    
>
>
> I couldnt find a freeware tool to find out which
> process is using this specific irc connection, nor did
> a scan with f-prot or housecall or panda reveal any
> viral or trojan activity.
>
> Any help or info would be really appreciated. Thanks in
> advance
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com