Security Incidents mailing list archives

Re: NKADM rootkit - Something new?


From: <caldcv () students fccj org>
Date: 26 May 2004 16:56:46 -0000

In-Reply-To: <20040525220531.CLUE6905.lakermmtao10.cox.net () smtp central cox net>

D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\eggdrop.conf
D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\sitebot.chan
D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\sitebot.chan~bak
D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\sitebot.user
D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\sitebot.user~bak

Very interesting files. These files are generated by Eggdrop, a popular IRC bot for administrating channels. The 
sitebot.chan is the channel list for the bot and the sitebot.user file is the user file. If you open eggdrop.conf, 
you'll find this when you scroll down:

# Un-comment the next line and set the list of owners of the bot.
# You NEED to change this setting.
set owner "botowner"

This will give you the name of the person who admins the bot hosted on your machine. Remember this name, it'll be 
useful later on.

Scroll down to #### SERVER MODULE ####

# This is the bot's server list. The bot will start at the first server
# listed, and cycle through them whenever it gets disconnected. You need
# to change these servers to YOUR network's servers.
#
# The format is:
#   server[:port[:password]]
#
# Both the port and password fields are optional; however, if you want to 
# set a password you must also set a port. If a port isn't specified it 
# will default to your default-port setting.
set servers {
  irc.someircserver.net:6667
}

This tells you where to connect to. If you connect to that IRC server with an IRC client, you can start tracking down 
some of the people who compromised your machine. A lot of system administrators don't know it, but the IRC warez scene 
is getting very big. Every small group has people called "scanners" who just scan IP addresses and "rooters" who 
compromise the machines that were just scanned and found to be vulnerable.

I run legitimate eggdrops on legitimate IRC networks for legitimate purposes, so I would know where to start ;) I would 
join the channels inside sitebot.chan and see what's going on, logging everything for law enforcement, issue a /whois 
for the "owner" listed on eggdrop.conf, but that's just me.

I hope this is very helpful.

--CC
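The post walks through pulling two facts out of a recovered eggdrop.conf by hand: the `set owner` line and the `set servers { ... }` block in the `server[:port[:password]]` format the config's own comments describe. The script below is an added example for doing that triage step programmatically during an incident review; it is not code from the post, from Eggdrop, or from the nkadm files. The embedded config text is a constructed sample modelled on the excerpts quoted above, and the hostnames, owner name and password in it are placeholders, not values from any real compromise. It also handles the cases a hand read can miss: a `default-port` declared after the server block, a server entry without a port, and a password that itself contains a colon.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample eggdrop.conf, modelled on the excerpts quoted in the post.
# Host names, owner and password are placeholders, not values from any real incident.
SAMPLE_CONF = """\
##### GENERAL STUFF #####
set username "lamest"
# Un-comment the next line and set the list of owners of the bot.
# You NEED to change this setting.
set owner "botowner"
set admin "Lamer <email: lamer@lamest.lame.org>"

#### SERVER MODULE ####
# The format is:
#   server[:port[:password]]
set servers {
  irc.someircserver.net:6667
  irc.example.net:7000:s3c:ret
  irc.example.org
}
set default-port 6667
"""


@dataclass
class IrcServer:
    host: str
    port: int
    password: Optional[str] = None


@dataclass
class BotProfile:
    owner: Optional[str] = None
    admin: Optional[str] = None
    default_port: int = 6667          # Eggdrop's own default when the directive is absent
    servers: List[IrcServer] = field(default_factory=list)


def _strip_comment(line: str) -> str:
    # A '#' at line start or after whitespace opens a Tcl comment; a '#' glued to a
    # value (e.g. a channel name) is kept. Good enough for the directives parsed here.
    return re.split(r'(?:^|\s)#', line, maxsplit=1)[0].strip()


def parse_server_entry(entry: str, default_port: int) -> IrcServer:
    # server[:port[:password]] -- split at most twice so a password containing ':' survives
    parts = entry.split(':', 2)
    host = parts[0]
    port = int(parts[1]) if len(parts) > 1 and parts[1] else default_port
    password = parts[2] if len(parts) > 2 else None
    return IrcServer(host, port, password)


def parse_eggdrop_conf(text: str) -> BotProfile:
    """Extract owner, admin contact and the IRC server list from eggdrop.conf text."""
    profile = BotProfile()
    in_servers = False
    pending: List[str] = []           # raw server entries, resolved once default-port is known
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if in_servers:
            if line.startswith('}'):
                in_servers = False
            else:
                pending.extend(line.split())
            continue
        m = re.match(r'set\s+([\w-]+)\s+(.*)$', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == 'owner':
            profile.owner = value.strip('"')
        elif key == 'admin':
            profile.admin = value.strip('"')
        elif key == 'default-port':
            profile.default_port = int(value)
        elif key == 'servers' and value.startswith('{'):
            rest = value[1:].strip()
            in_servers = True
            if rest.endswith('}'):    # single-line form: set servers { host:port }
                in_servers = False
                rest = rest[:-1].strip()
            if rest:
                pending.extend(rest.split())
    profile.servers = [parse_server_entry(e, profile.default_port) for e in pending]
    return profile


def triage_lines(profile: BotProfile) -> List[str]:
    """Plain-text summary suitable for pasting into an incident report."""
    out = [f"bot owner handle: {profile.owner or '<not set>'}",
           f"admin contact:    {profile.admin or '<not set>'}"]
    for s in profile.servers:
        out.append(f"irc server: {s.host}:{s.port}" + (" (password set)" if s.password else ""))
    return out


if __name__ == '__main__':
    for line in triage_lines(parse_eggdrop_conf(SAMPLE_CONF)):
        print(line)
```

Run it against the real file with `parse_eggdrop_conf(open(path, encoding='latin-1').read())`; the summary deliberately notes only that a server password exists rather than printing it, so the report can be shared without leaking a credential that may still be live on the attacker's network.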
