Vulnerability Development mailing list archives

Re: Suspicious joe.exe

From: Blake Frantz <blake () mc net>
Date: Thu, 2 Aug 2001 12:11:46 -0500 (CDT)

Its an irc bot that is used to do distributed DoS attacks. The
IRC channel acts command center for all the bots. You could sniff the
traffic and figure out how to pretend to be irc bot to get into the
channel. After that you can get IP/userinfo of person controlling
all the bots. It probably came in email that you opened in outlook.


The majority of the boxes I find infected with such bots have vulnerable
IIS instances or world writable shares -- In addition to mail, might want
to check you patch levels and share permissions too.

-Blake

Current thread:

Suspicious joe.exe Reb (Aug 01)
- Re: Suspicious joe.exe Rikul (Aug 02)
  - Re: Suspicious joe.exe Blake Frantz (Aug 02)
- Re: Suspicious joe.exe Felix Huber (Aug 02)
- Re: Suspicious joe.exe Josh Smith (Aug 02)
- RE: Suspicious joe.exe Haul (Aug 02)
  - RE: Suspicious joe.exe Reb (Aug 02)
- <Possible follow-ups>
- RE: Suspicious joe.exe Petruzel, Oliver (Aug 02)
- RE: Suspicious joe.exe Reb (Aug 02)
  - RE: Suspicious joe.exe Mark L'Italien (Aug 02)
    - RE: Suspicious joe.exe Bo Stark (Aug 02)
    - Re[2]: Suspicious joe.exe Greg Wirth (Aug 03)
  - RE: Suspicious joe.exe Haul (Aug 02)

(Thread continues...)