Re: Internet Wide DOS Attack using IRC

From: Kameron Gasso (rootat_private)
Date: Fri Oct 02 1998 - 08:55:18 PDT


    This might be an unreleased Back Orifice plugin from an internet user who
    dislikes GeoCities (only speculation).  Odds are, it was distributed
    widely over IRC in a Warez package or something similar.
    
    
    >    The complete content of the 5845 directory was:  nfo.zip, nfo.jpg,
    >    servers.zip, servers.jpg, users.zip and users.jpg.  When I looked at the
    >    binary files by doing a cat, the users jpg & zip files were the same, but
    >    the other files were all unique.
    
    From the names of those files, I'd guess that's a warez pup's account.
    Then again, who knows.
    
    >    We did find an entry in his registry with the following setting:
    >
    >    /microsoft/windowsexplorer/doc/find/spec/mru
    >    a) " "
    >    b) 5845
    >    c) nfo
    >    d) bo
    >    e) nfo.zip
    >    f) winrar
    >    g) msvbvm60.dll
    >    h) loadwc
    >    i) stargate
    >    j) area51
    >    mrulist) eadcbjihgf
    
    What's the full name of that registry key?  The file msvbvm60.dll looks
    like a Visual BASIC runtime library, possibly a Back Orifice plugin of
    some sort.
    
    >    I also asked our ISP to help track some of this and this was their
    >    result.  "All the IP's I've scanned so far from the log have several UDP
    >    ports open in the 31337 range (what Back Orifice uses)."
    
    This is also why I think it may be a BO plugin.  Unfortunately, these
    users have no idea they're helping attack a server, and probably wouldn't
    suspect a thing.
    
    >    So, we really need to find the source instead of asking everyone to
    >    reinstall their OS.  It might also be necessary to inform the various
    >    virus-detection software vendors to try to eradicate this from all of
    >    the machines that currently have it installed.
    
    If it's Back Orifice, some virus scanners will already pick it up.  This
    still doesn't solve the problem of the plugin, which can be stored in any
    file type, text, dll, or binary.
    
    
    If you do find what it is, please let me know, as I myself am curious.
    Thank you.
    
    Sincerely,
    
    Kameron Gasso
    
    
    Direct legitimate replies to krgat_private - Flames, spams, etc. will
    be handled by the little green monster named /dev/null I keep locked away
    in my dungeon.
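    Editor's added example (not part of Kameron's or the original poster's
    message): the registry fragment quoted above is an Explorer search-history
    MRU list, and the "mrulist" value "eadcbjihgf" is the part that carries
    the forensic timeline. In Windows 9x/NT MRU keys of this type, each entry
    is stored under a single-letter value name and MRUList holds those letters
    most-recently-used first, so the letters can be replayed into the order in
    which the user actually ran the searches. The script below does that for
    the values quoted in the thread (transcribed here as constructed sample
    data); the key is, to my knowledge, HKCU\Software\Microsoft\Windows\
    CurrentVersion\Explorer\Doc Find Spec MRU, which is an assumption on my
    part and not something the thread states. The list of "suspect" terms is
    likewise an illustration drawn from the discussion, not a vendor signature.

```python
"""Decode a Windows Explorer MRU registry list into chronological order.

Added example for the thread above; not code from the original post.
Assumption: MRUList stores one letter per entry, most recently used first
(Windows 9x/NT "Doc Find Spec MRU" layout). Sample data below is
transcribed from the registry values quoted in the thread.
"""
from typing import Dict, List, Tuple

# Constructed sample: the single-letter values quoted in the thread.
SAMPLE_MRU: Dict[str, str] = {
    "a": " ",
    "b": "5845",
    "c": "nfo",
    "d": "bo",
    "e": "nfo.zip",
    "f": "winrar",
    "g": "msvbvm60.dll",
    "h": "loadwc",
    "i": "stargate",
    "j": "area51",
}
SAMPLE_MRULIST = "eadcbjihgf"

# Illustrative terms the thread itself associates with Back Orifice;
# an assumption for this example, not a detection signature.
SUSPECT_TERMS = ("bo", "msvbvm60.dll")


def decode_mru(entries: Dict[str, str], mrulist: str) -> List[Tuple[int, str, str]]:
    """Return (rank, slot, value) tuples, rank 1 = most recent search.

    A letter repeated in a damaged MRUList is counted once; a letter that
    names a slot missing from the export is reported as '<missing>' so a
    partial hive dump still yields a usable timeline.
    """
    order: List[Tuple[int, str, str]] = []
    seen = set()
    for slot in mrulist:
        if slot in seen:
            continue
        seen.add(slot)
        order.append((len(order) + 1, slot, entries.get(slot, "<missing>")))
    return order


def orphan_slots(entries: Dict[str, str], mrulist: str) -> List[str]:
    """Slots present in the key but absent from MRUList.

    These are stale entries Explorer no longer shows; they can still hold
    older search strings worth reading during an investigation.
    """
    return sorted(set(entries) - set(mrulist))


def flag_suspect(order: List[Tuple[int, str, str]],
                 terms=SUSPECT_TERMS) -> List[Tuple[int, str]]:
    """Pick out (rank, value) pairs whose search string matches a term."""
    return [(rank, value) for rank, _slot, value in order
            if value.strip().lower() in terms]


if __name__ == "__main__":
    timeline = decode_mru(SAMPLE_MRU, SAMPLE_MRULIST)
    for rank, slot, value in timeline:
        print(f"{rank:2d}  {slot}  {value!r}")
    print("orphans:", orphan_slots(SAMPLE_MRU, SAMPLE_MRULIST))
    print("suspect:", flag_suspect(timeline))
```

    Replayed this way, the quoted list says the most recent Explorer search
    was for "nfo.zip", with "bo" as the third most recent and "msvbvm60.dll"
    well down the list; that ordering, not the raw letters, is what to note
    when deciding whether the user went looking for the tool or merely had
    it land on the box.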
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:36 PDT