I have done my own investigation about it. First, it's not Back Orifice, it's another fuck*** trojan, spread by a DCC bot on EFnet (#warez950-dcc). When it's installed it requests 3 files on Geocities (configuration). After that, the trojan starts an IRC session on EFnet. The first channel was #^C^CHaVoC^B^B with a key; when they discovered the presence of an intruder they changed the channel (#^_^_HaVoC^B^B). And since 1-2 weeks the channel is empty, and when I start my laptop (infected) I see, on the monitoring screen of my server, some connections to Geocities that retrieve a file and get a 404 URL not found back.

When a clone (Havoc calls an infected computer a "Drone") is connected on IRC, anybody can control it with private msg commands (.join #chan, .part, .do [raw command]). 2-3 weeks ago the infected chan had about 500-700 drones (stable). My personal estimation of infected computers is 15000+. With 500 "clones" they can easily split an IRC server with the command MOTD :irc.server.net (.do raw command).

To see if you are infected do CTRL-ALT-DEL in Windows and if you have a process called OCE it's the Havoc trojan :] Remove it from your system directory, usually c:\windows\system.

Samuel Cossette

-----Original Message-----
From: dbarba <dbarbaat_private>
To: BUGTRAQat_private <BUGTRAQat_private>
Date: 2 October 1998 18:09
Subject: Internet Wide DOS Attack using IRC

> Please forward this on to the appropriate people if necessary.
>
> GeoCities is currently experiencing a DOS attack that appears to be
> spread by a trojan horse in a mIRC script.
>
> GeoCities is receiving thousands of HTTP requests from thousands of
> unique computers daily for a file that no longer exists on our servers.
> The specific count for one minute on Friday, September 25 at 10:17 am
> was 3,522 hits, 1,492 of them from unique IP's. For the time period of
> 3 am to 10:17 am on 9/25 we had 3,562 unique IPs request this one file.
> It does not appear to be specifically requested by the user of that
> computer. This request uses no browser and is usually requesting the
> file every 30 seconds while the user is connected to the Internet. The
> requests are coming from around the world and have been slowly building
> up since at least August 18, 1998 (the farthest back our access logs go).
>
> The attack is requesting a file from our site:
>
> http://www.geocities.com/Area51/Stargate/5845/nfo.zip
>
> The complete content of the 5845 directory was: nfo.zip, nfo.jpg,
> servers.zip, servers.jpg, users.zip and users.jpg. When I looked at the
> binary files by doing a cat, the users jpg & zip files were the same,
> but the other files were all unique.
>
> It does not use a browser or store cookies. At the moment, the file
> being requested is of zero size. When there is a file of size, originally
> it was 8k and I later inserted a short note to contact me regarding the
> attack into the nfo.zip file, at which time the attack becomes much worse
> on the Windows machines that are requesting the file.
>
> Also, an odd note, there are a couple machines that are requesting the
> file named nfo.jpg. Those are requested every minute instead of every
> 30 seconds.
>
> I have contacted a user that complained about GeoCities attacking him.
> In reality, his computer was asking for the nfo.zip file from us every
> 30 seconds, and that was flooding his connection to the internet. I
> have worked with him closely since he found the problem. He only uses
> IRC. In fact, the first time he visited our website is after the attack
> started, when he was looking for a contact name and number. He does not
> surf the internet. He has subsequently reinstalled his OS and that has
> completely stopped the attack.
>
> We did find an entry in his registry with the following setting:
>
> /microsoft/windowsexplorer/doc/find/spec/mru
> a) " "
> b) 5845
> c) nfo
> d) bo
> e) nfo.zip
> f) winrar
> g) msvbvm60.dll
> h) loadwc
> i) stargate
> j) area51
> mrulist) eadcbjihgf
>
> When the user deleted the registry entry, the attack from his machine
> went from 1 GET every 30 seconds to 1 GET every second. After about 10
> minutes, it started slowing up and finally settled into about 1 GET
> every 17-20 seconds.
>
> I also asked our ISP to help track some of this and this was their
> result. "All the IP's I've scanned so far from the log have several UDP
> ports open in the 31337 range (what Back Orifice uses)."
>
> So, we really need to find the source instead of asking everyone to
> reinstall their OS. It might also be necessary to inform the various
> virus-detection software vendors to try to eradicate this from all of
> the machines that currently have it installed.
>
> Thank you for your help,
>
> Debbie Barba
> SysAdmin
> dbarbaat_private
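The quoted report identifies the infected hosts from the web server's own access logs: the same path fetched about every 30 seconds, no browser User-Agent, and counts of hits and unique IPs per minute. The script below is an added example written for this archive page, not code from either poster or from GeoCities. It parses Apache combined-format log lines and flags source IPs whose median request interval for the path sits close to the expected beacon period and that never send a browser User-Agent, and it reproduces the per-minute hit and unique-IP counts the report gives. The log lines, IP addresses and timestamps are constructed for the example; only the path and the "every 30 seconds, no browser" pattern come from the report.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (Apache combined format). IPs, timestamps and the
# browser entry are invented; the requested path comes from the report.
SAMPLE_LOG = """\
10.0.0.7 - - [25/Sep/1998:10:17:00 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.7 - - [25/Sep/1998:10:17:30 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.7 - - [25/Sep/1998:10:18:01 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.7 - - [25/Sep/1998:10:18:30 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:17:05 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:17:35 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:18:06 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:18:35 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.42 - - [25/Sep/1998:10:17:12 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "http://www.geocities.com/" "Mozilla/4.05 [en] (Win95; I)"
10.0.0.42 - - [25/Sep/1998:10:17:13 -0700] "GET /Area51/Stargate/5845/ HTTP/1.0" 200 1530 "-" "Mozilla/4.05 [en] (Win95; I)"
"""

TARGET_PATH = "/Area51/Stargate/5845/nfo.zip"

# One combined-format line: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def load_records(text):
    """Parse every line of an access log, silently skipping malformed ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def per_minute_stats(records, path):
    """Hits and unique source IPs per minute for one path: {minute: (hits, unique_ips)}."""
    hits = defaultdict(int)
    ips = defaultdict(set)
    for r in records:
        if r["path"] != path:
            continue
        minute = r["ts"].strftime("%Y-%m-%d %H:%M")
        hits[minute] += 1
        ips[minute].add(r["ip"])
    return {m: (hits[m], len(ips[m])) for m in hits}


def find_beacons(records, path, expected_interval=30.0, tolerance=5.0, min_hits=3):
    """Flag IPs that fetch `path` at a steady interval and never present a browser UA.

    An IP is reported when it has at least `min_hits` requests for the path, the
    median gap between consecutive requests is within `tolerance` seconds of
    `expected_interval`, and every request carried an empty User-Agent ("-").
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["path"] == path:
            by_ip[r["ip"]].append(r)
    beacons = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_hits:
            continue
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        no_browser = all(r["ua"] in ("-", "") for r in recs)
        if no_browser and abs(med - expected_interval) <= tolerance:
            beacons[ip] = {"hits": len(recs), "median_gap": med}
    return beacons


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for minute, (n, uniq) in sorted(per_minute_stats(recs, TARGET_PATH).items()):
        print(f"{minute}: {n} hits from {uniq} unique IPs")
    for ip, info in sorted(find_beacons(recs, TARGET_PATH).items()):
        print(f"beacon candidate {ip}: {info['hits']} hits, median gap {info['median_gap']}s")
```

On the constructed sample, the two hosts polling with an empty User-Agent at roughly 30-second spacing are reported and the ordinary browser visit is not. Against a real log the same functions would be run over the full file; the `min_hits` threshold and the interval tolerance are the knobs to tune once the poll period of a given infection is known, and the flagged IPs are what you would hand to the ISP or the affected users, as the report describes doing by hand.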
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:37 PDT