RE: grc attacks

From: James Cox (james.cox3at_private)
Date: Thu Jun 14 2001 - 17:10:57 PDT


    Actually,
    
    the file which was used in the GRC attacks was called rundIl.exe; however,
    there are so many zombie bots that it's quite likely that one wouldn't work.
    
    The best way to find the bots is to do as Gibson suggests: install Zone Alarm
    and lock the internet. Then establish which programs are trying to
    connect (you'll see that as the alerts pop up) and remove those files.
    
    Also remember to check the win.ini run= command for other possible
    references, as well as the registry keys (Start > Run >regedit.exe):
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    
    >   TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
    
    That is interesting. It almost looks as if you have either a well-configured
    bot, which doesn't show the IP it's connecting to, or one that's badly
    configured and is not connecting anywhere. Feel free to send me full logs
    (type netstat -a at the command prompt), and I'll confirm whether you are
    bugged :)
    
    Hope that helps,
    
    James Cox
    
    -----Original Message-----
    From: CJ Oakwood [mailto:cj_oakwoodat_private]
    Sent: 14 June 2001 01:45
    To: 'Alicia Laing'; 'Ingersoll, Jared'; 'Casey DeBerry'; 'basics';
    'INCIDENTS'
    Subject: RE: grc attacks
    
    
    The file is called RunDIL.exe... (D-I-L not dll)
    
    -----Original Message-----
    From: Alicia Laing [mailto:alicia.laingat_private]
    Sent: Tuesday, June 12, 2001 13:58
    To: Ingersoll, Jared; 'Casey DeBerry'; basics; INCIDENTS
    Subject: RE: grc attacks
    
    
    I did the scan and got the same thing. How can I find the bots and
    remove them?
    
    -----Original Message-----
    From: Ingersoll, Jared [mailto:JIngersollat_private]
    Sent: Monday, June 11, 2001 10:53 AM
    To: 'Casey DeBerry'; basics; INCIDENTS
    Subject: RE: grc attacks
    
    
    Great Article. I checked one of our hosts that has since been moved
    completely behind packet filtering and got the following:
    
    C:\>netstat -an | find ":6667"
      TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
    
    According to Gibson, the 6667 seems to indicate the presence of a bot
    used on an IRC network. Agree/Disagree? What's the relevance of 0.0.0.0?
    
    Jared
    
    -----Original Message-----
    From: Casey DeBerry [mailto:cdeberryat_private]
    Sent: Friday, June 08, 2001 11:44 AM
    To: basics; INCIDENTS
    Subject: grc attacks
    
    
    Great story from the man behind grc.com.
    Steve Gibson's DDoS investigation that also covers a little on personal
    firewalls, evaluates bots, forensics, etc...
    
    http://grc.com/dos/grcdos.htm
    
    



    This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 16:06:00 PDT