Look for the file psybnc.conf. There you can find the host they are using to
connect to your machine.

USER1.OP.ENTRY= something

There you can find which channels they use and so on.

-Tommi

----- Original Message -----
From: "Chris Huseman" <ChrisH@A-t-g.com>
To: "'Andrew Heath'" <ah228at_private>
Cc: <incidentsat_private>
Sent: Thursday, June 21, 2001 4:28 PM
Subject: RE: New maniac rootkit

> > -rwxr-xr-x 1 root root 44313 Apr 2 15:24 bnc
> >   - Bot Net Client? bnc.conf mentions port 6667
> > -rw-r--r-- 1 root ftp 52 May 11 08:19 bnc.conf
> >   - bnc's config file
> >
> > I also know it's making IRC connections, plus has at least one
> > rootshell running. I can't confirm this without modifying bits
> > of the box, to replace ps with a known good copy, and I can't do
> > that until one of my colleagues looks at it to get first hand
> > experience.
> >
>
> BNC is an IRC proxy. See: http://www.gotbnc.com
>
> You may be able to get more info on your intruder by seeing who it is that
> is using that bnc.. find a clean copy of netstat and look at the port
> bnc.conf says it's listening on.
>
> -chris

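Added example, not part of the original thread: a small triage script that groups the dotted KEY=VALUE lines of a recovered psybnc.conf by USERn section and pulls out host/IP and channel strings for the incident notes. Only the key shape `USER1.OP.ENTRY=` comes from the message above; the other key names, the comment-line handling and every value in the sample are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. Only the USERn.OP.ENTRY key shape is taken from the
# thread; the PLACEHOLDER keys and all values are made up for illustration.
SAMPLE_CONF = """\
# constructed sample, not from a real host
USER1.OP.ENTRY=*!*@host.example.net
USER1.PLACEHOLDER.CHAN=#example-chan
USER2.OP.ENTRY=*!*@192.0.2.44
GLOBAL.PLACEHOLDER.PORT=6667
this line has no equals sign
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
CHAN = re.compile(r"#[^\s,;]+")

def parse_conf(text):
    """Group KEY=VALUE lines by the first dotted component of the key."""
    sections = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comment lines and anything that is not KEY=VALUE.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values may themselves contain '='
        sections[key.split(".", 1)[0].upper()].append((key.strip(), value.strip()))
    return dict(sections)

def triage(text):
    """Per USERn section, collect host/IP and channel strings seen in values."""
    report = {}
    for section, entries in parse_conf(text).items():
        if not re.fullmatch(r"USER\d+", section):
            continue
        hosts, chans = set(), set()
        for _key, value in entries:
            hosts.update(IPV4.findall(value))
            hosts.update(HOST.findall(value))
            chans.update(CHAN.findall(value))
        report[section] = {"hosts": sorted(hosts), "channels": sorted(chans)}
    return report

if __name__ == "__main__":
    for user, found in triage(SAMPLE_CONF).items():
        print(user, found)
```

Run it against a copy of the file taken from a disk image or read-only mount, not on the live compromised host.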
This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 18:18:18 PDT