Recent IRC attacks

From: Paul Dokas (dokasat_private)
Date: Thu Jul 12 2001 - 09:06:55 PDT


    Anyone seen the recent IRC related attacks?  We were the source
    and destination for more than one massive flood yesterday.
    
    
    The MO so far seems to be:
    
      + Flood of IP protocol 255 packets from random, poorly admined, Win2K boxen.
    
      + The attacks seem to be directed almost exclusively at IRC servers.
    
    
    So far, we've found that the hacked Win2K boxes have the following:
    
      BackOrifice installed as
    
        c:\winnt\java\w.exe
    
      Also, there was a new executable installed as
    
        c:\winnt\system32\wlogin.exe
    
      And this was running as a service.
    
    
    Also, the hacked machines seem to be controlled via IRC.  They're
    connecting to rogue IRC servers running on what appear to be hacked
    machines on DSL/Cablemodems.
    
    
    If I had to guess how they got this stuff installed, I'd say that it
    was done via IIS.  None of the hacked machines that I've seen were patched
    and they were all running IIS.
    
    
    Paul
    -- 
    Paul Dokas                                            dokasat_private
    ======================================================================
    Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
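A detection sketch for the pattern described in the post, added here as an example and not part of the original message: it walks flow records, flags destinations receiving floods of IP protocol 255 packets, and cross-references the flooding sources with outbound IRC connections (the control channel the post mentions). The flow format, the packet threshold and the IRC port 6667 are assumptions; the records are constructed.

```python
from collections import defaultdict

# Constructed sample flow records (not from the original post):
# timestamp src_ip dst_ip ip_protocol dst_port packets
SAMPLE_FLOWS = """\
2001-07-11T14:00:01 10.1.2.3 192.0.2.10 255 0 48000
2001-07-11T14:00:01 10.1.2.4 192.0.2.10 255 0 51000
2001-07-11T14:00:02 10.1.2.5 192.0.2.10 255 0 47500
2001-07-11T14:00:02 10.1.2.3 203.0.113.7 6 6667 12
2001-07-11T14:00:03 10.1.9.9 192.0.2.20 6 80 3
2001-07-11T14:00:04 10.1.2.4 203.0.113.7 6 6667 9
"""

PROTO_RESERVED = 255   # IP protocol 255 is reserved; legitimate traffic should not use it
FLOOD_PKTS = 10000     # assumed per-flow packet count that counts as a flood
IRC_PORTS = {6667}     # assumed IRC port; the post does not name one


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, pkts = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": int(proto), "dport": int(dport), "pkts": int(pkts)})
    return flows


def find_proto255_floods(flows, threshold=FLOOD_PKTS):
    """Return {dst: total_packets} for destinations hit by protocol-255 floods."""
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] == PROTO_RESERVED:
            totals[f["dst"]] += f["pkts"]
    return {dst: n for dst, n in totals.items() if n >= threshold}


def find_irc_controlled_sources(flows, threshold=FLOOD_PKTS):
    """Sources that both send protocol-255 floods and talk to IRC: likely bots.
    Returns {src: [irc_server, ...]} so the rogue IRC servers can be listed too."""
    flooders = {f["src"] for f in flows
                if f["proto"] == PROTO_RESERVED and f["pkts"] >= threshold}
    irc_peers = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["dport"] in IRC_PORTS:  # TCP to an IRC port
            irc_peers[f["src"]].add(f["dst"])
    return {src: sorted(irc_peers[src]) for src in sorted(flooders) if src in irc_peers}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("flooded targets:", find_proto255_floods(flows))
    print("bots and their IRC servers:", find_irc_controlled_sources(flows))
```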
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 11:21:33 PDT