Our Linux box was hit (attempted)... running hybrid IRC server and Red Hat 7.0... last night (July 11).

At 11:06 AM 7/12/2001 -0500, you wrote:
>Anyone seen the recent IRC-related attacks? We were the source
>and destination for more than one massive flood yesterday.
>
>
>The MO so far seems to be:
>
>  + Flood of IP protocol 255 packets from random, poorly admined, Win2K
>    boxen.
>
>  + The attacks seem to be directed almost exclusively at IRC servers.
>
>
>So far, we've found that the hacked Win2K boxes have the following:
>
>  BackOrifice installed as
>
>    c:\winnt\java\w.exe
>
>  Also, there was a new executable installed as
>
>    c:\winnt\system32\wlogin.exe
>
>  And this was running as a service.
>
>
>Also, the hacked machines seem to be controlled via IRC. They're
>connecting to rogue IRC servers running on what appear to be hacked
>machines on DSL/cable modems.
>
>
>If I had to guess how they got this stuff installed, I'd say that it
>was done via IIS. None of the hacked machines that I've seen were patched
>and they were all running IIS.
>
>
>Paul
>--
>Paul Dokas dokasat_private
>======================================================================
>Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
>
>
>----------------------------------------------------------------------------
>
>
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see:
>
>http://aris.securityfocus.com
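The quoted message describes the flood as many compromised Win2K hosts sending IP protocol 255 packets at one IRC server. The following is an added example, not code from either poster, showing how an operator on the Linux side could confirm that pattern from Netfilter/iptables LOG output (a rule such as `iptables -A INPUT -p 255 -j LOG` would produce it). The log lines, the hosts, the flood threshold and the time window are all constructed for the example; the kernel log field names (SRC, DST, PROTO) are the real Netfilter ones.

```python
"""
Added example (not from the original mailing-list thread): flag source hosts
that send a burst of IP protocol 255 packets at one destination, the MO
described in the quoted report. Sample log lines and thresholds are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Netfilter LOG lines carry "SRC=a.b.c.d DST=e.f.g.h ... PROTO=255" (numeric
# PROTO for protocols the kernel has no name for). DPT only appears for TCP/UDP.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
# Syslog timestamp at the start of the line, e.g. "Jul 11 23:14:00" (no year).
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")

# Constructed sample: two hosts bursting protocol 255 at the IRC server
# 192.0.2.10, one host sending a single packet, one host trickling three
# packets a minute apart, and normal TCP/6667 traffic that must be ignored.
SAMPLE_LOG = """\
Jul 11 23:14:00 ircd kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:00 ircd kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:00 ircd kernel: IN=eth0 OUT= SRC=10.1.4.4 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:01 ircd kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:01 ircd kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:01 ircd kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=1031 DPT=6667
Jul 11 23:14:02 ircd kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:03 ircd kernel: IN=eth0 OUT= SRC=10.1.2.9 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:03 ircd kernel: IN=eth0 OUT= SRC=10.1.2.9 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:03 ircd kernel: IN=eth0 OUT= SRC=10.1.2.9 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:03 ircd kernel: IN=eth0 OUT= SRC=10.1.2.9 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:05 ircd kernel: IN=eth0 OUT= SRC=10.1.3.3 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:14:30 ircd kernel: IN=eth0 OUT= SRC=10.1.4.4 DST=192.0.2.10 LEN=40 PROTO=255
Jul 11 23:15:00 ircd kernel: IN=eth0 OUT= SRC=10.1.4.4 DST=192.0.2.10 LEN=40 PROTO=255
"""


def parse_line(line):
    """Return (timestamp, fields) for a Netfilter LOG line, or None otherwise."""
    m = TS_RE.match(line)
    if not m or "PROTO=" not in line:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return ts, fields


def detect_floods(log_text, proto="255", threshold=3, window_seconds=10):
    """Return {(src, dst): peak} for each src->dst pair that sent at least
    `threshold` packets of IP protocol `proto` inside some `window_seconds`
    window. A slow trickle below the threshold is deliberately not flagged."""
    stamps_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f["PROTO"] != proto:
            continue
        stamps_by_pair[(f["SRC"], f["DST"])].append(ts)

    floods = {}
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[pair] = peak
    return floods


def sources_per_target(floods):
    """Count distinct flooding sources per destination: many sources on one
    target is the distributed pattern the report describes."""
    per_dst = defaultdict(set)
    for src, dst in floods:
        per_dst[dst].add(src)
    return {dst: len(srcs) for dst, srcs in per_dst.items()}


if __name__ == "__main__":
    found = detect_floods(SAMPLE_LOG)
    for (src, dst), peak in sorted(found.items()):
        print(f"{src} -> {dst}: {peak} protocol-255 packets in a 10 s window")
    print("flooding sources per target:", sources_per_target(found))
```

The single-packet host and the one-per-minute host are not reported, so the output lists only genuine bursts. Once the pattern is confirmed, the same box can drop the protocol outright with `iptables -A INPUT -p 255 -j DROP`, since no legitimate traffic uses protocol number 255.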
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 13:45:23 PDT