Re: Recent IRC attacks

From: adam (agrahamat_private)
Date: Thu Jul 12 2001 - 13:26:23 PDT

  • Next message: John Marquart: "Re: Denial of service attack on port 6667"

    Our Linux box was hit (attempted).... running hybrid.... IRC server and 
    Red Hat 7.0.... last night (July 11)
    
    
    
    At 11:06 AM 7/12/2001 -0500, you wrote:
    
    >Anyone seen the recent IRC related attacks?  We were the source
    >and destination for more than one massive flood yesterday.
    >
    >
    >The MO so far seems to be:
    >
    >   + Flood of IP protocol 255 packets from random, poorly admined, Win2K boxen.
    >
    >   + The attacks seem to be directed almost exclusively at IRC servers.
    >
    >
    >So far, we've found that the hacked Win2K boxes have the following:
    >
    >   Back Orifice installed as
    >
    >     c:\winnt\java\w.exe
    >
    >   Also, there was a new executable installed as
    >
    >     c:\winnt\system32\wlogin.exe
    >
    >   And this was running as a service.
    >
    >
    >Also, the hacked machines seem to be controlled via IRC.  They're
    >connecting to rogue IRC servers running on what appear to be hacked
    >machines on DSL/Cablemodems.
    >
    >
    >If I had to guess how they got this stuff installed, I'd say that it
    >was done via IIS.  None of the hacked machines that I've seen were patched
    >and they were all running IIS.
    >
    >
    >Paul
    >--
    >Paul Dokas                                            dokasat_private
    >======================================================================
    >Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
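The flood described in the quoted message consists of IP packets carrying protocol number 255, which IANA lists as Reserved and which no legitimate service on an IRC host should be receiving. The following is an added example written for this archive page, not code from either poster: a small Python script that parses iptables-style kernel log lines, counts packets per source address for a chosen protocol number, and reports sources that exceed a threshold. The log lines, host name, addresses and threshold are constructed for the example (Red Hat 7.0 shipped ipchains by default, so the exact log layout on the poster's box is an assumption); the field-by-field KEY=VALUE parse works for any logger that emits SRC=, DST= and PROTO= fields.

```python
import re
from collections import Counter

# Constructed iptables-style kernel log lines (sample data for this example,
# not captured from the original post). Protocol 255 packets from two sources,
# plus ordinary TCP traffic to the IRC port and one ICMP echo request.
SAMPLE_LOG = """\
Jul 12 03:14:22 ircd kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=112 ID=1 PROTO=255
Jul 12 03:14:22 ircd kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=112 ID=2 PROTO=255
Jul 12 03:14:22 ircd kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=112 ID=3 PROTO=255
Jul 12 03:14:23 ircd kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=60 TTL=120 ID=9 PROTO=255
Jul 12 03:14:23 ircd kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=52 TTL=55 ID=77 PROTO=TCP SPT=4521 DPT=6667
Jul 12 03:14:24 ircd kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.5 LEN=84 TTL=60 ID=78 PROTO=ICMP TYPE=8 CODE=0
"""

# Matches the KEY=VALUE pairs that the kernel packet logger writes.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one kernel log line as a dict.

    Lines that are not packet-logger output (no 'kernel:' tag, or missing the
    SRC/PROTO fields) return None so callers can skip them safely.
    """
    if "kernel:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def count_by_source(lines, protocol="255"):
    """Count logged packets per SRC address for the given PROTO value.

    The logger prints TCP/UDP/ICMP by name and everything else as a number,
    so protocol 255 appears literally as PROTO=255.
    """
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields is not None and fields["PROTO"] == protocol:
            counts[fields["SRC"]] += 1
    return counts


def flood_sources(lines, protocol="255", threshold=3):
    """Return the sorted list of sources that sent at least `threshold`
    packets of the given protocol; these are the candidates to block."""
    counts = count_by_source(lines, protocol)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, n in count_by_source(lines).most_common():
        print(f"{src:16} protocol 255 packets: {n}")
    print("flood sources:", flood_sources(lines))
```

Once the flooding sources are known, the cheapest mitigation on the Linux side is to drop the protocol outright at the border rather than per source, since nothing on an IRC host expects it; with iptables that is a rule of the form `-p 255 -j DROP` on the INPUT chain, and the numeric protocol match is accepted directly by `-p`.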
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 13:45:23 PDT