Hi Jamie, ./I have several machines that are using excessive bandwidth. Upon ./inspection, I find multiple connections to servers with names like ./irc.badguuy.com, etc... On 6667. Well, my first guess is that your machines are used for a dDoS, controlled through (modified) eggdrops and the irc-servers. Did you run a tcpdump to see which channel(s) they join and with what key? You could use an 'anonimized' machine which does not lead back to your official network and join the chan, pose as an eggdrop and do some research. Just wait until you get queried with commands :) ./Incoming connections are random although 1067 seems to be a common one. ./I have 4 instances of cmd.exe running and 2 ./of win.exe While it looks like Egghead, the reg entries ./aren't there nor the directories/files. Maybe they pose as other programs. You could try to use some tools from sysinternals (www.sysinternals.com) or so to examine which program is using the socket that is connected to the irc-server. ./What is confusing to me is that one of them uses our Exchange server which is protected by ./Antigen (and I pull nearly every extension known to man) and ./McAffee on the desktop. I can't find anything that matches this. Anyone ./have any insight? Not sure. Maybe they don't see eggdrops as a threat / trojan. They were in the first place surely never written to be any of those. Maybe the characteristics of the used programs do not match the definitions because they are slightly modified. There are serveral ways to circumvent virusscanners. Good luck, P. Vissers ./Thanks ./ ./J ./ ./-------------------------------------------------------------- ./-------------- ./This list is provided by the SecurityFocus ARIS analyzer service. ./For more information on this free incident handling, management ./and tracking system please see: http://aris.securityfocus.com ./ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 08:29:44 PDT