RE: I think I've been hacked...please help!

From: Pepijn Vissers (vissers@fox-it.com)
Date: Tue Apr 09 2002 - 04:39:31 PDT

Next message: mikedat_private: "AIM Backdoor?"

Previous message: Arnold, Jamie: "RE: I think I've been hacked...please help!"
Next in thread: KoRe MeLtDoWn: "RE: I think I've been hacked...please help!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Jamie,

./I have several machines that are using excessive bandwidth.  Upon
./inspection, I find multiple connections to servers with names like
./irc.badguuy.com, etc... On 6667.  

Well, my first guess is that your machines are 
used for a dDoS, controlled through (modified) eggdrops and
the irc-servers. Did you run a tcpdump to see which channel(s) they
join and with what key? You could use an 'anonimized' machine which
does not lead back to your official network and join the chan, pose
as an eggdrop and do some research. Just wait until you get queried
with commands :)

./Incoming connections are random although 1067 seems to be a common one.  
./I have 4 instances of cmd.exe running and 2
./of win.exe  While it looks like Egghead, the reg entries 
./aren't there nor the directories/files.  

Maybe they pose as other programs. You could try to use some tools
from sysinternals (www.sysinternals.com) or so to examine which program 
is using the socket that is connected to the irc-server.

./What is confusing to me is that one of them uses our Exchange server which
is protected by
./Antigen (and I pull nearly every extension known to man) and 
./McAffee on the desktop.  I can't find anything that matches this. Anyone 
./have any insight?

Not sure. Maybe they don't see eggdrops as a threat / trojan. 
They were in the first place surely never written to be any of those.
Maybe the characteristics of the used programs do not match the definitions
because they are slightly modified. There are serveral ways to circumvent
virusscanners.

Good luck,
P. Vissers

./Thanks
./
./J
./
./--------------------------------------------------------------
./--------------
./This list is provided by the SecurityFocus ARIS analyzer service.
./For more information on this free incident handling, management 
./and tracking system please see: http://aris.securityfocus.com
./

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: mikedat_private: "AIM Backdoor?"
Previous message: Arnold, Jamie: "RE: I think I've been hacked...please help!"
Next in thread: KoRe MeLtDoWn: "RE: I think I've been hacked...please help!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 08:29:44 PDT