In-Reply-To: <3CF3E55D.8030702at_private>

Hello

This post is a perfect example of current script kiddy trends. If you join any of the larger channels on irc.newnet.net, irc.evilsync.net, and so forth, you will see that all of the 'leech fserves' in these channels are compromised Windows machines (usually .edu's). I would wager that these groups are hacking win2k boxes on fast networks en masse, using something lame and well known like the Unicode or HTR exploit (for shame!) or possibly the recent .ASP exploit.

These groups are compiling their own rootkit/backdoors from well-documented open source utilities such as DSNX (www.dataspy.net). The main function of these backdoors, as you have seen, is to provide remote FTP access to the compromised host (for uploading more 0day warez and DIVX movies), run an identd server if required, and connect to a pre-configured IRC network and channel. The server then acts as an IRC Fserve, allowing anyone in the channel to queue up files to download.

I would also wager that port 99 is a copy of ncx99.exe - this was used as the default bind port for a couple of win32 exploits (original iishack?). It is a modified version of nc.exe configured to spawn a cmd.exe shell on port 99. This simple backdoor is favored by script kiddies and the like because it does not require any command line arguments.

These groups often advertise their efforts in the channel topics on irc.newnet.net - ">100 .edu 100mbit bots! Leech! Latest releases!" They also advertise "we need couriers, dumps, carders, rooters (?), coders and rippers - contact XYZWareZGuy!"

Maybe someone should join these channels, #warez-excell etc., and scan all the fserve hosts for ports 99 and 4160... if port 99 is indeed a netcat/cmd.exe backdoor, a script could be written to mass-patch or disable these IRC bots ;) They deserve it for being so damn open about their activities. Warez kids used to have a clue!
i remain
ghb

> Today I found a Windows machine located in our dorms that had
> been compromised, but unlike most of the compromised machines I see come
> out of the dorms the Admin password was actually set and it was set to
> something other than NULL or Administrator. The attacker set up 2
> Serv-U ftpd's on the host on high ports 23432 and 65531 to be exact,
> they also installed a warez eggdrop bot that connects to the newnet IRC
> Network and serves via the #warez-excell channel.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
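A host-side triage check for the indicators this thread names, added here as an example and not code from the original post or its author. It parses a constructed `netstat -an` listing from a Windows host and flags the items described above: a listener on port 99 (the ncx99.exe cmd.exe backdoor), the Serv-U listeners on 23432 and 65531, port 4160, and an established connection to an IRC server. The port numbers 99, 4160, 23432 and 65531 come from the thread; the IRC port set (6660-6669 and 7000) is an assumption about common IRC server ports, not something the post states.

```python
"""Triage a Windows `netstat -an` dump for the indicators named in the thread.

Added example, not part of the original list post. Listener ports come from
the thread; the IRC port range is an assumption about common IRC ports.
"""
import re
from typing import Dict, List, Tuple

# Ports named in the thread, with the explanation given there.
SUSPECT_LISTENERS: Dict[int, str] = {
    99: "ncx99.exe-style netcat backdoor spawning cmd.exe",
    4160: "port named in the thread alongside 99 as bot-related",
    23432: "Serv-U FTP daemon installed by the intruder",
    65531: "Serv-U FTP daemon installed by the intruder",
}

# Assumption (not from the post): common IRC server ports.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Matches the "Proto  Local Address  Foreign Address  State" rows; UDP rows
# have no state and show "*:*" as the foreign address.
_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$", re.IGNORECASE
)


def parse_netstat(text: str) -> List[dict]:
    """Parse netstat -an style lines into dicts; headers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto.upper(),
            "laddr": laddr,
            "lport": int(lport),
            "raddr": raddr,
            "rport": int(rport) if rport.isdigit() else None,  # UDP shows '*'
            "state": state.upper(),
        })
    return rows


def triage(rows: List[dict]) -> List[Tuple[str, int, str]]:
    """Return (kind, port, reason) findings, sorted for stable output."""
    findings = []
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["state"] == "LISTENING" and r["lport"] in SUSPECT_LISTENERS:
            findings.append(("listener", r["lport"], SUSPECT_LISTENERS[r["lport"]]))
        elif r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS:
            findings.append(("irc-connection", r["rport"],
                             f"established to {r['raddr']}:{r['rport']}"))
    return sorted(findings)


# Constructed sample, modelled on the Windows netstat -an layout; the
# addresses are documentation ranges, not real hosts.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:99             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23432          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:65531          0.0.0.0:0              LISTENING
  TCP    10.1.2.3:1045          203.0.113.5:6667       ESTABLISHED
  TCP    10.1.2.3:1046          198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for kind, port, reason in triage(parse_netstat(SAMPLE)):
        print(f"{kind:15} {port:6} {reason}")
```

Run it against the saved output of `netstat -an` from a suspect host; a hit on port 99 or the Serv-U ports is a reason to pull the box off the network and image it rather than to clean it in place, since the thread's own description is of a full rootkit/backdoor install, not a single stray process.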
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 08:47:13 PDT