Trojan? DDOS Bot?

From: Janusat_private
Date: Tue Aug 27 2002 - 01:22:32 PDT

Next message: pjat_private: "Re: TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid"

Previous message: Gary R. Porter: "Anyone seen this?"
Next in thread: Mike Parkin: "Re: Trojan? DDOS Bot?"
Reply: Mike Parkin: "Re: Trojan? DDOS Bot?"
Reply: Christopher Cramer: "Re: Trojan? DDOS Bot?"
Reply: Brooke, O'neil (EXP): "RE: Trojan? DDOS Bot?"
Reply: Richman, Samuel : "Re: Trojan? DDOS Bot?"
Reply: Will Tell: "Re: Trojan? DDOS Bot?"
Reply: Erik Sperling Johansen: "Re: Trojan? DDOS Bot?"
Reply: Dragos Ruiu: "Re: Trojan? DDOS Bot?"
Reply: Michael J McCafferty: "Re: Trojan? DDOS Bot?"
Reply: YAO,TONY (HP-NewZealand,ex1): "RE: Trojan? DDOS Bot?"
Reply: David LeBlanc: "RE: Trojan? DDOS Bot?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) I recogniced some weird connections from my box (w98) to other computers. As soon as i connect to the internet a connection from local port 1026 to port 6667 on 65.185.135.125 was established. I connected to that server and it is an irc server (MusIRC Internet Relay Chat Network). I found a bot using my adress with a random name made up of letters. The server administrator told me that he has recognized these bots coming from many different hosts for quite ome time now. They all try to join a channel named #nutz on that server. He has seen people giving commands to those bots so he closed down the channel. They give a msg after kicked "Fuck you <name of the person that has kicked them>. To version request they reply with something like that too. I checked for open ports on my box and found 113 open. A few days ago i deleted a net-devil v.1.4 from my system. Not sure if that has anything to do with that. After installing a freeware firewall to see what it will do if i blocked its outgoing port and deleting it afterwards it just changed the outgoing port. As i am typing this a netstat -an reveals TCP 0.0.0.0:1301 0.0.0.0:0 LISTENING TCP 0.0.0.0:1705 0.0.0.0:0 LISTENING TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING TCP 127.0.0.1:1704 0.0.0.0:0 LISTENING TCP 127.0.0.1:1704 127.0.0.1:1705 ESTABLISHED TCP 127.0.0.1:1705 127.0.0.1:1704 ESTABLISHED TCP 217.84.185.171:1301 65.185.135.125:6667 ESTABLISHED UDP 127.0.0.1:1027 *:* I couldnt find a freeware tool to find out which process is using this specific irc connection, nor did a scan with f-prot or housecall or panda reveal any viral or trojan activity. Any help or info would be really appreciated. Thanks in advance ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Next message: pjat_private: "Re: TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid"
Previous message: Gary R. Porter: "Anyone seen this?"
Next in thread: Mike Parkin: "Re: Trojan? DDOS Bot?"
Reply: Mike Parkin: "Re: Trojan? DDOS Bot?"
Reply: Christopher Cramer: "Re: Trojan? DDOS Bot?"
Reply: Brooke, O'neil (EXP): "RE: Trojan? DDOS Bot?"
Reply: Richman, Samuel : "Re: Trojan? DDOS Bot?"
Reply: Will Tell: "Re: Trojan? DDOS Bot?"
Reply: Erik Sperling Johansen: "Re: Trojan? DDOS Bot?"
Reply: Dragos Ruiu: "Re: Trojan? DDOS Bot?"
Reply: Michael J McCafferty: "Re: Trojan? DDOS Bot?"
Reply: YAO,TONY (HP-NewZealand,ex1): "RE: Trojan? DDOS Bot?"
Reply: David LeBlanc: "RE: Trojan? DDOS Bot?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 11:08:09 PDT