Trojan? DDOS Bot?

From: Janusat_private
Date: Tue Aug 27 2002 - 01:22:32 PDT

  • Next message: pjat_private: "Re: TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid"

    
     ('binary' encoding is not supported, stored as-is)
    I recogniced some weird connections from my box (w98)
    to other computers. As soon as i connect to the
    internet a connection from local port 1026 to port 6667
    on 65.185.135.125 was established. I connected to that
    server and it is an irc server (MusIRC Internet Relay
    Chat Network). I found a bot using my adress with a
    random name made up of letters. The server
    administrator told me that he has recognized these bots
    coming from many different hosts for quite ome time
    now. They all try to join a channel named #nutz on that
    server. He has seen people giving commands to those
    bots so he closed down the channel. They give a msg
    after kicked "Fuck you <name of the person that has
    kicked them>. To version request they reply with
    something like that too. I checked for open ports on my
    box and found 113 open. A few days ago i deleted a
    net-devil v.1.4 from my system. Not sure if that has
    anything to do with that. After installing a freeware
    firewall to see what it will do if i blocked its
    outgoing port and deleting it afterwards it just
    changed the outgoing port. As i am typing this a
    netstat -an reveals
    
    TCP    0.0.0.0:1301           0.0.0.0:0             
    LISTENING
      TCP    0.0.0.0:1705           0.0.0.0:0             
    LISTENING
      TCP    127.0.0.1:1027         0.0.0.0:0             
    LISTENING
      TCP    127.0.0.1:1704         0.0.0.0:0             
    LISTENING
      TCP    127.0.0.1:1704         127.0.0.1:1705        
    ESTABLISHED
      TCP    127.0.0.1:1705         127.0.0.1:1704        
    ESTABLISHED
      TCP    217.84.185.171:1301    65.185.135.125:6667   
    ESTABLISHED
      UDP    127.0.0.1:1027         *:*                    
    
    
    I couldnt find a freeware tool to find out which
    process is using this specific irc connection, nor did
    a scan with f-prot or housecall or panda reveal any
    viral or trojan activity.
    
    Any help or info would be really appreciated. Thanks in
    advance
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 11:08:09 PDT