In-Reply-To: <20020827082232.885.qmailat_private>

Hey, seems as if hacking boxes and leaving bots there is a new sport.

http://www.honeynet.ch/reports/openbsd.php

Here are some hackers talking about their bot on all the hacked boxes (the long IRC dialog). This is on OpenBSD but I think the same happens on Windows. They break in and install a bot and a rootkit... so do not trust your box. It seems compromised.

Will Tell

>From: <Janusat_private>
>To: incidentsat_private
>Subject: Trojan? DDOS Bot?
>
>I recognised some weird connections from my box (W98) to other computers. As soon as I connect to the internet a connection from local port 1026 to port 6667 on 65.185.135.125 was established. I connected to that server and it is an IRC server (MusIRC Internet Relay Chat Network). I found a bot using my address with a random name made up of letters. The server administrator told me that he has recognised these bots coming from many different hosts for quite some time now. They all try to join a channel named #nutz on that server. He has seen people giving commands to those bots, so he closed down the channel. They give a msg after being kicked: "Fuck you <name of the person that has kicked them>". To a version request they reply with something like that too. I checked for open ports on my box and found 113 open. A few days ago I deleted a net-devil v.1.4 from my system. Not sure if that has anything to do with that. After installing a freeware firewall to see what it will do if I blocked its outgoing port and deleting it afterwards, it just changed the outgoing port.
>
>As I am typing this a netstat -an reveals
>
> TCP 0.0.0.0:1301 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1705 0.0.0.0:0 LISTENING
> TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
> TCP 127.0.0.1:1704 0.0.0.0:0 LISTENING
> TCP 127.0.0.1:1704 127.0.0.1:1705 ESTABLISHED
> TCP 127.0.0.1:1705 127.0.0.1:1704 ESTABLISHED
> TCP 217.84.185.171:1301 65.185.135.125:6667 ESTABLISHED
> UDP 127.0.0.1:1027 *:*
>
>I couldn't find a freeware tool to find out which process is using this specific IRC connection, nor did a scan with F-Prot or HouseCall or Panda reveal any viral or trojan activity.
>
>Any help or info would be really appreciated. Thanks in advance
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
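As an added example (not part of the original thread), a small Python parser that reads the kind of Windows `netstat -an` output quoted above and flags established sessions to IRC server ports on non-loopback hosts, plus TCP ports listening on all interfaces. The sample lines are constructed from the post; the set of "IRC ports" is an assumption (6660-6669 and 7000), not something the thread states.

```python
import re
from ipaddress import ip_address

# Constructed sample: the netstat -an lines from the post above, in Windows 9x layout.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1301           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1705           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1704         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1704         127.0.0.1:1705         ESTABLISHED
  TCP    127.0.0.1:1705         127.0.0.1:1704         ESTABLISHED
  TCP    217.84.185.171:1301    65.185.135.125:6667    ESTABLISHED
  UDP    127.0.0.1:1027         *:*
"""

# Assumed set of common IRC server ports; 6667 (seen in the post) is the default.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# proto, local addr:port, foreign addr:port, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


def _port(s):
    return None if s == "*" else int(s)


def parse_netstat(text):
    """Parse Windows `netstat -an` output into row dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": _port(lport),
                     "raddr": raddr, "rport": _port(rport), "state": state or ""})
    return rows


def find_irc_connections(rows):
    """(local_port, remote_ip, remote_port) for ESTABLISHED TCP sessions to an IRC port off-box."""
    hits = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED" or r["rport"] not in IRC_PORTS:
            continue
        if ip_address(r["raddr"]).is_loopback:   # the 1704<->1705 pair is local-only traffic
            continue
        hits.append((r["lport"], r["raddr"], r["rport"]))
    return hits


def find_external_listeners(rows):
    """TCP ports bound to 0.0.0.0 in LISTENING state, i.e. reachable from the network."""
    return sorted(r["lport"] for r in rows
                  if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["laddr"] == "0.0.0.0")
```

On the post's data this reports the single outbound session to 65.185.135.125:6667 and the two ports (1301, 1705) exposed on all interfaces, which is the short list worth mapping back to a process.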
This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 13:27:34 PDT