Janus,

To find the process on your windows box, try using "fport" available at Foundstone's web site. It is similar to "lsof" for *nix boxes.
http://www.foundstone.com/knowledge/proddesc/fport.html

Once you find it, you should try to identify it and look it up to remove any other files associated with the infection.

Good Luck,
Mike

At 08:22 AM 8/27/2002 +0000, Janusat_private wrote:
> I recognized some weird connections from my box (w98) to other computers.
> As soon as I connect to the internet a connection from local port 1026 to
> port 6667 on 65.185.135.125 was established. I connected to that server and
> it is an irc server (MusIRC Internet Relay Chat Network). I found a bot
> using my address with a random name made up of letters. The server
> administrator told me that he has recognized these bots coming from many
> different hosts for quite some time now. They all try to join a channel
> named #nutz on that server. He has seen people giving commands to those
> bots so he closed down the channel. They give a msg after kicked "Fuck you
> <name of the person that has kicked them>". To version request they reply
> with something like that too. I checked for open ports on my box and found
> 113 open. A few days ago I deleted a net-devil v.1.4 from my system. Not
> sure if that has anything to do with that. After installing a freeware
> firewall to see what it will do if I blocked its outgoing port and deleting
> it afterwards it just changed the outgoing port.
>
> As I am typing this a netstat -an reveals
>
>   TCP    0.0.0.0:1301           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1705           0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:1704         0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:1704         127.0.0.1:1705         ESTABLISHED
>   TCP    127.0.0.1:1705         127.0.0.1:1704         ESTABLISHED
>   TCP    217.84.185.171:1301    65.185.135.125:6667    ESTABLISHED
>   UDP    127.0.0.1:1027         *:*
>
> I couldn't find a freeware tool to find out which process is using this
> specific irc connection, nor did a scan with f-prot or housecall or panda
> reveal any viral or trojan activity.
>
> Any help or info would be really appreciated. Thanks in advance
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

**************************************************
Michael J. McCafferty
M5 Computer Security
858-576-7325 Voice
PGP Key ID: 0x2206347F
http://www.m5computersecurity.com
**************************************************
--- "If you build it, they will hack !" ---
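Added example, not code from the thread or from Foundstone: a small Python triage script that parses the netstat -an output Janus posted and flags the established session to an external IRC port plus the listeners bound to all interfaces. The IRC_PORTS set and the flagging rules are assumptions chosen for this illustration.

```python
# Added example (not from the thread): triage a 'netstat -an' capture for
# outbound IRC sessions and network-facing listeners. The sample is Janus's
# output re-typed; the IRC port set and flagging rules are assumptions.
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")
IRC_PORTS = {6667}  # assumption: the one IRC port seen in the thread

# Constructed from the netstat output quoted above.
SAMPLE_NETSTAT = """\
TCP 0.0.0.0:1301 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1705 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1704 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1704 127.0.0.1:1705 ESTABLISHED
TCP 127.0.0.1:1705 127.0.0.1:1704 ESTABLISHED
TCP 217.84.185.171:1301 65.185.135.125:6667 ESTABLISHED
UDP 127.0.0.1:1027 *:*
"""

def parse_netstat(text):
    """Parse Windows 'netstat -an' rows into Conn tuples, skipping headers."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        l_ip, l_port = parts[1].rsplit(":", 1)
        r_ip, r_port = parts[2].rsplit(":", 1)  # UDP rows show '*:*' here
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], l_ip, int(l_port), r_ip,
                          int(r_port) if r_port.isdigit() else None, state))
    return conns

def is_external(ip):
    """True for a routable peer (not loopback, unspecified or RFC1918)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_unspecified or addr.is_private)

def find_irc_connections(conns):
    """ESTABLISHED TCP sessions to an IRC port on an external host."""
    return [c for c in conns if c.proto == "TCP" and c.state == "ESTABLISHED"
            and c.remote_port in IRC_PORTS and is_external(c.remote_ip)]

def find_wildcard_listeners(conns):
    """Local ports bound on 0.0.0.0, i.e. reachable from the network."""
    return sorted(c.local_port for c in conns
                  if c.local_ip == "0.0.0.0" and c.state == "LISTENING")
```

This only tells you which sockets look suspicious; mapping a local port back to the owning process still needs a socket-to-process tool such as the fport utility recommended in the reply.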
This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 13:43:29 PDT