A friend of mine lost his DSL line due to a denial of service attack... We managed to find the owner of one of the IP addresses, and they were very cooperative with us.

Attack:

20:19:38.488323 61.215.165.200.3276 > 200.43.45.132.1915: udp 801

Information from infected host:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    61.215.165.200:445     200.43.216.58:4286     ESTABLISHED
  TCP    61.215.165.200:1029    152.98.204.61:6667     ESTABLISHED

[variables]
n0=%server orgazmo.wxmail.net
n1=%timeout 5
n2=%chan #!HardBall

Official Name: orgazmo.wxmail.net
IP Address: 152.98.204.61

It's another mIRC based DDoS trojan that scans for NT-Password and IIS unicode exploits.

So the next question is... How do we go about apprehending the culprits? Can we somehow get wxmail.net revoked?

Apparently the DoS attacks caused a lot of damage for my buddy's ISP, and many of their customers were affected. Needless to say his service was revoked.

I have seen a lot of these mIRC based trojans, and they seem to be getting more and more rampant every day... like roaches... Other people I have worked with have been seeing the same trends. Are there any active organizations working against these 'IRC bots'?

Any information is appreciated.

Sincerely,
G. R. Wolf
infatech security team
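As an added example, not part of the post above or of any tool it mentions, the following Python parses the netstat output and the mIRC [variables] block quoted in the post and flags the established connection that matches the bot's configured IRC server. The name-to-IP mapping is taken from the post's lookup result as a stand-in for a live DNS query, and the set of IRC ports is an assumption.

```python
import re

# Netstat output and mIRC [variables] block, constructed from the artifacts
# quoted in the post above.
NETSTAT = """Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    61.215.165.200:445     200.43.216.58:4286     ESTABLISHED
  TCP    61.215.165.200:1029    152.98.204.61:6667     ESTABLISHED
"""
MIRC_VARS = """[variables]
n0=%server orgazmo.wxmail.net
n1=%timeout 5
n2=%chan #!HardBall
"""
# Name-to-IP mapping from the post's lookup; a stand-in for a live DNS query.
RESOLVED = {"orgazmo.wxmail.net": "152.98.204.61"}
IRC_PORTS = {6667, 6668, 6669, 7000}  # assumed set of common IRC ports

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S+)?")

def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state) tuples."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:  # header and blank lines do not match
            proto, lip, lport, rip, rport, state = m.groups()
            conns.append((proto, lip, int(lport), rip, int(rport), state or ""))
    return conns

def parse_mirc_vars(text):
    """Map mIRC variable names such as '%server' to their configured values."""
    return {m.group(1): m.group(2).strip()
            for m in (re.match(r"n\d+=(%\w+)\s+(.*)", line) for line in text.splitlines()) if m}

def find_bot_c2(netstat_text, vars_text, resolved):
    """Flag established connections to IRC ports or to the bot's configured server."""
    server = parse_mirc_vars(vars_text).get("%server")
    c2_ip = resolved.get(server)
    hits = []
    for proto, lip, lport, rip, rport, state in parse_netstat(netstat_text):
        if state == "ESTABLISHED" and (rip == c2_ip or rport in IRC_PORTS):
            hits.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                         "server": server, "matches_config": rip == c2_ip})
    return hits

if __name__ == "__main__":
    for hit in find_bot_c2(NETSTAT, MIRC_VARS, RESOLVED):
        print(hit)
```

The SMB connection on port 445 is left unflagged because it neither targets an IRC port nor the configured server, so the output isolates the one line worth reporting to the upstream provider.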
This archive was generated by hypermail 2b30 : Fri Mar 14 2003 - 09:47:28 PST