Mike,

I received word of something similar from one of my opers on February 17th. Ancient, an operator from irc.bigpond.com, notified irc.webchat.org's nohack team about this:

<Ancient> just for your info a new trojan / drone is making rounds and it may be hard to spot on CR
<Ancient> the ident = javauser
<Ancient> full name follows pattern 99999 1
<Ancient> the nicknames resemble first names and seem to be derived from some nick dictionary
<Ancient> we run CR and we observed it growing very fast
<Ancient> few connections on saturday to 100s today
<Ancient> I noticed heaps of them on Undernet but they are too ignorant to care
<Ancient> i posted an IRC CERT notice but it seems delayed
<Ancient> how many lines can I post here before getting done for flooding?
<Ancient> as I'm about to send a fragment of perl code that can detect this bot, if you know how to code using net::irc
<Ancient> # exploit pattern ident:javauser real:99999 9
<Ancient> my (@realwords) = split(" ",$real);
<Ancient> if ($ident =~ /^javauser$/) {
<Ancient>   if ($nickname !~ /^guest[[:digit:]]{5}$/i) {
<Ancient>     if ($realwords[0] =~ /^[[:digit:]]{4,5}$/) {
<Ancient>       if ($realwords[1] =~ /^[[:digit:]]{1}$/) {
<Ancient>         &akill($self, $nickname, $host,"Exploit\:javauser");
<Ancient> } } } }
<Ancient> richard, if you got my previous info re:javauser trojan, there is one more fact about it - it never seems to be using port 7000

You might want to consider subscribing to irc-cert at http://cert-irc.cyberabuse.org/

Cheers,
Alex Lambert
irc.liveharmony.org
alambertat_private

Mike Parkin wrote:
> Not often I post to the list.
>
> Lately the IRC network I help run (away from work) has seen a large
> number of host connections with a pattern similar to numerous other
> trojan/malware infections that have an IRC element. Namely: Similar
> nicks, user@, and real name fields. In this case the nicks are all one
> of several similar patterns (repeats lead us to believe it may be
> chosen from a list), the User@ is always javauser@ (I haven't
> actually seen a legitimate java client with this ident, though there
> may well be one.) and the Real Name field is always a pattern of
> "nnnnn 1" where nnnnn is a five digit random number.
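A Python rendering of the detection rule from Ancient's Perl fragment, run over server connect notices (added example, not code from the thread; the "Client connecting:" notice format and the sample lines are constructed assumptions, and the guestNNNNN exclusion keeps legitimate webchat Java clients that share the javauser ident out of the hits):

```python
import re

# Drone signature from the thread: ident exactly "javauser", real name
# "<4-5 digits> <1 digit>", nick not a webchat-style guestNNNNN nick.
IDENT_RE = re.compile(r"^javauser$")
GUEST_NICK_RE = re.compile(r"^guest\d{5}$", re.IGNORECASE)

# Assumed connect-notice format (constructed for this example, not from any ircd).
CONNECT_RE = re.compile(
    r"^Client connecting: (?P<nick>\S+) \((?P<ident>[^@]+)@(?P<host>\S+)\) \[(?P<real>.*)\]$"
)

# Constructed sample notices: two drones, one webchat guest, one normal user,
# one javauser client whose real name does not fit the numeric pattern.
SAMPLE_NOTICES = [
    "Client connecting: john (javauser@203.0.113.10) [48213 1]",
    "Client connecting: Guest12345 (javauser@198.51.100.7) [48213 1]",
    "Client connecting: mary (javauser@203.0.113.11) [9021 1]",
    "Client connecting: bob (~bob@192.0.2.5) [Bob Smith]",
    "Client connecting: alice (javauser@203.0.113.12) [Alice 1]",
]


def is_javauser_drone(nick: str, ident: str, realname: str) -> bool:
    """True if the (nick, ident, real name) triple matches the drone pattern."""
    if not IDENT_RE.match(ident):
        return False
    if GUEST_NICK_RE.match(nick):
        return False  # legitimate webchat guest client sharing the ident
    words = realname.split()  # split(" ") in the Perl: words 0 and 1 are checked
    return (
        len(words) == 2
        and re.fullmatch(r"\d{4,5}", words[0]) is not None
        and re.fullmatch(r"\d", words[1]) is not None
    )


def scan_notices(lines):
    """Return (nick, host) for every connect notice matching the drone pattern."""
    hits = []
    for line in lines:
        m = CONNECT_RE.match(line)
        if m and is_javauser_drone(m["nick"], m["ident"], m["real"]):
            hits.append((m["nick"], m["host"]))
    return hits


if __name__ == "__main__":
    for nick, host in scan_notices(SAMPLE_NOTICES):
        print(f"drone candidate: {nick}!javauser@{host}")
```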
This archive was generated by hypermail 2b30 : Mon Apr 14 2003 - 09:08:24 PDT