Well, the kaiten.c DDoS comes to mind. It's an updated knight.c DoS that someone has simply renamed to joe when they compiled it... or maybe they added to it. Basically, from what I know of it (which is admittedly very little since I've never seen it near me), you've been zombie-fied for IRC DDoS. I also don't know the "cleaning" process offhand, but I'm sure Symantec or someone has one since the source for kaiten.c is readily available everywhere (packetstorm). Do me a favor, please analyze it with everything you can get your hands on, just to make sure "joe" didn't add to kaiten. I would check your logs and start from there... shouldn't be too hard since the box is 2 weeks old, right? If you need help analyzing the logs, I'll help any way I can. We all will :) But you've most certainly been compromised = my guess.

1. Is it a production box? Internet facing? Web server? What is it?...

-oliver p.

> -----Original Message-----
> From: Reb [mailto:rebat_private]
> Sent: Thursday, August 02, 2001 1:22 AM
> To: VULN-DEV List
> Subject: Suspicious joe.exe
>
>
> Greetings all,
>
> While troubleshooting a problem with a Win2k server doing a hard lock (no response to keyboard/mouse) I happened upon the Run key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run\) and noticed that joe.exe was being started. Being that this box was no more than 2 weeks old I found this highly odd since it wasn't being loaded as a service and whatnot. So I'm done dealing with the 2k server hang for a bit and I start looking at this file. After I've googled and bugtraq'd my way around I can't find anything that mentions such a Trojan/virus. It seems to be some type of irc client that connects to 205.188.253.230 and joins #penr0x, which is +I. If asked I can gzip/zip up the file and send it to someone. If anyone has any insight to this I'd love to hear from you. Here's a bit of information on the exe.
>
> [reb@ reb]$ ls -al joe.exe
> -rw-r--r-- 1 reb reb 53248 Aug 1 17:58 joe.exe
> [reb@ reb]$ md5sum joe.exe
> 488c80ba0b2186a1ba52c4e69c590bc6 joe.exe
>
> Some of the more useful strings from `strings joe.exe` are:
>
> Microsoft Visual C++ Runtime Library
> Runtime Error!
> Program:
> <program name unknown>
> SunMonTueWedThuFriSat
> JanFebMarAprMayJunJulAugSepOctNovDec
> GetLastActivePopup
> GetActiveWindow
> MessageBoxA
> NICK
> VERSION
> KILL
> HELP
> PRIVMSG
> PING
> NOTICE %s :DNS <host>
> NOTICE %s :Resolving %s...
> NOTICE %s :Unable to resolve.
> NOTICE %s :Resolved to %s.
> NOTICE %s :GET <host> <save as>
> NOTICE %s :Unable to create socket.
> http://
> NOTICE %s :Unable to resolve address.
> NOTICE %s :Unable to connect to http.
> GET /%s HTTP/1.0
> Connection: Keep-Alive
> User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
> Host: %s:80
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
> Accept-Encoding: gzip
> Accept-Language: en
> Accept-Charset: iso-8859-1,*,utf-8
> NOTICE %s :Receiving file.
> NOTICE %s :Saved as %s
> NOTICE %s :Voyager Alpha Force: Age of Kaiten
> NOTICE %s :NICK <nick>
> NOTICE %s :Nick cannot be larger than 9 characters.
> NICK %s
> NOTICE %s :UDP <target> <secs>
> NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
> NOTICE %s :NICK <nick> = Changes the nick of the knight
> NOTICE %s :DNS <host> = DNSs a host
> NOTICE %s :IRC <command> = Sends this command to the server
> NOTICE %s :KILL = Kills the knight
> NOTICE %s :VERSION = Requests version of knight
> NOTICE %s :HELP = Displays this
> IRC
> SYSTEM
> HIDE
> SHOW
> MODE %s -xi
> JOIN %s :
> WHO %s
> PONG %s
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
> TaskReg
> #penr0x
> 205.188.253.230
> NICK %s
> USER %s localhost localhost :%s
> ERROR
>
>
> Reb
>
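A small triage script of the kind the reply asks for, added here as an example (not code from either poster): it pulls printable strings out of a binary the way `strings` does and flags the kaiten/knight indicators quoted in the post (version banner, help text, channel, server address, Run-key persistence). The SAMPLE blob is constructed for the demo; point it at a real file with a path argument.

```python
import re
import sys

# Indicator strings taken from the `strings joe.exe` output quoted above.
KAITEN_INDICATORS = {
    "Voyager Alpha Force: Age of Kaiten": "kaiten/knight version banner",
    "NOTICE %s :UDP <target> <secs>": "UDP flood help text",
    "NOTICE %s :KILL = Kills the knight": "bot help text",
    "#penr0x": "IRC channel named in the sample",
    "205.188.253.230": "IRC server address named in the sample",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\": "Run-key persistence",
}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings`: runs of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict[str, str]:
    """Return {indicator: description} for every indicator present in the binary."""
    found = extract_strings(data)
    return {ind: why for ind, why in KAITEN_INDICATORS.items()
            if any(ind in s for s in found)}


# Constructed sample: a fake PE-like blob with a few of the posted strings embedded.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"NOTICE %s :Voyager Alpha Force: Age of Kaiten\x00"
          + b"JOIN %s :\x00#penr0x\x00205.188.253.230\x00"
          + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\x00TaskReg\x00")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE
    hits = triage(blob)
    for ind, why in hits.items():
        print(f"[!] {why}: {ind!r}")
    # Two or more independent indicators is a strong sign of the kaiten/knight bot.
    print("verdict:", "likely kaiten/knight bot" if len(hits) >= 2 else "no match")
```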
This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 10:23:12 PDT