Re: Suspicious joe.exe

From: Blake Frantz (blakeat_private)
Date: Thu Aug 02 2001 - 10:11:46 PDT

Next message: John Thornton: "Remote DoS for pcAnywhere 9.2"

Previous message: Mark L'Italien: "RE: Suspicious joe.exe"
In reply to: Rikul: "Re: Suspicious joe.exe"
Next in thread: Felix Huber: "Re: Suspicious joe.exe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Its an irc bot that is used to do distributed DoS attacks. The
> IRC channel acts command center for all the bots. You could sniff the
> traffic and figure out how to pretend to be irc bot to get into the
> channel. After that you can get IP/userinfo of person controlling
> all the bots. It probably came in email that you opened in outlook.

The majority of the boxes I find infected with such bots have vulnerable
IIS instances or world writable shares -- In addition to mail, might want
to check you patch levels and share permissions too.

-Blake

Next message: John Thornton: "Remote DoS for pcAnywhere 9.2"
Previous message: Mark L'Italien: "RE: Suspicious joe.exe"
In reply to: Rikul: "Re: Suspicious joe.exe"
Next in thread: Felix Huber: "Re: Suspicious joe.exe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 12:07:29 PDT