[Intrusions] IRC bot on MacOS
Smith, Donald
Donald.Smith at qwest.com
Wed Apr 27 15:30:40 GMT 2005
psybnc was almost certainly installed from a tar image, so the creation date
of the binary won't help much.
Upper-level directories were modified to create the directory psybnc was
installed in, so with a little work this will work; just don't rely on the
date of psybnc itself.
donald.smith at qwest.com giac
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Roger Roberts
> Sent: Saturday, April 23, 2005 6:34 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: Re[2]: [Intrusions] IRC bot on MacOS
>
>
> Andrew,
>
> Not sure if you have looked for files that were
> Modified/Accessed/Created in a similar time frame to the psybnc.
> This would possibly give you some idea if there are other
> files that are associated/installed.
>
> Also, if the hard drive can be mounted from another OS like
> Linux, that would be another good way to see if there are
> other files that may be hidden by the Mac OS. I am pretty sure
> a dd would work for an image creation even if it is live/running,
> since Mac is based on BSD.
>
>
> RWR
>
>
> On 4/22/05, Benjamin Koch <BK-D at gmx.de> wrote:
> > Hello Donald,
> >
> > The program called "psybnc" is an IRC bouncer - also known as an
> > "IRC proxy". It is only for hiding the original IP address of the
> > user connected to the IRC network, and for keeping a channel or the
> > user's IRC modes. It is also useful because it is like an
> > "answerphone" for offline users.
> >
> > It contains no malicious code - I use it too (for security
> > reasons...)
> >
> > The only reason to be suspicious of this kind of program is: you or
> > another friendly person with local/ssh access didn't install it.
> > Maybe it is an intruder's work to use your Mac sys as a proxy for
> > maybe a botnet controlling channel.
> >
> > The best solution is to check whether this was installed by a friend
> > or an intruder. See the psybnc.conf in the installed directory for
> > more information: login data, network and channel names where the
> > bouncer is active are saved there.
> >
> > I hope I could help you
> >
> > --
> > Best regards,
> > Benjamin mailto:BK-D at gmx.de
> >
> >
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> >
>
>
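
The timestamp point made in this thread, as an added example (not code from any of the posters): a tar extraction restores each file's archived mtime, while the inode-change time and the parent directory's mtime record when the files actually landed on disk. The function names, the one-hour window and the constructed temp-directory sample are assumptions of this example.

```python
import os
import tempfile
import time

def stamps(path):
    """Timestamps of interest for one path, without following symlinks."""
    st = os.lstat(path)
    out = {"mtime": st.st_mtime, "ctime": st.st_ctime}
    if hasattr(st, "st_birthtime"):  # present on macOS/BSD, absent on Linux
        out["birthtime"] = st.st_birthtime
    return out

def near_pivot(root, pivot, window=3600, fields=("ctime", "birthtime")):
    """Return (path, field, ts) for entries whose chosen field is within window seconds of pivot."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                ts = stamps(path)
            except OSError:
                continue  # entry vanished or is unreadable
            for field in fields:
                if field in ts and abs(ts[field] - pivot) <= window:
                    hits.append((path, field, ts[field]))
                    break  # one hit per path is enough
    return sorted(hits, key=lambda h: h[2])

def demo():
    """Constructed sample: a 'tar-extracted' binary whose mtime is a year old."""
    root = tempfile.mkdtemp()
    install = os.path.join(root, ".hidden", "psybnc")
    os.makedirs(install)
    binary = os.path.join(install, "psybnc")
    with open(binary, "w") as fh:
        fh.write("placeholder")
    old = time.time() - 365 * 86400
    os.utime(binary, (old, old))         # what tar does: restore the archived mtime
    pivot = os.lstat(install).st_mtime   # directory mtime moved when the entry was created
    by_mtime = [h[0] for h in near_pivot(root, pivot, fields=("mtime",))]
    by_ctime = [h[0] for h in near_pivot(root, pivot)]
    return install, binary, by_mtime, by_ctime

if __name__ == "__main__":
    install, binary, by_mtime, by_ctime = demo()
    print("mtime search finds binary:", binary in by_mtime)
    print("ctime search finds binary:", binary in by_ctime)
```

Run it against a read-only mount of the disk image rather than the live system, since walking a live tree updates access times.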