[unisog] .ida worm followup
H. Morrow Long
Morrow.Long at yale.edu
Fri Jul 20 19:18:17 GMT 2001
I found a zombie bot on a W2K IIS5 server that had been compromised -
not by CodeRed - earlier this week.
The backdoor executable was
It was connecting out to IRC service port 6667 on irc02.icq.com and
joining chat room #kaitex and
awaiting commands to probe and flood hosts on the Internet.
- H. Morrow Long
Christopher Misra wrote:
> To: unisog at sans.org
> Date: Fri, 20 Jul 2001 10:23:37 -0400
> From: Christopher Misra <crispy at nic.umass.edu>
> Subject: [unisog] .ida worm followup
> Yesterday, after getting our first report of .ida like symptoms I blocked
> the compromised hosts at our border. We cleaned the boxes and had the
> admin patch them. I came in this morning and realized we had not removed
> the acl to drop traffic from these hosts. The logs showed the boxes making
> attempted connections to irc servers, which they should not be making.
> I saw the same behavior from a couple of boxes earlier in the week
> compromised via IIS-unicode...
> I'm not onsite, so I can't verify the boxes, but may be something to
> keep an eye out for...
> - Chris
> Christopher Misra Network Analyst
> OIT/Network Systems and Services LGRC A153
> University of Massachusetts Amherst, MA 01003
> E-mail: cmisra at nic.umass.edu
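As an added example (not code from either poster), a small detector for the behaviour both messages describe: internal hosts repeatedly attempting outbound connections to IRC port 6667 as seen in border ACL logs. The log line format, the 10.0.0.0/8 internal range and the sample lines are constructed assumptions for this example.

```python
"""Flag internal hosts that keep trying to reach IRC (TCP 6667) in border
ACL logs, the post-cleanup behaviour described in the thread above."""
import ipaddress
import re

IRC_PORTS = {6667}                                # port named in the thread
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumption: campus range

# Constructed sample log lines in a generic "src:port -> dst:port ACTION"
# format (not real unisog data; the format itself is an assumption).
SAMPLE_LOG = """\
Jul 20 09:11:02 border acl: tcp 10.1.2.3:1045 -> 198.51.100.10:6667 DENY
Jul 20 09:11:05 border acl: tcp 10.1.2.3:1046 -> 198.51.100.10:6667 DENY
Jul 20 09:12:17 border acl: tcp 10.1.2.9:3201 -> 192.0.2.44:80 PERMIT
Jul 20 09:13:40 border acl: tcp 10.1.7.7:1122 -> 198.51.100.2:6667 DENY
Jul 20 09:14:01 border acl: tcp 203.0.113.5:6667 -> 10.1.2.3:1050 DENY
"""

LINE_RE = re.compile(
    r"(?P<ts>\w{3} \d+ [\d:]+) \S+ acl: (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<action>\w+)"
)

def parse_line(line):
    """Parse one ACL log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def find_irc_beacons(log_text, min_attempts=2):
    """Return {internal_src: [(dst, dport, count)]} for internal hosts that
    tried to reach an IRC port at least min_attempts times. Repeated
    attempts point to a bot retrying its rendezvous, not a one-off user."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proto"] != "tcp" or rec["dport"] not in IRC_PORTS:
            continue
        if ipaddress.ip_address(rec["src"]) not in INTERNAL:
            continue          # inbound hits on 6667 are a separate question
        key = (rec["src"], rec["dst"], rec["dport"])
        counts[key] = counts.get(key, 0) + 1
    result = {}
    for (src, dst, dport), n in counts.items():
        if n >= min_attempts:
            result.setdefault(src, []).append((dst, dport, n))
    return result
```

Hosts that appear in the output after they have been "cleaned" are the ones worth pulling off the network again, as both posters found.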