[unisog] .ida worm followup

H. Morrow Long Morrow.Long at yale.edu
Fri Jul 20 19:18:17 GMT 2001


I found a zombie bot on a W2K IIS5 server that had been compromised - 
not by CodeRed - earlier this week.

The backdoor executable was
\winnt\system32\kaitex.exe

It was connecting out to IRC service port 6667 on irc02.icq.com and 
joining chat room #kaitex  and
awaiting commands to probe and flood hosts on the Internet.

- H. Morrow Long

Christopher Misra wrote:

> To: unisog at sans.org
> Date: Fri, 20 Jul 2001 10:23:37 -0400
> From: Christopher Misra <crispy at nic.umass.edu>
> Subject: [unisog] .ida worm followup
> 
> Hi,
> 
> Yesterday, after getting our first report of .ida like symptoms I blocked
> the compromised hosts at our border. We cleaned the boxes and had the
> admin patch them. I came in this morning and realized we had not removed
> the acl to drop traffic from these hosts. The logs showed the boxes making
> attempted connections to irc servers, which they should not be making.
> I saw the same behavior from a couple of boxes earlier in the week
> compromised via IIS-unicode...
> 
> I'm not onsite, so I can't verify the boxes, but may be something to
> keep an eye out for...
> 
> 				- Chris
> 
> --
> Christopher Misra                                    Network Analyst
> OIT/Network Systems and Services                        LGRC A153
> University of Massachusetts                         Amherst, MA  01003
> E-mail: cmisra at nic.umass.edu
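Both messages point at the same detection signal: a server that has no business talking IRC trying to reach port 6667 (or a neighbouring IRC port) on an outside host, whether the border ACL lets the connection through or drops it. The following is an added example, not code from either poster; it runs over a few constructed border-router log lines in an assumed "timestamp ACTION src=ip:port dst=ip:port proto=x" format, with a hypothetical 128.0.0.0/24 server subnet, and reports which internal servers attempted outbound IRC and how often.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample border-router log lines (not taken from the original post).
# Assumed format: "<timestamp> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port> proto=<proto>"
SAMPLE_LOG = """\
2001-07-20T09:01:12 DENY  src=128.0.0.10:1045 dst=203.0.113.5:6667 proto=tcp
2001-07-20T09:01:13 DENY  src=128.0.0.10:1046 dst=203.0.113.5:6667 proto=tcp
2001-07-20T09:02:01 ALLOW src=128.0.0.10:1050 dst=198.51.100.20:80 proto=tcp
2001-07-20T09:03:44 DENY  src=128.0.0.11:1100 dst=203.0.113.6:6668 proto=tcp
2001-07-20T09:05:00 ALLOW src=128.0.0.12:2000 dst=198.51.100.21:443 proto=tcp
2001-07-20T09:06:30 ALLOW src=198.51.100.99:6667 dst=128.0.0.12:3300 proto=tcp
"""

# Hypothetical subnet housing the campus servers; servers have no reason
# to open outbound IRC sessions.
SERVER_NETS = [ipaddress.ip_network("128.0.0.0/24")]

# 6667 is the port named in the post; the rest of the 6660-6669 range and
# 6697 (IRC over TLS) are included here as an assumption about common IRC ports.
IRC_PORTS = set(range(6660, 6670)) | {6697}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def in_server_nets(ip, nets=SERVER_NETS):
    """True if ip falls inside any of the server subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_outbound_irc(log_text, nets=SERVER_NETS, irc_ports=IRC_PORTS):
    """Count outbound IRC connection attempts per (server, destination, port).

    Only lines whose *source* is inside the server subnets and whose
    *destination* port is an IRC port count; an inbound connection whose
    external source happens to use port 6667 (last sample line) is ignored.
    Denied attempts count as much as allowed ones: a box still trying to
    reach its controller after cleanup is exactly the signal the post describes.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if in_server_nets(rec["src"], nets) and int(rec["dport"]) in irc_ports:
            hits[(rec["src"], rec["dst"], int(rec["dport"]))] += 1
    return hits


def suspect_hosts(log_text, **kw):
    """Set of internal source addresses that attempted outbound IRC."""
    return {src for (src, _dst, _port) in find_outbound_irc(log_text, **kw)}


if __name__ == "__main__":
    for (src, dst, port), n in sorted(find_outbound_irc(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{port}  attempts={n}")
    print("suspect hosts:", sorted(suspect_hosts(SAMPLE_LOG)))
```

The check is deliberately direction-aware: the question is which internal servers initiate IRC sessions, so the destination port of a connection sourced from the server subnet is what matters, not any appearance of 6667 in a line. Leaving a border ACL in place after cleanup, as the quoted message did by accident, is what makes the DENY lines visible, so the script treats them the same as ALLOW lines.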
