[unisog] Infected windows boxes with IRC controlled trojans on them

Allen Chang allen at rescomp.berkeley.edu
Thu Apr 11 04:35:39 GMT 2002


I'm not too savvy with IRC but it probably isn't too hard to jump in the
IRC channel that is used for the gtbot control and watch the botmaster
control and possibly trace the IP even.

I'm pretty sure that one of the ways that the computers were compromised
was by using PSExec
<http://www.sysinternals.com/ntw2k/freeware/psexec.shtml>. On computers
that don't have an Administrator password set, it's almost trivial to have
the computer download and install gtbot. The computer logs onto IRC, starts
the MS telnet service, and you have complete control. From what I've seen
on this list, sua.bat varies. The ones we have found are very sparse and
only do the bare minimum.

Anyone have other ideas?

@llen
Network Security
Residential Computing
UC Berkeley

On Wed, 10 Apr 2002, Huba Leidenfrost wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> My apologies BTW for the funky attachment from my previous message.
> I should have referred to it or sent it to anyone that wanted a copy.
> Believe me I wasn't trying to massage everyone's MTAs in order to
> find out what type of anti-virus gateway protection is being used.
>
> I'm of the opinion that I will have to put up a honeypot pronto and
> set the administrator password to abc123 and see who comes knocking.
> Perhaps I can solve this puzzle.
>
> -Huba
>


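From the defender's side, the infection pattern described in this thread (a host joins an IRC control channel, then starts accepting telnet connections from outside) can be correlated in perimeter logs. The following is an added example, not code from this list or its posters; it assumes a constructed firewall log format and a 10.0.0.0/8 internal range.

```python
"""Flag internal hosts that talk to IRC and then accept inbound telnet."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic), one connection per line:
# "<date> <time> <action> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2002-04-10 22:01:05 ALLOW 10.1.2.3:1034 -> 198.51.100.7:6667
2002-04-10 22:01:09 ALLOW 10.1.2.3:1035 -> 198.51.100.7:6667
2002-04-10 22:03:40 ALLOW 203.0.113.9:4321 -> 10.1.2.3:23
2002-04-10 22:05:00 ALLOW 10.1.2.4:1040 -> 192.0.2.10:80
2002-04-10 22:06:12 ALLOW 10.1.2.5:1050 -> 198.51.100.7:6667
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)
IRC_PORTS = {6667, 6668, 6669, 7000}  # common IRC server ports (assumption)
TELNET_PORT = 23


def parse(log):
    """Yield (timestamp, src_ip, src_port, dst_ip, dst_port) per well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(3), int(m.group(4)), m.group(5), int(m.group(6))


def is_internal(ip):
    return ip.startswith("10.")  # assumed internal address space


def find_suspects(log):
    """Map internal host -> 'irc+telnet' or 'irc-only' for hosts seen on IRC."""
    irc_first = {}                  # host -> first outbound IRC connection
    telnet_in = defaultdict(list)   # host -> timestamps of inbound telnet
    for ts, src, sport, dst, dport in parse(log):
        if is_internal(src) and dport in IRC_PORTS:
            irc_first.setdefault(src, ts)
        if is_internal(dst) and dport == TELNET_PORT and not is_internal(src):
            telnet_in[dst].append(ts)
    result = {}
    for host, t0 in irc_first.items():
        later = [t for t in telnet_in.get(host, []) if t >= t0]
        result[host] = "irc+telnet" if later else "irc-only"
    return result


if __name__ == "__main__":
    for host, verdict in sorted(find_suspects(SAMPLE_LOG).items()):
        print(f"{host}: {verdict}")
```

Hosts rated "irc+telnet" match both halves of the pattern and are worth pulling off the network first; "irc-only" hosts merit a look but may be legitimate IRC users.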
