[unisog] IRC bot outbreaks

Paul Asadoorian Paul_Asadoorian at brown.edu
Thu Jul 25 12:08:24 GMT 2002


We have the same NT/2000 IRC bot/Serv-U Ftp server problem.  We find the
machines in varying states, but always format and re-install the operating
system.  Although the directory c:\winnt\system32\vm32 usually contains most
of the hacker's files, we have seen oddities in the recycler and other
places.  The IRC bot iroffer is most common, used to distribute files over
IRC, usually movies/video games.

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912
401.863.7553

PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x41DC7A4F
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
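The indicators named above (the c:\winnt\system32\vm32 drop directory, an intruder-installed Serv-U FTP service, and stray files under the recycler) can be checked for in a read-only triage pass before a machine is rebuilt. The following PowerShell script is an added example, not something from the original posts or from Brown; the Recycler path and the file extensions it looks for are assumptions, and it only reports, never deletes.

```powershell
# Added triage example (not part of the original list post).
# Assumes the indicators reported above: a drop directory at
# c:\winnt\system32\vm32 and stray executables under the recycler.
# Read-only: it lists findings and leaves the evidence in place.
$dropDir  = 'C:\winnt\system32\vm32'
$recycler = 'C:\RECYCLER'   # assumed location of the NT/2000 recycle bin store

# 1. Is the drop directory present, and what is in it?
if (Test-Path -LiteralPath $dropDir) {
    Write-Output "[!] Indicator directory present: $dropDir"
    Get-ChildItem -LiteralPath $dropDir -Recurse -Force -File |
        Select-Object FullName, Length, LastWriteTime
} else {
    Write-Output "[ ] $dropDir not found"
}

# 2. Services whose binary lives under the drop directory (the intruder's
#    FTP/bot service is what the posters above stopped before cleaning up).
Write-Output '--- Services with a binary path under system32\vm32 ---'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like '*system32\vm32*' } |
    Select-Object Name, State, StartMode, PathName

# 3. Executables parked in the recycler tree, another place files were found.
#    The extension list is an assumption, not from the original report.
if (Test-Path -LiteralPath $recycler) {
    Write-Output "--- Executables under $recycler ---"
    Get-ChildItem -LiteralPath $recycler -Recurse -Force -File `
        -Include *.exe, *.dll, *.bat, *.cmd -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}
```

Run it from an elevated prompt on the suspect host (or via remoting) and save the output alongside the incident record; because the thread's consensus is to format and reinstall, the value of the listing is in documenting what was there and in giving other administrators concrete paths and service names to sweep for.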


----- Original Message -----
From: "Wells, Cary" <cary.wells at ualberta.ca>
To: "'Robert Dormer'" <rdormer at pobox.upenn.edu>; <unisog at sans.org>
Sent: Wednesday, July 24, 2002 5:15 PM
Subject: RE: [unisog] IRC bot outbreaks


> we got tagged a while ago with the non admin passworded NT/2000 machines,
> they got backdoored and had irc bots stuck on them.  I mostly just went and
> deleted the 2 directories and killed the service.  I also did a mass sweep
> of our directory and put passwords on any machines that didn't have one
> and waited for them to call me and ask why they couldn't login anymore, then
> I educated them on passwords.  Sometimes just for fun I told them they got
> hacked and lost everything but I usually only let that go for 5 minutes or
> so.
>
> > -----Original Message-----
> > From: Robert Dormer [mailto:rdormer at pobox.upenn.edu]
> > Sent: Wednesday, July 24, 2002 12:29 PM
> > To: unisog at sans.org
> > Subject: [unisog] IRC bot outbreaks
> >
> >
> > Hello all,
> >
> > I'm just curious to know - what experiences have you all had
> > with backdoor trojans like netbus and subseven, and remote
> > controlled IRC bots?  Specifically, have any of you suffered from
> > large outbreaks of them, and if you did, how did you go about
> > containing them and educating users and other administrators
> > about them?
> >
> >
> > Regards,
> > Robert Dormer
> >
> >
> >
> >
>
