[unisog] IRCd 6667 followed by 445 SYN scan

Anderson Johnston andy at umbc.edu
Fri Apr 4 18:14:46 GMT 2003


I've got 'bots out the wazoo.  Occasionally they're accompanied by
scanning tools (or by batch files that do "net use" probes for systems
with badly chosen - like blank - passwords).  I haven't spotted this
particular setup (yet).

On Thu, 3 Apr 2003, Harris, Michael C. wrote:

> Anyone else seeing compromised machines that are doing outbound SYN
> scans port 445 and are under control via irc port 6667?  Blocking the
> 6667 traffic stops the scanning.  Compromised hosts show positive
> infection of W32Kwbot.E.Worm as per NAV but forensics show this as a
> different virus/worm. I have confirmed this is not Deloder or Netspree
> as well.
>
> A file named "Yes Uninstaller.exe" found on compromised hosts written
> to Windows and system32 directories at the moment of compromise.
>
> 	Created directories:
> 	C:\WINDOWS\System32\drivers\media\cat32
> 	C:\WINDOWS\System32\drivers\media
> 	Installed files:
> 	C:\WINDOWS\System32\drivers\media\cat32\delttsul.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\doskey.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\usrmgr.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\tifflt.dll
> 	C:\WINDOWS\System32\drivers\media\cat32\termsrv.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\TAPI.EXE
> 	C:\WINDOWS\System32\drivers\media\cat32\services.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\rcfg.ini
> 	C:\WINDOWS\System32\drivers\media\cat32\oissq400.dll
> 	C:\WINDOWS\System32\drivers\media\cat32\ntds.dit
> 	C:\WINDOWS\System32\drivers\media\cat32\ntbooks.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\hlink.bat
> 	C:\WINDOWS\System32\drivers\media\cat32\faxocm.bat
> 	C:\WINDOWS\System32\drivers\media\cat32\wmvdmoe2.dll
> 	Created registry values:
> 	Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
> 	Value: Services
>
>
> 	Mike
>
> 	--------------------------------------------------
> 	Michael C Harris
> 	System Security Analyst
> 	University of Missouri Health Center
>
> 	harrismc at health.missouri.edu
> 	--------------------------------------------------
>
>
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
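The pattern Mike describes (a host that talks to an IRC server on 6667 and then fans out SYNs to port 445) can be pulled out of ordinary firewall or flow logs by correlating the two on the source address. The script below is an added example, not code from the thread or from either poster; it assumes a simplified, constructed log format ("timestamp src:port -> dst:port flags") and a made-up threshold of five distinct 445 targets.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread), format:
# "<timestamp> <src>:<sport> -> <dst>:<dport> <tcp-flags>".
# 10.1.2.3 reaches IRC on 6667 then SYNs six hosts on 445 (the reported
# pattern); 10.1.2.4 uses two file servers on 445 with no IRC traffic
# (ordinary SMB use); 10.1.2.5 uses IRC but never scans.
SAMPLE_LOG = """\
2003-04-03T10:00:01 10.1.2.3:1041 -> 192.0.2.10:6667 S
2003-04-03T10:00:05 10.1.2.3:1042 -> 10.9.0.1:445 S
2003-04-03T10:00:05 10.1.2.3:1043 -> 10.9.0.2:445 S
2003-04-03T10:00:05 10.1.2.3:1044 -> 10.9.0.3:445 S
2003-04-03T10:00:06 10.1.2.3:1045 -> 10.9.0.4:445 S
2003-04-03T10:00:06 10.1.2.3:1046 -> 10.9.0.5:445 S
2003-04-03T10:00:06 10.1.2.3:1047 -> 10.9.0.6:445 S
2003-04-03T10:01:00 10.1.2.4:2001 -> 10.9.0.1:445 S
2003-04-03T10:01:03 10.1.2.4:2002 -> 10.9.0.2:445 S
2003-04-03T10:02:00 10.1.2.5:3001 -> 192.0.2.11:6667 S
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\S+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, _sport, dst, dport, flags = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "flags": flags}

def find_irc_controlled_scanners(log_text, irc_port=6667, scan_port=445,
                                 min_targets=5):
    """Map each source that opened a connection to irc_port AND sent SYNs to
    at least min_targets distinct hosts on scan_port -> number of targets."""
    irc_hosts = set()
    scan_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only bare SYNs (flag string exactly "S") count as connection attempts.
        if rec is None or rec["flags"] != "S":
            continue
        if rec["dport"] == irc_port:
            irc_hosts.add(rec["src"])
        elif rec["dport"] == scan_port:
            scan_targets[rec["src"]].add(rec["dst"])
    return {src: len(scan_targets[src]) for src in irc_hosts
            if len(scan_targets[src]) >= min_targets}
```

Hosts that only do legitimate SMB (10.1.2.4) or only chat on IRC (10.1.2.5) are not flagged; only the source showing both behaviours is reported, which is the cheap triage check before pulling the box for the file-system and registry artefacts listed above.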


