[unisog] 'bot file servers?
pollockj at evergreen.edu
Wed Apr 30 23:01:02 GMT 2003
I don't think my first attempt reached the list because of HTML content.
We just cleaned up a pair of classroom machines that were running mIRC.
Upon being connected to a port, they would connect to an IRC RoboServ
channel and start high-volume uploads and downloads. From what I've
seen, they were being remote-controlled. I haven't had time to finish
the analysis of the data I collected, but if you're interested please
contact me off of the list and I'll send on what I've figured out.
The Evergreen State College

From: Jane DelFavero [mailto:jane.delfavero at nyu.edu]
Sent: Wednesday, April 30, 2003 1:47 PM
To: unisog at sans.org
Subject: [unisog] 'bot file servers?

We have come up against network behavior that I haven't encountered
before, and I'd like to hear from anyone who has. We have a couple of
machines which are pumping out large volumes of data, but it's not
the normal P2P junk, or IRC, as far as we can see. There's an ICMP
packet from a remote host, followed by a very large data transfer
(about the size of an .avi movie file) via UDP back to that remote
Is this a trojan or backdoor (or other application) that anyone's seen
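
The pattern described in the quoted message (an ICMP packet from a remote host, followed by a very large UDP transfer back to it) can be searched for in flow logs. The following is an added example, not part of either poster's message; the record layout, the 192.0.2.0/24 campus prefix, the 120-second window and the 500 MB threshold are assumptions.

```python
"""Flag local hosts that send a large UDP transfer to a remote host
shortly after that remote host sent them an ICMP packet."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src, dst, protocol, bytes).
# Addresses are documentation ranges; 192.0.2.0/24 plays the campus network.
SAMPLE_FLOWS = [
    (1000, "198.51.100.7", "192.0.2.10", "icmp", 84),
    (1002, "192.0.2.10", "198.51.100.7", "udp", 400_000_000),
    (1030, "192.0.2.10", "198.51.100.7", "udp", 300_000_000),
    (1005, "192.0.2.11", "203.0.113.5", "udp", 650_000_000),   # no ICMP first
    (2000, "198.51.100.9", "192.0.2.12", "icmp", 84),
    (2001, "192.0.2.12", "198.51.100.9", "udp", 512),           # small reply
    (3000, "198.51.100.7", "192.0.2.13", "icmp", 84),
    (9000, "192.0.2.13", "198.51.100.7", "udp", 700_000_000),   # too late
]


def find_icmp_triggered_udp(flows, local_net, window=120, min_bytes=500_000_000):
    """Return [(local, remote, icmp_time, udp_bytes)]; defaults are assumed values."""
    net = ipaddress.ip_network(local_net)

    def is_local(ip):
        return ipaddress.ip_address(ip) in net

    # Inbound ICMP: remote -> local, keyed by (local, remote).
    triggers = defaultdict(list)
    for ts, src, dst, proto, _ in flows:
        if proto == "icmp" and is_local(dst) and not is_local(src):
            triggers[(dst, src)].append(ts)

    hits = []
    for (local, remote), times in sorted(triggers.items()):
        for t0 in sorted(times):
            # Outbound UDP volume local -> remote inside the window after the ICMP.
            total = sum(
                size for ts, src, dst, proto, size in flows
                if proto == "udp" and src == local and dst == remote
                and t0 <= ts <= t0 + window
            )
            if total >= min_bytes:
                hits.append((local, remote, t0, total))
                break  # one report per host pair
    return hits


if __name__ == "__main__":
    for hit in find_icmp_triggered_udp(SAMPLE_FLOWS, "192.0.2.0/24"):
        print("local=%s remote=%s icmp_at=%d udp_bytes=%d" % hit)
```

Only the first local host is reported: the others either had no preceding ICMP packet, sent too little data, or sent it outside the window.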