[unisog] 'bot file servers?

Joe Pollock pollockj at evergreen.edu
Wed Apr 30 23:01:02 GMT 2003


I don't think my first attempt reached the list because of HTML content.

We just cleaned up a pair of classroom machines that were running mIRC.
Upon being connected to a port, they would connect to an IRC RoboServ
channel and start high-volume uploads and downloads.  From what I've
seen, they were being remote-controlled.  I haven't had time to finish
the analysis of the data I collected, but if you're interested please
contact me off of the list and I'll send on what I've figured out.

Joe Pollock
Network Services
The Evergreen State College

-----Original Message-----
From: Jane DelFavero [mailto:jane.delfavero at nyu.edu]
Sent: Wednesday, April 30, 2003 1:47 PM
To: unisog at sans.org
Subject: [unisog] 'bot file servers?


Hi all,

We have come up against network behavior that I haven't encountered 
before, and I'd like to hear from anyone who has. We have a couple of 
machines which are pumping out large volumes of data, but it's not 
the normal P2P junk, or IRC, as far as we can see. There's an ICMP 
packet from a remote host, followed by a very large data transfer 
(about the size of an .avi movie file) via UDP back to that remote 
site.

Is this a trojan or backdoor (or other application) that anyone's seen
before?

Thanks, Jane
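
The pattern described in the question above (an inbound ICMP packet from a remote host, then a very large outbound UDP transfer to that same host) can be searched for in flow records. The following is an added example, not part of either message in this thread; the record layout, the 300-second window, the 100 MB threshold and all addresses are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (epoch_seconds, protocol, src_ip, dst_ip, bytes).
# Addresses are from documentation ranges; none come from the thread.
SAMPLE_FLOWS = [
    (1000, "icmp", "198.51.100.7", "192.0.2.10", 64),
    (1002, "udp", "192.0.2.10", "198.51.100.7", 350_000_000),
    (1040, "udp", "192.0.2.10", "198.51.100.7", 340_000_000),
    (1100, "udp", "192.0.2.11", "203.0.113.9", 700_000_000),   # no ICMP first
    (2000, "icmp", "203.0.113.9", "192.0.2.12", 64),
    (2005, "udp", "192.0.2.12", "203.0.113.9", 512),           # tiny reply
    (5000, "icmp", "198.51.100.7", "192.0.2.13", 64),
    (9000, "udp", "192.0.2.13", "198.51.100.7", 600_000_000),  # outside window
]

def icmp_then_bulk_udp(flows, internal_net, window_s=300, min_bytes=100_000_000):
    """Return [(internal_host, remote_host, udp_bytes)] for pairs where an
    inbound ICMP packet is followed within window_s by outbound UDP totalling
    at least min_bytes to the same remote host."""
    net = ipaddress.ip_network(internal_net)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    last_icmp = {}             # (internal, remote) -> time of last inbound ICMP
    totals = defaultdict(int)  # (internal, remote) -> UDP bytes sent afterwards
    for ts, proto, src, dst, nbytes in sorted(flows):
        if proto == "icmp" and inside(dst) and not inside(src):
            last_icmp[(dst, src)] = ts
        elif proto == "udp" and inside(src) and not inside(dst):
            seen = last_icmp.get((src, dst))
            if seen is not None and ts - seen <= window_s:
                totals[(src, dst)] += nbytes
    return sorted((i, r, b) for (i, r), b in totals.items() if b >= min_bytes)

if __name__ == "__main__":
    for host, remote, sent in icmp_then_bulk_udp(SAMPLE_FLOWS, "192.0.2.0/24"):
        print(f"{host} -> {remote}: {sent} UDP bytes after inbound ICMP")
```

A bulk UDP sender with no preceding ICMP, or one whose transfer starts long after the ICMP packet, is deliberately not reported, so the window and threshold need tuning against a site's own traffic.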
