Security Incidents mailing list archives

RE: grc attacks


From: "James Cox" <james.cox3 () ntlworld com>
Date: Fri, 15 Jun 2001 01:10:57 +0100

Actually,

the file which was used in the GRC attacks was called rundIl.exe; however,
there are so many zombie bots that it's quite likely that one wouldn't work.

The best way to find the bots is to do as Gibson suggests - install Zone Alarm
and lock the internet. Then establish which programs are trying to
connect (you'll see that as the alerts pop up) and remove those files.

Also remember to check the win.ini run= command for other possible
references, as well as the registry keys (Start > Run > regedit.exe):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING

That is interesting. It almost looks as if you have either a well configured
bot - which doesn't show the ip it's connecting to, or one that's badly
configured, and is not connecting anywhere. Feel free to send me full logs
(type netstat -a at the command prompt), and I'll confirm whether you are
bugged :)

Hope that helps,

James Cox
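The two checks discussed in this thread (reading `netstat -an` output for port 6667 sockets, and the win.ini `run=` line) can be automated for triage. The following is an added example, not code posted by anyone in the thread; the netstat output and win.ini contents embedded in it are constructed samples, and the program name and 203.0.113.7 address are placeholders, not indicators from the thread. It also answers the 0.0.0.0 question: on a LISTENING line, a local address of 0.0.0.0 means the socket is bound to every local interface, and the foreign address 0.0.0.0:0 is an empty placeholder, not a peer.

```python
"""Triage helpers for the checks in this thread (added example, not a poster's code):
parse Windows `netstat -an` output, flag sockets on the IRC port, and list the
programs started from win.ini's run= / load= lines."""
import re
from dataclasses import dataclass

IRC_PORTS = {6667}  # the port quoted in the thread

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      203.0.113.7:6667       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample win.ini; EXAMPLE.EXE is a placeholder program name.
SAMPLE_WININI = r"""
[windows]
load=
run=C:\WINDOWS\EXAMPLE.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


# Proto, local addr:port, foreign addr:port, optional state (UDP has none, and uses *:*).
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")


def _port(text):
    return 0 if text == "*" else int(text)


def parse_netstat(text):
    """Turn netstat -an output into Socket records; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            sockets.append(Socket(proto, lip, _port(lport), rip, _port(rport), state or ""))
    return sockets


def triage(sockets):
    """Return (socket, verdict) pairs for TCP sockets touching the IRC port."""
    findings = []
    for s in sockets:
        if s.proto != "TCP":
            continue
        if s.state == "LISTENING" and s.local_port in IRC_PORTS:
            findings.append((s, "IRC_LISTENER"))   # something accepts inbound 6667
        elif s.state == "ESTABLISHED" and s.remote_port in IRC_PORTS:
            findings.append((s, "IRC_CLIENT"))     # outbound session to an IRC port
    return findings


def describe(sock, verdict):
    """Plain-language reading of a finding, including what 0.0.0.0 means."""
    if verdict == "IRC_LISTENER":
        scope = "every local interface" if sock.local_ip == "0.0.0.0" else sock.local_ip
        return (f"port {sock.local_port}/tcp is open for inbound connections on {scope}; "
                f"foreign {sock.remote_ip}:{sock.remote_port} is the empty placeholder, not a peer")
    return (f"established session from {sock.local_ip}:{sock.local_port} to "
            f"{sock.remote_ip}:{sock.remote_port} - the host is talking to an IRC port")


def winini_autostart(text):
    """Programs named on the run= and load= lines of win.ini's [windows] section."""
    programs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                programs.extend(value.replace(",", " ").split())
    return programs


if __name__ == "__main__":
    for sock, verdict in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(verdict, "-", describe(sock, verdict))
    print("win.ini autostart:", winini_autostart(SAMPLE_WININI))
```

On a real host, pipe `netstat -an` into `parse_netstat` and read win.ini from the Windows directory; the registry Run keys named above are a separate check that this script does not cover.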

-----Original Message-----
From: CJ Oakwood [mailto:cj_oakwood () yahoo com]
Sent: 14 June 2001 01:45
To: 'Alicia Laing'; 'Ingersoll, Jared'; 'Casey DeBerry'; 'basics';
'INCIDENTS'
Subject: RE: grc attacks


The file is called RunDIL.exe... (D-I-L not dll)

-----Original Message-----
From: Alicia Laing [mailto:alicia.laing () verizon net]
Sent: Tuesday, June 12, 2001 13:58
To: Ingersoll, Jared; 'Casey DeBerry'; basics; INCIDENTS
Subject: RE: grc attacks


I did the scan and got the same thing. How can I find the bots and
remove them?

-----Original Message-----
From: Ingersoll, Jared [mailto:JIngersoll () cswv com]
Sent: Monday, June 11, 2001 10:53 AM
To: 'Casey DeBerry'; basics; INCIDENTS
Subject: RE: grc attacks


Great Article. I checked one of our hosts that has since been moved
completely behind packet filtering and got the following:

C:\>netstat -an | find ":6667"
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING

According to Gibson, the 6667 seems to indicate the presence of a bot
used on an IRC network. Agree/Disagree? What's the relevance of 0.0.0.0?

Jared

-----Original Message-----
From: Casey DeBerry [mailto:cdeberry () navidec com]
Sent: Friday, June 08, 2001 11:44 AM
To: basics; INCIDENTS
Subject: grc attacks


Great story from the man behind grc.com.
Steve Gibson's ddos investigation that also covers a little on personal
firewalls, evaluates bots, forensics, etc...

http://grc.com/dos/grcdos.htm
