Security Incidents mailing list archives
RE: I think I've been hacked...please help!
From: Pepijn Vissers <vissers () fox-it com>
Date: Tue, 9 Apr 2002 13:39:31 +0200
Hi Jamie,

> I have several machines that are using excessive bandwidth. Upon
> inspection, I find multiple connections to servers with names like
> irc.badguuy.com, etc... On 6667.

Well, my first guess is that your machines are used for a DDoS, controlled through (modified) eggdrops and the irc-servers. Did you run a tcpdump to see which channel(s) they join and with what key? You could use an 'anonymized' machine which does not lead back to your official network and join the chan, pose as an eggdrop and do some research. Just wait until you get queried with commands :)

> Incoming connections are random although 1067 seems to be a common one.
> I have 4 instances of cmd.exe running and 2
> of win.exe. While it looks like Egghead, the reg entries
> aren't there nor the directories/files.

Maybe they pose as other programs. You could try to use some tools from sysinternals (www.sysinternals.com) or so to examine which program is using the socket that is connected to the irc-server.

> What is confusing to me is that one of them uses our Exchange server which is protected by
> Antigen (and I pull nearly every extension known to man) and
> McAfee on the desktop. I can't find anything that matches this. Anyone
> have any insight?

Not sure. Maybe they don't see eggdrops as a threat / trojan. They were in the first place surely never written to be any of those. Maybe the characteristics of the used programs do not match the definitions because they are slightly modified. There are several ways to circumvent virus scanners.

Good luck,

P. Vissers

> Thanks
>
> J

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
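The reply above suggests running tcpdump on the port 6667 connections to see which channels the bots join and with what key. The following is an added example (not part of the original thread) showing how a responder can pull that information out of the client-to-server lines recovered from such a capture; the capture text, nick and channel names are constructed for illustration.

```python
# Added example: summarise IRC client->server lines recovered from a
# capture (for instance the ASCII output of tcpdump on port 6667) so an
# incident responder can see which channels a suspected bot joins and
# which keys it uses, without interacting with the IRC server at all.
from dataclasses import dataclass, field

# Constructed sample of client->server lines, as they might appear in a
# capture of an outbound 6667 connection. Not real traffic.
SAMPLE_CAPTURE = """\
NICK bot-3f2a
USER x 0 * :x
JOIN #ctl-chan secretkey
JOIN #a,#b key1,key2
PRIVMSG #ctl-chan :ready
JOIN #nokey
"""


@dataclass
class IrcSummary:
    nick: str = ""
    # channel name -> key supplied on JOIN ("" when no key was given)
    channels: dict = field(default_factory=dict)


def parse_irc_client_lines(text: str) -> IrcSummary:
    """Extract the NICK and every JOIN channel/key pair from raw IRC lines.

    JOIN syntax (RFC 1459): JOIN <chan>{,<chan>} [<key>{,<key>}]
    Keys are matched to channels by position; channels past the end of
    the key list get an empty key.
    """
    summary = IrcSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "NICK":
            summary.nick = rest.strip()
        elif cmd == "JOIN":
            parts = rest.split()
            chans = parts[0].split(",") if parts else []
            keys = parts[1].split(",") if len(parts) > 1 else []
            for i, chan in enumerate(chans):
                summary.channels[chan] = keys[i] if i < len(keys) else ""
    return summary


if __name__ == "__main__":
    s = parse_irc_client_lines(SAMPLE_CAPTURE)
    print("nick:", s.nick)
    for chan, key in s.channels.items():
        print(f"{chan} key={key or '(none)'}")
```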
Current thread:
- I think I've been hacked...please help! Joe Warner (Mar 31)
- Re: I think I've been hacked...please help! Ryan Russell (Apr 01)
- Re: I think I've been hacked...please help! Crist J. Clark (Apr 01)
- Re: I think I've been hacked...please help! Hugo van der Kooij (Apr 01)
- Message not available
- Re: I think I've been hacked...please help! Joe Warner (Apr 01)
- <Possible follow-ups>
- RE: I think I've been hacked...please help! Arnold, Jamie (Apr 08)
- RE: I think I've been hacked...please help! H C (Apr 09)
- RE: I think I've been hacked...please help! Pepijn Vissers (Apr 09)
- RE: I think I've been hacked...please help! KoRe MeLtDoWn (Apr 09)
- RE: I think I've been hacked...please help! H C (Apr 09)
- RE: I think I've been hacked...please help! Arnold, Jamie (Apr 09)
- RE: I think I've been hacked...please help! H C (Apr 09)