mailing list archives
Re: Internet Wide DOS Attack using IRC
From: root () LOCKDOWN NET (Kameron Gasso)
Date: Fri, 2 Oct 1998 15:55:18 +0000
This might be an unreleased Back Orifice plugin from an internet user who
dislikes GeoCities (only speculation). Odds are, it was distributed
widely over IRC in a Warez package or something similar.
The complete content of the 5845 directory was: nfo.zip, nfo.jpg,
servers.zip, servers.jpg, users.zip and users.jpg. When I looked at
binary files by doing a cat, the users jpg & zip files were the
same, but the
other files were all unique.
From the names of those files, I'd guess that's a warez pup's account.
Then again, who knows.
We did find an entry in his registry with the following setting:
a) " "
What's the full name of that registry key? The file msvbvm60.dll looks
like a Visual BASIC runtime library, possibly a Back Orifice plugin of
I also asked our ISP to help track some of this and this was their
result. "All the IP's
I've scanned so far from the log have several UDP ports open in the
(what Back Orifice uses)."
This is also why I think it may be a BO plugin. Unfortunately, these
users have no idea they're helping attack a server, and probably wouldn't
suspect a thing.
So, we really need to find the source instead of asking everyone to
reinstall their OS. It might also be necessary to inform the various
virus-detection software vendors to try to eradicate this from all of
the machines that currently have it installed.
If it's Back Orifice, some virus scanners will already pick it up. This
still doesn't solve the problem of the plugin, which can be stored in any
file type, text, dll, or binary.
If you do find what it is, please let me know, as I myself am curious.
Direct legitimate replies to krg () lockdown net - Flames, spams, etc. will
be handled by the little green monster named /dev/null I keep locked away
in my dungeon.