These are all open proxy (port 1080) hosts. These can act as a proxy
for irc. I doubt any of them are compromised, although they are
misconfigured to allow outside connectivity through. There is not much you
can do since most of the users are on cable and dsl lines.
Ryan
----- Original Message -----
From: "vanguard" <vanguard_at_GENIUSNET.RO>
To: <INCIDENTS_at_SECURITYFOCUS.COM>
Sent: Tuesday, October 31, 2000 8:19 AM
Subject: compromised host
> hello
> see u conection to ircservers, if u have this tipe of conexion, i guess
> u host is compromised
>
> but this host is definitive compromised ..:((
> this is flood attack whit warbot
>
> [15:41:45] --> r121038l (~164a56_at_12.8.233.98) has joined ...
> [15:41:45] --> w152120h (~115t73_at_adsl-78-184-91.mco.bellsouth.net) has
> joined
> [15:41:45] --> e1357812e
> (~618v53_at_modemcable065.45-200-24.mtl.mc.videotron.ca) has joined
> [15:41:45] --> v324411h (~1334w63_at_12.2.238.55) has joined
> [15:41:45] --> x86128r
> (~174x37_at_modemcable065.45-200-24.mtl.mc.videotron.ca) has joined
> [15:41:45] --> t182786x (~2014z76_at_node134a5.a2000.nl) has joined
> [15:41:45] --> y145548i (~1851w70_at_12.2.238.55) has joined
> [15:41:45] --> g2074312t
> (~1626t84_at_adsl-63-205-159-146.dsl.lsan03.pacbell.net) has joined
> [15:41:45] --> r1188314u (~1426d91_at_209.21.14.65) has joined
> [15:41:45] --> x1976818i (~1392s73_at_194.204.247.2) has joined
> [15:41:45] --> d182667n
> (~1669m11_at_adsl-63-199-8-138.dsl.snfc21.pacbell.net) has joined
> [15:41:45] --> p1928212v (~1848o47_at_195.50.128.16) has joined
> [15:41:45] --> y680919v (~1177d55_at_node13dd3.a2000.nl) has joined
> [15:41:45] --> v65887w
> (~87i42_at_modemcable151.24-200-24.timi.mc.videotron.ca) has joined
> [15:41:45] --> t448718u (231e58_at_node1270f.a2000.nl) has joined
> [15:41:45] --> t57012o (1425w46_at_node134a5.a2000.nl) has joined
> [15:41:45] --> z15931b (392o31_at_node168f2.a2000.nl) has joined
> [15:41:45] --> c92942b
> (~241p26_at_modemcable151.24-200-24.timi.mc.videotron.ca) has joined
> [15:41:46] --> r765519r
> (932q75_at_adsl-63-205-159-146.dsl.lsan03.pacbell.net) has joined
> [15:41:46] --> u1225416s (1195g62_at_adsl-78-184-91.mco.bellsouth.net) has
> joined
> [15:41:46] --> l58971w (413x34_at_adsl-63-199-8-138.dsl.snfc21.pacbell.net)
> has joined
> [15:41:46] --> q1761710g
> (873r30_at_adsl-63-199-8-138.dsl.snfc21.pacbell.net) has joined
> [15:41:46] --> i455418b (362d76_at_calnet15-234.gtecablemodem.com) has
> joined
> [15:41:46] --> y911819x
> (131s44_at_adsl-63-205-159-146.dsl.lsan03.pacbell.net) has joined
> [15:41:46] --> f159914h (940l45_at_kt.karacs.sulinet.hu) has joined
> [15:41:46] --> x1250320w (1999i8_at_kt.karacs.sulinet.hu) has joined
> [15:41:46] --> w104473g (182s42_at_kt.karacs.sulinet.hu) has joined
> [15:46:57] <-- r121038l (~164a56_at_12.8.233.98) has left
> [15:46:57] <-- t182786x (~2014z76_at_node134a5.a2000.nl) has left
> [15:46:57] <-- w152120h (~115t73_at_adsl-78-184-91.mco.bellsouth.net) has
> left
> [15:47:00] <-- l58971w (413x34_at_adsl-63-199-8-138.dsl.snfc21.pacbell.net)
> has left
> [15:47:00] <-- x1250320w (1999i8_at_kt.karacs.sulinet.hu) has left
> [15:47:00] <-- t448718u (231e58_at_node1270f.a2000.nl) has left
> [15:47:00] <-- q1761710g
> (873r30_at_adsl-63-199-8-138.dsl.snfc21.pacbell.net) has left
> [15:47:00] <-- i455418b (362d76_at_calnet15-234.gtecablemodem.com) has left
>
> [15:47:00] <-- r765519r
> (932q75_at_adsl-63-205-159-146.dsl.lsan03.pacbell.net) has left
> [15:47:00] <-- y911819x
> (131s44_at_adsl-63-205-159-146.dsl.lsan03.pacbell.net) has left
> [15:47:00] <-- t57012o (1425w46_at_node134a5.a2000.nl) has left
> [15:47:00] <-- z15931b (392o31_at_node168f2.a2000.nl) has left
> [15:47:00] <-- u1225416s (1195g62_at_adsl-78-184-91.mco.bellsouth.net) has
> left
>
> [15:47:00] <-- p1446414q (1481n97_at_node134a5.a2000.nl) has left
>
> --
> "There are two major products that come out of Berkeley: LSD and UNIX. We
> don't believe this to be a coincidence." -- Jeremy Anderson
>
>
>
Received on Nov 02 2000
Intro
