Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Incidents: RE: I think I've been hacked...please help!

RE: I think I've been hacked...please help!

From: Pepijn Vissers <vissers_at_fox-it.com>
Date: Tue, 9 Apr 2002 13:39:31 +0200

Hi Jamie,

./I have several machines that are using excessive bandwidth. Upon
./inspection, I find multiple connections to servers with names like
./irc.badguuy.com, etc... On 6667.

Well, my first guess is that your machines are
used for a dDoS, controlled through (modified) eggdrops and
the irc-servers. Did you run a tcpdump to see which channel(s) they
join and with what key? You could use an 'anonimized' machine which
does not lead back to your official network and join the chan, pose
as an eggdrop and do some research. Just wait until you get queried
with commands :)

./Incoming connections are random although 1067 seems to be a common one.
./I have 4 instances of cmd.exe running and 2
./of win.exe While it looks like Egghead, the reg entries
./aren't there nor the directories/files.

Maybe they pose as other programs. You could try to use some tools
from sysinternals (www.sysinternals.com) or so to examine which program
is using the socket that is connected to the irc-server.

./What is confusing to me is that one of them uses our Exchange server which
is protected by
./Antigen (and I pull nearly every extension known to man) and
./McAffee on the desktop. I can't find anything that matches this. Anyone
./have any insight?

Not sure. Maybe they don't see eggdrops as a threat / trojan.
They were in the first place surely never written to be any of those.
Maybe the characteristics of the used programs do not match the definitions
because they are slightly modified. There are serveral ways to circumvent
virusscanners.

Good luck,
P. Vissers

./Thanks
./
./J
./
./--------------------------------------------------------------
./--------------
./This list is provided by the SecurityFocus ARIS analyzer service.
./For more information on this free incident handling, management
./and tracking system please see: http://aris.securityfocus.com
./

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Apr 09 2002

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos