just got back home...guess i didn't miss much
hi... I'm a newbie here. This problem posted by you is kinda interesting. I know too little about computer security, but I guess any of you would like to read this interesting article about an attack on a website using so-called IRC "zombies" that I accidentally read. Part of it is written like this:
"Wicked's" response was to team up with two other hackers, all of whom tend and manage large fleets of "IRC Attack Bots". They launched a concerted and extended "packet attack" against grc.com. In the slang that I learned while monitoring their many conversations, they "packeted" us. They did this, not using any tool they had written, and not possessing the ability to create such a tool themselves, but using a powerful "IRC Bot" that had been passed around extensively. Neither Wicked nor his friends know who wrote it or even where it came from.
The URL is http://grc.com/dos/grcdos.htm
There are a few trojans/viruses out there that make their presence known through IRC.
If you are infected by them, it (the malware) connects to an IRC server and just sits there. This will at least give the spreader(s) of the malware an IP address, so they (the spreaders) will know who's infected. Some trojans will also accept and execute commands given through IRC.
Hook up a sniffer and look at the traffic. This will give you a lot of clues as to what's actually happening.
Beware that the 6667 port *might* be a source port. In this case it *may* be normal traffic.
You should be able to tell what's what when you hook up the sniffer.
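Turning the advice above into a check that can be run over a saved TcpView or netstat listing, as an added example (not code from this thread). The connection table, the host names and the list of "known" IRC clients are constructed for the example; the verdicts encode the caveat made above, that 6667 as the local port is not on its own evidence of a bot, and the first line has the same shape as the TcpView line posted later in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed TcpView/netstat-style connection table (sample input, not a
# real capture). Lines 2-5 are made up to cover the cases discussed above:
# a legitimate IRC client, 6667 as the *local* port, and ordinary listeners.
SAMPLE_TABLE = """\
system.exe:2096 TCP my.ip.client.dsl.net:1039 218.22.2.153:6667 ESTABLISHED
mirc.exe:2210 TCP 192.0.2.10:1042 irc.example.net:6667 ESTABLISHED
ircd.exe:1440 TCP 192.0.2.10:6667 198.51.100.7:3321 ESTABLISHED
svchost.exe:880 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:8 TCP 192.0.2.10:139 0.0.0.0:0 LISTENING
"""

# Ports conventionally used by IRC servers: 6660-6669 and 7000.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Programs you would expect to speak IRC on purpose (illustrative list,
# an assumption of this example; extend it for your own environment).
KNOWN_IRC_CLIENTS = {"mirc.exe", "xchat.exe", "ircd.exe"}

# The real Windows kernel process is listed as "System" with no extension,
# so a file called system.exe is a name chosen to blend in.
LOOKALIKE_NAMES = {"system.exe"}

# process:pid PROTO localhost:port remotehost:port [STATE]
LINE_RE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>\S+):(?P<lport>\d+)\s+(?P<rhost>\S+):(?P<rport>\d+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


@dataclass
class Connection:
    proc: str
    pid: int
    proto: str
    lhost: str
    lport: int
    rhost: str
    rport: int
    state: Optional[str]


def parse_line(line: str) -> Optional[Connection]:
    """Parse one table line; return None for headers or anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Connection(m["proc"], int(m["pid"]), m["proto"], m["lhost"],
                      int(m["lport"]), m["rhost"], int(m["rport"]), m["state"])


def classify(c: Connection) -> Optional[str]:
    """Verdict for IRC-related connections, None for everything else."""
    if c.rport in IRC_PORTS and c.state == "ESTABLISHED":
        # Remote side is on an IRC port, so this host is the client. A client
        # that is not a known IRC program is the case to investigate.
        if c.proc.lower() in KNOWN_IRC_CLIENTS:
            return "irc-client-known"
        return "irc-client-unexpected"
    if c.lport in IRC_PORTS:
        # 6667 as the local port: this host is the server side of the
        # conversation, or 6667 simply happens to be the source port. Not
        # evidence by itself; look at the process and sniff the traffic.
        return "irc-port-local-only"
    return None


def find_irc_connections(table: str) -> List[Tuple[str, int, str, int, str, bool]]:
    """Return (proc, pid, remote host, remote port, verdict, lookalike-name)
    for every line that touches an IRC port."""
    results = []
    for line in table.splitlines():
        c = parse_line(line)
        if c is None:
            continue
        verdict = classify(c)
        if verdict:
            results.append((c.proc, c.pid, c.rhost, c.rport, verdict,
                            c.proc.lower() in LOOKALIKE_NAMES))
    return results


if __name__ == "__main__":
    for row in find_irc_connections(SAMPLE_TABLE):
        print(row)
```

The verdict only tells you which connections deserve the sniffer; it does not replace it. An "irc-client-unexpected" row from a process with a lookalike name is the combination the rest of this thread is about.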
Thanks for your help everyone, a sniffer was my next idea but I'll do fport first. I'll be back in the office tonight, will let you all know what I find, thanks again.
Greg
Ok, here's what I've found so far....
Tcpview listed this
system.exe:2096 TCP my.ip.client.dsl.net:1039 218.22.2.153:6667 ESTABLISHED
System.exe was located in c:\winnt\system32
The only info I could find on this was here
http://www.sophos.com/virusinfo/anal...ushtro122.html
however the server.exe that it says is put in the winnt directory isn't there.
Anyway, I've stopped the process and removed the registry key that went with it, and the connection did go away. So I'm guessing it wasn't the one Sophos is talking about; it might have just been a renamed IRC client or something, not sure. Anyway, I'll probably get a sniffer and start it up on a test server just to see what it's doing.
Thanks for your help
Greg
Just for fun I dumped the IP address into SamSpade. Here is what the outcome is:
08/05/03 22:09:37 IP block 218.22.2.153
Trying 218.22.2.153 at ARIN
Trying 218.22.2 at ARIN
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
NetRange: 218.0.0.0 - 218.255.255.255
CIDR: 218.0.0.0/8
NetName: APNIC4
NetHandle: NET-218-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: RS2.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 2000-12-07
Updated: 2002-09-11
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: [email protected]
# ARIN WHOIS database, last updated 2003-08-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
So horse, you may be in danger of having this trojan
Quote:
Backdoor.IRC.Flood.F is (**NOT THE SAME AS THE Backdoor.IRC.Cirebot THAT UND3RTAK3R WARNED US ABOUT**) a Backdoor Trojan Horse that will attempt to connect to an IRC server on port 6667. Once the Trojan is connected to the IRC server, it waits for commands from its creator.
http://securityresponse.symantec.com...c.flood.f.html
May want to check the URL out.
BD]Hobbit
if you query apnic directly:
whois -h whois.apnic.net 218.22.2.153 ...
% [whois.apnic.net node-2]
% How to use this server http://www.apnic.net/db/
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.22.0.0 - 218.23.255.255
netname: CHINANET-AH
descr: CHINANET Anhui province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: JW89-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-AH
changed: [email protected] 20010528
status: ALLOCATED PORTABLE
source: APNIC
person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-66027334
e-mail: [email protected]
e-mail: [email protected]
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: [email protected] 20021016
source: APNIC
person: Jinneng Wang
address: 17/F, Postal Building No.120 Changjiang
address: Middle Road, Hefei, Anhui, China
country: CN
phone: +86-551-2659073
fax-no: +86-551-2659287
e-mail: [email protected]
nic-hdl: JW89-AP
mnt-by: MAINT-NEW
changed: [email protected] 19990818
source: APNIC
yet another reason to drop all packets from Asia
This is probably just where the IRC server is located. If you set up a sniffer, then start system.exe and see what it sends, what room, etc., if you're curious. Or better still, count yourself lucky you caught it: put up a firewall and keep your defs current.
It is really generic for someone to make a system.exe and throw it into a system folder, and quite a few viruses and trojans do it. As for port 6667, that most likely is IRC, but without a sniffer you would be unable to tell if it was IRC or the trojan sending information over it; it could also be both.
Quote:
System.exe was located in c:\winnt\system32
If you do want to find out more about exactly what this file was doing, you could replace it with a sniffer system or program installed either between this machine and the internet (using Snort) or just a local packet sniffer on the same computer (AnalogX's PacketMon would do fine).
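What the sniffer would show once system.exe is started, and how to pull the useful parts out of the stream, as an added example that is not part of the original post. The capture below is constructed: the nick, channel, hosts and the ".login"/".udp" command syntax are invented for illustration and are not taken from any real bot. The parser follows the IRC line format (optional `:prefix`, command, parameters, trailing `:text`) and reports the nick the bot registered, the channel it joined, the channel topic, who issued commands in the channel, and what the bot answered, which is exactly the "what it sends, what room" information asked for above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a reassembled TCP stream between an infected host and
# an IRC server, in the form Snort or PacketMon would let you read it.
# ">" marks bytes sent by the infected host, "<" bytes received from the server.
# Nicks, channel, hosts and bot commands are invented for this example.
CAPTURE = """\
> NICK [USA]xx4821
> USER xx4821 0 * :xx4821
< :irc.example.net 001 [USA]xx4821 :Welcome
> JOIN #b0tz secretkey
< :[USA]xx4821!~xx4821@203.0.113.5 JOIN :#b0tz
< :irc.example.net 332 [USA]xx4821 #b0tz :.login pass123
< PING :irc.example.net
> PONG :irc.example.net
< :ctrl!~op@198.51.100.9 PRIVMSG #b0tz :.login pass123
< :ctrl!~op@198.51.100.9 PRIVMSG #b0tz :.udp 192.0.2.44 80 60
> PRIVMSG #b0tz :[UDP]: Sending packets to 192.0.2.44
"""

# [":" prefix SPACE] command [SPACE params]
IRC_LINE_RE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<command>\S+)(?:\s+(?P<params>.*))?$")


@dataclass
class IrcMessage:
    direction: str          # "out" = sent by the infected host, "in" = from the server
    prefix: Optional[str]   # nick!user@host or server name, when present
    command: str            # NICK, USER, JOIN, PRIVMSG, a numeric reply, ...
    params: List[str]       # middle params, then the trailing param if any


def parse_irc_line(direction: str, raw: str) -> Optional[IrcMessage]:
    """Split one IRC protocol line into prefix, command and parameter list."""
    m = IRC_LINE_RE.match(raw.strip())
    if not m:
        return None
    params_text = m.group("params") or ""
    # Middle params are space separated; a param starting with ":" is the
    # trailing param and may itself contain spaces.
    if params_text.startswith(":"):
        middle, trailing = "", params_text[1:]
    elif " :" in params_text:
        middle, trailing = params_text.split(" :", 1)
    else:
        middle, trailing = params_text, None
    params = middle.split()
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(direction, m.group("prefix"), m.group("command").upper(), params)


def parse_capture(text: str) -> List[IrcMessage]:
    """Turn the '>'/'<' annotated capture into a list of parsed messages."""
    msgs = []
    for line in text.splitlines():
        marker, _, raw = line.partition(" ")
        direction = {">": "out", "<": "in"}.get(marker)
        if direction is None or not raw.strip():
            continue
        msg = parse_irc_line(direction, raw)
        if msg:
            msgs.append(msg)
    return msgs


def summarize(text: str) -> Dict:
    """What an analyst wants from the session: identity, room, who gives
    orders there, what orders were given, and what the bot reported back."""
    s: Dict = {"nick": None, "user": None, "channels": [], "topics": {},
               "controllers": set(), "received": [], "sent": []}
    for m in parse_capture(text):
        if m.direction == "out":
            if m.command == "NICK" and m.params:
                s["nick"] = m.params[0]
            elif m.command == "USER" and m.params:
                s["user"] = m.params[0]
            elif m.command == "JOIN" and m.params:
                for chan in m.params[0].split(","):
                    if chan not in s["channels"]:
                        s["channels"].append(chan)
            elif m.command == "PRIVMSG" and len(m.params) >= 2:
                s["sent"].append((m.params[0], m.params[1]))
        else:
            # Only messages into a channel the bot joined count as commands;
            # the topic (numeric 332) is often where bots keep a standing order.
            if m.command == "PRIVMSG" and len(m.params) >= 2 and m.params[0] in s["channels"]:
                sender = m.prefix.split("!")[0] if m.prefix else "?"
                s["controllers"].add(sender)
                s["received"].append((sender, m.params[1]))
            elif m.command == "332" and len(m.params) >= 3:
                s["topics"][m.params[1]] = m.params[2]
    return s


if __name__ == "__main__":
    for key, value in summarize(CAPTURE).items():
        print(f"{key}: {value}")
```

The channel, the channel key on the JOIN line and the controller's nick and host are what to hand to the IRC network's abuse contact; the bot's own outbound PRIVMSG lines tell you whether it was only idling or actually acting on commands while it was connected.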
BDHobbit, I think you're confused. I don't have a problem; I'm involved in trying to find one. ;)
Quote:
So horse, you may be in danger of having this trojan
waytallgel is the person who has the issue.