From: adam (agrahamlcc.net)
Date: Thu Jul 12 2001 - 15:26:23 CDT


our linux box was hit (attempted).... running hybrid.... IRC server and
red hat 7.0.... last night (july 11)

At 11:06 AM 7/12/2001 -0500, you wrote:

>Anyone seen the recent IRC related attacks? We were the source
>and destination for more than one massive flood yesterday.
>
>
>The MO so far seems to be:
>
> + Flood of IP protocol 255 packets from random, poorly admined, Win2K
> boxen.
>
> + The attacks seem to be directed almost exclusively at IRC servers.
>
>
>So far, we've found that the hacked Win2K boxes have the following:
>
> BackOrifice installed as
>
> c:\winnt\java\w.exe
>
> Also, there was a new executable installed as
>
> c:\winnt\system32\wlogin.exe
>
> And this was running as a service.
>
>
>Also, the hacked machines seem to be controlled via IRC. They're
>connecting to rogue IRC servers running on what appear to be hacked
>machines on DSL/Cablemodems.
>
>
>If I had to guess how they got this stuff installed, I'd say that it
>was done via IIS. None of the hacked machines that I've seen were patched
>and they were all running IIS.
>
>
>Paul
>--
>Paul Dokas dokascs.umn.edu
>======================================================================
>Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
>
>

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com
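The flood pattern and host artifacts described in the quoted report (IP protocol 255 from many sources toward IRC servers, plus the two file paths named) can be turned into simple detection checks. The script below is an added example, not code from the list or either poster; the flow-record format and sample records are constructed, and the `min_sources` threshold is an assumed tuning value.

```python
"""Detection sketch for the IRC-targeted IP protocol 255 floods in the report."""
from collections import defaultdict
import re

# Constructed sample flow records (not from the list post), one flow per line.
SAMPLE_FLOWS = """\
2001-07-11T23:10:02 src=198.51.100.7 dst=192.0.2.10 proto=255 bytes=1440
2001-07-11T23:10:02 src=198.51.100.9 dst=192.0.2.10 proto=255 bytes=1440
2001-07-11T23:10:03 src=203.0.113.4 dst=192.0.2.10 proto=255 bytes=1440
2001-07-11T23:10:03 src=198.51.100.22 dst=192.0.2.10 proto=255 bytes=1440
2001-07-11T23:10:04 src=10.0.0.5 dst=192.0.2.10 proto=6 dport=6667 bytes=320
2001-07-11T23:10:05 src=203.0.113.9 dst=192.0.2.44 proto=255 bytes=1440
"""

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\d+)")


def parse_flows(text):
    """Yield (src, dst, proto) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["proto"])


def find_proto255_floods(text, min_sources=3):
    """Return {dst: sorted sources} for destinations receiving IP protocol 255
    from at least min_sources distinct hosts (the distributed flood pattern)."""
    by_dst = defaultdict(set)
    for src, dst, proto in parse_flows(text):
        if proto == 255:
            by_dst[dst].add(src)
    return {d: sorted(s) for d, s in by_dst.items() if len(s) >= min_sources}


# Host artifacts named in the report; compared case-insensitively since NTFS is.
KNOWN_ARTIFACTS = {r"c:\winnt\java\w.exe", r"c:\winnt\system32\wlogin.exe"}


def match_host_artifacts(paths):
    """Return the inventoried file paths that match the report's indicators."""
    return sorted(p for p in paths if p.lower() in KNOWN_ARTIFACTS)


if __name__ == "__main__":
    print(find_proto255_floods(SAMPLE_FLOWS))
    print(match_host_artifacts([r"C:\WINNT\system32\wlogin.exe", r"C:\WINNT\notepad.exe"]))
```

A real deployment would feed this from router flow exports or a packet capture filter on IP protocol 255, and the artifact check from a file inventory of each Win2K host.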