On Wed, Sep 17, 2003 at 09:05:33PM +0200, Michael Linke wrote:
> This program is trying to get Internet Access while starting.
> amdpatchB.exe is connecting 63.246.134.50:9900.
> There is a text based protocol running on 63.246.134.50 at a service on port
> 9900.
> See Telnet output:
> ________________________________________________________
> NOTICE AUTH :*** Looking up your hostname
> NOTICE AUTH :*** Checking Ident
> NOTICE AUTH :*** Found your hostname

This is an IRC server. It looks like your machine is now part of some kind of bot network. Any indication of how the machine was compromised?

[local users on irc(3240)] 100%
[global users on irc(3236)] 100%
[invisible users on irc(4)] 0%
[ircops on irc(3)] 0%
[total users on irc(3240)]
[unknown connections(8)]
[total servers on irc(1)] (avg. 3240 users per server)
[total channels created(7)] (avg. 462 users per channel)

Channel     Users  Topic
#use        3
#yes2       1
#a          2217
#amernnq    32
#abcdefg    32
#proxy      2

#a has a bunch of clients with random names:

[ eifefs ] [ ssdbw ] [ luwbx ] [ niiopk ] [ iuuvcr ]
[ wkmcyh ] [ hxsdxj ] [ dwyfe ] [ mmfok ] [ hiqhn ]
[ guiq ] [ ijgym ] [ dyhvq ] [ wyuo ] [ lwyo ]
[ deii ] [ mlosw ] [ lpmblg ] [ jfybwz ] [ czyna ]
[ ptyqm ] [ gbxn ] [ eqpabg ] [ jqmk ] [ klnzuu ]

And random idents:

#a nefgg H [EMAIL PROTECTED] (nefgg)
#a fywu H [EMAIL PROTECTED] (fywu)
#a dmwt H [EMAIL PROTECTED] (dmwt)
#a dggssb H [EMAIL PROTECTED] (dggssb)
#a zaovrf H [EMAIL PROTECTED]
#a jlhiqz H [EMAIL PROTECTED] (jlhiqz)
#a fqpb H [EMAIL PROTECTED] (fqpb)
#a myuckz H [EMAIL PROTECTED]

Hope this helps.

-Chris
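
Added example (not part of the original message or thread): a small Python check that recognises an IRC server greeting such as the one quoted above from the first bytes of an outbound connection, and flags it when the port is not one usually used for IRC. The port set, function names and return labels are assumptions made for this example; the sample banner is the three lines quoted in the post with line endings added.

```python
import re

# Ports commonly associated with IRC; an assumption to tune per environment.
USUAL_IRC_PORTS = {194, 6697, 7000} | set(range(6660, 6670))

# RFC 1459 line shape: [":" prefix] command [params] [":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) +)?"
    r"(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: +[^ :][^ ]*)*)"
    r"(?: +:(?P<trailing>.*))?$"
)
SERVER_COMMANDS = {"NOTICE", "PING", "ERROR"}

# Banner lines as quoted in the post, CRLF line endings added for the example.
SAMPLE = (
    b"NOTICE AUTH :*** Looking up your hostname\r\n"
    b"NOTICE AUTH :*** Checking Ident\r\n"
    b"NOTICE AUTH :*** Found your hostname\r\n"
)


def is_irc_server_line(line):
    """True if one line looks like something an IRC server sends on connect."""
    m = IRC_LINE.match(line)
    if not m:
        return False
    command = m.group("command").upper()
    if command.isdigit():
        # Numeric replies carry the server name as prefix, which separates
        # them from SMTP/FTP greetings such as "220 host ready".
        return m.group("prefix") is not None
    if command not in SERVER_COMMANDS or m.group("trailing") is None:
        return False
    # A NOTICE also needs a target parameter ("AUTH" before registration).
    return command != "NOTICE" or bool(m.group("params").strip())


def classify_banner(data, port):
    """Classify the first bytes a server sent on a new TCP connection."""
    lines = [l for l in data.decode("latin-1").splitlines() if l.strip()]
    hits = sum(is_irc_server_line(l) for l in lines)
    if not lines or hits * 2 < len(lines):
        return "not-irc"
    return "irc" if port in USUAL_IRC_PORTS else "irc-on-unusual-port"


if __name__ == "__main__":
    print(classify_banner(SAMPLE, 9900))
```

A workstation process that receives this kind of greeting on an unusual port is worth investigating even when the destination address is not on any blocklist.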
