The "text based protocol" at 63.246.134.50:9900 that you are talking about is IRC. This is an IRC server. Try connecting to it using an IRC client.
Your computer has been compromised and is part of a large botnet (/join #A to see what I mean) which is probably being used to attack other networks. Take it offline immediately and do a thorough check.
There seem to be about 4000-5000 machines in this botnet and the Ops use commands like "login yoink -s", "threads -n", "scan *.*.*.*" to control them.

--
Cheers,
S.G.Masood

Hyderabad,
India.
--

--- Michael Linke <[EMAIL PROTECTED]> wrote:
> At one of our Computers with Internet Access, I found a strange program
> running.
> amdpatchB.exe (38 KB)
>
> This program is trying to get Internet Access while starting.
> amdpatchB.exe is connecting to 63.246.134.50:9900.
> There is a text based protocol running on 63.246.134.50 at a service on port
> 9900.
> See Telnet output:
> ________________________________________________________
> telnet 63.246.134.50 9900
> Trying 63.246.134.50...
> Connected to 63.246.134.50.
> Escape character is '^]'.
> NOTICE AUTH :*** Looking up your hostname
> NOTICE AUTH :*** Checking Ident
> NOTICE AUTH :*** Found your hostname
> help
> :Drones2.newiso.org 451 * :Register first.
> _________________________________________________________
>
> I used Google to look for this filename but got no result.
> Any ideas what this is?
>
> Regards,
> Michael
> _____________________
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of Richard Johnson
> Sent: Wednesday, 17 September 2003 17:48
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: openssh remote exploit
>
> In article <[EMAIL PROTECTED]>,
> petard <[EMAIL PROTECTED]> wrote:
>
> > An exploit would certainly constitute such evidence. Have you seen
> > anything that indicates this bug is exploitable?
>
> I'm beginning to suspect that compromises attributed to this bug on
> Linux hosts were coincidental. They could have happened via exploits
> of other problems. That's because no-one has any forensics data or
> logs that indicate this particular bug as an attack route.
>
> However, the chance is not worth taking in practice, so upgrade time it
> is.
>
>
> Richard
>
> --
> My mailbox. My property. My personal space. My rules. Deal with it.
> http://www.river.com/users/share/cluetrain/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
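
What marks the quoted telnet session as IRC is the shape of the server lines: NOTICE AUTH connection notices and a prefixed three-digit numeric reply (451 is ERR_NOTREGISTERED in RFC 1459). The Python below is an added example, not part of the original thread: it parses captured server lines in the RFC 1459 message format and flags IRC spoken on a port outside the conventional IRC ports. The function names and the port set are assumptions made for this example.

```python
import re

# Server lines copied from the telnet transcript quoted in the message above.
CAPTURE = """NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname
:Drones2.newiso.org 451 * :Register first.
"""

# Ports conventionally used for IRC (assumption of this example).
USUAL_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# RFC 1459 message: [":" prefix SPACE] command [params] [" :" trailing]
LINE_RE = re.compile(
    r"^(?::(?P<prefix>\S+) +)?(?P<command>[A-Za-z]+|\d{3})(?P<rest>(?: .*)?)$")

def parse_irc_line(line):
    """Return (prefix, command, params), or None if the line is not IRC-shaped."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    # Everything after the first " :" is one trailing parameter.
    head, sep, trailing = m.group("rest").partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return m.group("prefix"), m.group("command").upper(), params

def classify_session(text, port):
    """Look for IRC server traits in a captured server-to-client stream."""
    findings = []
    for line in text.splitlines():
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        prefix, command, params = parsed
        if command == "NOTICE" and params[:1] == ["AUTH"]:
            findings.append("ircd connection notice")
        elif command.isdigit() and prefix:
            # Numeric replies always carry the server name as prefix.
            findings.append(f"numeric reply {command} from {prefix}")
    is_irc = any(f.startswith("numeric reply") for f in findings)
    return {"irc": is_irc,
            "unusual_port": is_irc and port not in USUAL_IRC_PORTS,
            "findings": findings}

if __name__ == "__main__":
    print(classify_session(CAPTURE, 9900))
```
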
