From a forward to me on the DDoS stuff... this might shed some light on the DDoS problem; if not, sorry for the bandwidth.
--------begin forward
>[Note: I just noticed last night, after giving a talk on this incident, that
>several threads on the SANS Unisog list going back as far as February 18,
>2002 have discussed this same botnet in generality and in some detail, so I
>can't claim to be the first to analyze this botnet. That credit goes to
>Christopher E. Cramer of Duke University. (That's what I get for letting
>myself get so far behind on email, and for not studying all sources of
>information I had available to me when we first started seeing problems.
>Hopefully someone on the unisog list will cross-post to
>[EMAIL PROTECTED] when a widespread incident like this pops up
>next time. ;)
>
>The Unisog threads can be found here:
>
>  http://staff.washington.edu/dittrich/misc/ddos/unisog-xdcc.txt
>
>Since all this work was already done, I'll still post what I have assembled
>with the assistance of Mike Hornung and Alexander Howard at the UW, in hopes
>I'm adding something new in the way of tools and techniques (see my
>CanSecWest talk slides referenced at bottom) that will help speed up
>response the next time one of these massive botnets is assembled using
>compromised computers.]
>
>
>Summary
>=======
>
>Over the months of March through late April of 2002, the University of
>Washington has seen multiple incidents of distributed "warez" (pirated
>software) and denial of service (DDoS) attacks, coming from Windows 2000 and
>NT systems. These systems all have several things in
>common:
>
>  o They appeared to be found with no password on the
>    Administrator account, and control taken over.
>
>  o They had various IRC bots installed on them, including
>    knight.exe, GTbot, and X-DCC (a distributed "warez"
>    serving bot.)
>
>  o They had the ServUFTP daemon running on them for incoming
>    file transfer (to load the "warez".)
>
>  o They had Firedaemon (a program that registers programs for
>    execution to serve incoming connections, similar to the Unix
>    "inetd" daemon.)
>
>Details
>=======
>
>Forensic analysis of hard drive contents and IRC traffic has revealed the
>methods and signatures of the malware installed on the compromised systems.
>To date we are not 100% sure of exactly how the initial backdoor
>installation occurs, but it appears to involve remote shell access (via
>telnetd). Whatever it is, the next step is to transfer a script onto the
>system and run it to bootstrap the rest of the installation of backdoors,
>bots, FTP server, and other support programs, the modification of
>directory/file permissions and attributes to hide files, and changes to
>registry settings to make programs run at each boot. On some systems, FTP is
>also used to later transfer files onto the compromised system.
>
>The script does the following:
>
>o Creates a directory under the C:\RECYCLER directory, and marks
>  it as a hidden and system directory.
>
>o Kills any previously running instances of itself.
>
>o Installs Firedaemon, and changes it (and other support programs)
>  to be system/hidden.
>
>o Uses tftp to download IRC bot configuration files from a temporary
>  cache (on another compromised system)
>
>o Does a "net user administrator changem" and deletes the
>  ipc$ file share.
>
>o Starts the Firedaemon and registers services named "Ms32dll",
>  "SVHOST" and "MSVC5"
>
>o Creates a file to set the following Registry settings, then
>  runs "regedit" on this file:
>
>    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\]
>    "restrictanonymous"="1"
>    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\]
>    "NTLM"="2"
>
>o Cleans up some files, and stops and deletes the following
>  services: "tlntsvr" and "PSEXESVC"
>
>o (Re)Starts the following services: "lmhosts" and "NtLmSsp"
>
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>user_nick [XDCC]XXXX-649
>slotsmax 20
>loginname XXXXX
>filedir C:\RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
>uploaddir C:\RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
>xdccfile c:\winnt\system32\vmn32\asp\mybot.xdcc
>pidfile c:\winnt\system32\vmn32\asp\mybot.pid
>server irc.XXXXXX.net 6667
>server irc.XXXXXX.net 7000
>server XXXX.XXXXX.net 6667
>server XXXX.XXXXX.net 7000
>server XXX.XXX.XX.XXX 6667
>logrotate weekly
>messagefile c:\winnt\system32\vmn32\asp\mybot.msg
>ignorefile c:\winnt\system32\vmn32\asp\mybot.ignl
>channel #XDCC -plist 15
>user_realname XDCC
>user_modes +i
>virthost no
>vhost_ip virtip.domain.com
>firewall no
>dccrangestart 4000
>queuesize 20
>slotsmaxpack 0
>slotsmaxslots 5
>slotsmaxqueue 10
>maxtransfersperperson 1
>maxqueueditemsperperson 1
>restrictlist yes
>restrictsend yes
>overallminspeed 5.0
>transfermaxspeed 0
>overallmaxspeed 2000
>overallmaxspeeddayspeed 0
>overallmaxspeeddaytime 9 17
>overallmaxspeeddaydays MTWRF
>debug no
>autosend no
>autoword bleh
>automsg bleh
>autopack 1
>xdccautosavetime 15
>creditline ^2Brought to you by #XDCC^2
>adminpass Xv8h8aXknm8J5z
>adminhost *!*@*.XXXXXX.net
>adminhost *!*@*.cia.gov
>uploadallowed no
>uploadmaxsize 900
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>A search of Google for the terms "+X-DCC +XDCC +bot" comes up with several
>hits, including the
>following list of the top IRC networks. The X-DCC/XDCC
>related channels (including channels found on many of the compromised
>systems at the UW) were the majority of the top channels on this site:
>
>  http://62.27.120.133/networks/chanlist.shtml
>
>The signature of these particular bots can be identified by the string
>":Total Offered:" (the amount of disc space used for "warez" on the system,
>to be served by the bot):
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>T 2002/04/18 08:30:18.768002 10.1.1.1:6667 -> 192.168.2.2:3852 [AP]
> :[f0]-XDCC230!~[EMAIL PROTECTED] PRIVMSG #XXXXXXXXXX
> :.**. .Brought to you by #XXXXXXXXXXXXX. .**...:[f0]-XDCC230!~accute@
> foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXX :.**. .Brought to you by #X
> XXXXXXXXXXXX. .**...
>
>T 2002/04/18 08:30:20.452092 217.199.39.139:7000 -> 128.208.113.130:1031
>[AP]
> :[f0]-XDCC230!~[EMAIL PROTECTED] PRIVMSG #XXXXXXXXXX
> :Total Offered: 1223.5 MB Total Transferred: 419.19 MB..:[f0]-XDCC230
> !~[EMAIL PROTECTED] PRIVMSG #XXXXXXXXX :Total Offered: 1
> 223.5 MB Total Transferred: 419.19 MB..:[f0]-XDCC230!~accute@foo-000
> 0000.bar.asu.edu PRIVMSG #XXXXXXXXX :Total Offered: 1223.5 MB Tota
> l Transferred: 419.19 MB..
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Using this information, a capture of all IRC traffic across the border of
>the network was performed and a script written ("findoffer") to parse and
>summarize the totals. Sampling IRC traffic to/from a set of 9 compromised
>systems (tcpdump filter "tcp port 6667 and tcp port 7000"), and using
>"findoffer", as many as 419 bots in 22 IRC channels were seen, serving a
>total of 556.18 GB (yes, over half a Terabyte!!! and that is just from bots
>in some of the X-DCC channels, not all of them.)
>
>[Note that IRC can be run over any port besides just 6667/tcp and 7000/tcp,
>so I expect that these bots will likely move off of public servers to rogue
>servers on compromised systems, and to use ports other than the standard
>6666/tcp - 7000/tcp.]
>
>In addition to file sharing, many (all?) of these systems were at least
>capable, if not actually used for, distributed denial of service (DDoS)
>attacks. Dozens of attacks have been attributed to the same group who
>installed these warez bots. Here is one such use:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>T 2002/03/27 02:28:31.434846 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
> :ns.example.net 404 KNIGHT77tdtR #doschan :Cannot send t
> o channel..:badd_kittycatN0yb!~[EMAIL PROTECTED] PRIVM
> SG #doschan :[login accepted]..
>
>T 2002/03/27 02:28:31.986647 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
> :ns.example.net 404 KNIGHT77tdtR #doschan :Cannot send t
> o channel..:badd_kittycatN0yb!~[EMAIL PROTECTED] PRIVM
> SG #doschan :[packeting 192.168.32.94 at 64000kb/s 10000000 times]..
> :vodkidWT!~[EMAIL PROTECTED] PRIVMSG #doschan :[packet
> ing 192.168.32.94 at 64000kb/s 10000000 times]..
>
> . . .
>
>T 2002/03/27 05:25:31.491814 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
> :[EMAIL PROTECTED] PRIVMSG #doschan :.run c:\w
> innt\system32\temp.exe..:XXXXXXXXXXZ2vco!~[EMAIL PROTECTED]
> .Edu PRIVMSG #doschan :[running c:\winnt\system32\temp.exe]..
>
>T 2002/03/27 05:25:31.493483 10.0.0.1:3164 -> 192.168.0.220:6667 [AP]
> PRIVMSG #doschan :[running c:\winnt\system32\temp.exe]..
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Two DDoS bots have been seen in use in conjunction with this activity:
>"knight.exe" and "GTbot". ("knight.exe" is the Unix "knight.c" program,
>compiled with the Cygwin development libraries.)
>These programs are
>described here:
>
>  http://www.cert.org/archive/pdf/DoS_trends.pdf
>  http://bots.lockdowncorp.com/gtbot.html
>
>The UDP traffic (seen by "tcpdump") during a GTbot attack shows some unusual
>packets:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>1017207252.687968 192.168.32.126.1646 > 10.203.32.94.37046: rad-#43 837
>  [id 32 ] Attr[ Acct_out_octets{length 30 != 4} ARAP_zone_acces{length 46 != 4}
>  NAS_id{ +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH} Acct_out_packets{length 41 != 4}
>  ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius}
>  ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius}
>  ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius}
>  ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius}
>  ARAP_challenge_resp{302B202B202B4154}|radius} [|radius]
>. . .
>1017207256.282173 192.168.32.126.1645 > 10.203.32.94.24413: rad-#64 440
>  [id 64 ] Attr[ Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4}
>  Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4}
>  Tunnel_type{length 62 != 4} [|radius]
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Seen by "ngrep", there is a strange kind of UDP flood:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>U 2002/03/26 21:34:16.284428 192.168.32.126:2892 -> 10.203.32.94:19192
> + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
> H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
> ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
> +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
> + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH
> 0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +A
> TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
> +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
> + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
> + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
> H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
> ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
>
>U 2002/03/26 21:34:16.284790 192.168.32.126:3099 -> 10.203.32.94:61749
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@
>
>U 2002/03/26 21:34:16.285599 192.168.32.126:2767 -> 10.203.32.94:44393
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)
>
>U 2002/03/26 21:34:16.286329 192.168.32.126:4403 -> 10.203.32.94:56289
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!
> ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%
> !@#%!^@)
>
>U 2002/03/26 21:34:16.287070 192.168.32.126:4008 -> 10.203.32.94:39934
> + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
> H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
> ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
> +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
> + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH
> 0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +A
> TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
> +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
> + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
> + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT
> H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +
> ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Apparent IRC traffic confirms there is a DDoS bot on this system:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>T 2002/03/26 21:36:43.468911 192.168.32.126:1135 -> 10.76.175.220:7666 [AP]
> PRIVMSG #doschan :.S.ending [.64,000.kb] of Data to (10.203.32.94).
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Seen by "tcpdump", one of the attack methods of this tool uses IP protocol
>255 (listed as "Reserved" by IANA). These attacks use both large packets
>(requiring fragmentation) and small packets. [Note: Network monitoring
>tools that only log TCP, UDP, and ICMP protocols will not see this attack
>traffic at all.]
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Fri Mar 22 20:54:59 2002
>1016859299.879744 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37686:1480@0+)
>1016859299.879745 192.168.0.1 > 10.209.12.152: (frag 37686:20@1480)
>1016859299.881140 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37687:1480@0+)
>1016859299.881141 192.168.0.1 > 10.209.12.152: (frag 37687:20@1480)
>1016859299.882465 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37688:1480@0+)
>1016859299.882465 192.168.0.1 > 10.209.12.152: (frag 37688:20@1480)
>1016859299.883866 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37689:1480@0+)
>
>
>Sat Mar 23 13:13:25 2002
>1016918005.627814 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.627905 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.627986 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.628120 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.628180 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.628282 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.628342 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>1016918005.628448 192.168.0.1 > 10.99.102.100: ip-proto-255 52
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Seen with Foundstone's "FPort" program, the program showed the following
>open ports:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>FPort v1.33 - TCP/IP Process to Port Mapper
>Copyright 2000 by Foundstone, Inc.
>http://www.foundstone.com
>
>Pid  Process     Port  Proto  Path
>2    System   -> 80    TCP
>187  inetinfo -> 80    TCP    C:\WINNT\System32\inetsrv\inetinfo.exe
>2    System   -> 113   TCP
>191  temp     -> 113   TCP    C:\WINNT\System32\temp.exe
>94   RpcSs    -> 135   TCP    C:\WINNT\system32\RpcSs.exe
>2    System   -> 135   TCP
>2    System   -> 139   TCP
>2    System   -> 443   TCP
>187  inetinfo -> 443   TCP    C:\WINNT\System32\inetsrv\inetinfo.exe
>191  temp     -> 1035  TCP    C:\WINNT\System32\temp.exe
>187  inetinfo -> 1036  TCP    C:\WINNT\System32\inetsrv\inetinfo.exe
>187  inetinfo -> 1037  TCP    C:\WINNT\System32\inetsrv\inetinfo.exe
>187  inetinfo -> 2962  TCP    C:\WINNT\System32\inetsrv\inetinfo.exe
>191  temp     -> 9000  TCP    C:\WINNT\System32\temp.exe
>2    System   -> 135   UDP
>2    System   -> 137   UDP
>2    System   -> 138   UDP
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>More information on this botnet, and references to the tools used to analyze
>it, were presented at CanSecWest Core02 in Vancouver, BC on May 2. The
>slides and references to the tools that were used can be found at the
>following location:
>
>  http://staff.washington.edu/dittrich/talks/core02/
>
>An example report produced by "findoffer" can be found at:
>
>  http://staff.washington.edu/dittrich/misc/ddos/xdcc-report.txt
>
>This report has been anonymized, since some of the hosts are voluntarily
>serving files (these networks are NOT exclusively compromised hosts running
>bots.) Use this script ONLY to identify hosts on your network, and make sure
>you follow all applicable privacy laws and policies of your organization
>regarding logging of IRC traffic.
>
>--
>Dave Dittrich                           Computing & Communications
>[EMAIL PROTECTED]                       University Computing Services
>http://staff.washington.edu/dittrich    University of Washington
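
As an added example (this is not Dittrich's "findoffer" script, which the post does not reproduce), the following Python pass over ngrep text output rejoins the hard-wrapped payloads, keeps only the latest ":Total Offered:" announcement per bot so periodic re-announcements are not double counted, totals the offered volume per channel, and also flags the bracketed bot status lines ("[packeting ...]", "[running ...]") of the kind seen in the #doschan capture. The capture text, nicks, channels and addresses below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in ngrep's layout, modelled on the captures quoted in the post
# (made-up nicks, channels, addresses). ngrep prints each non-printable byte as '.',
# so the IRC CRLF terminator appears as "..", and long payloads are hard-wrapped.
SAMPLE_NGREP = """\
T 2002/04/18 08:30:20.452092 198.51.100.7:7000 -> 192.0.2.10:1031 [AP]
  :[f0]-XDCC230!~u@host1.example.edu PRIVMSG #warezchan :Total Offered: 1
  223.5 MB  Total Transferred: 419.19 MB..:[f1]-XDCC001!~u@host2.exam
  ple.edu PRIVMSG #warezchan :Total Offered: 600.0 MB  Total Transferred: 10.0 MB..

T 2002/04/18 08:45:20.000000 198.51.100.7:7000 -> 192.0.2.10:1031 [AP]
  :[f0]-XDCC230!~u@host1.example.edu PRIVMSG #warezchan :Total Offered: 1223.5 MB  Total Transferred: 500.0 MB..
  :[f2]-XDCC777!~u@host3.example.edu PRIVMSG #otherchan :Total Offered: 2048.0 MB  Total Transferred: 0.0 MB..

T 2002/03/27 02:28:31.986647 198.51.100.9:6667 -> 192.0.2.10:3164 [AP]
  :badd_kitty!~u@host4.example.edu PRIVMSG #doschan :[packeting 203.0.113.5 at 64000kb/s 10000000 times]..
"""

HEADER_RE = re.compile(r"^[TU] (\S+ \S+) (\S+) -> (\S+)")
PRIVMSG_RE = re.compile(r":([^!\s:]+)!(\S+) PRIVMSG (#\S+) :(.*?)(?=\.\.|$)")
OFFER_RE = re.compile(r"Total Offered: ([\d.]+) MB\s+Total Transferred: ([\d.]+) MB")
STATUS_RE = re.compile(r"\[(packeting|running) ([^\]]*)\]")

def parse_ngrep(text):
    """Reassemble ngrep text output into one {ts, src, dst, payload} record per packet."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = {"ts": m.group(1), "src": m.group(2), "dst": m.group(3), "payload": ""}
            records.append(cur)
        elif cur is not None and line.strip():
            cur["payload"] += line.lstrip()  # hard-wrapped continuation: rejoin with no separator
    return records

def analyze(records):
    """Latest 'Total Offered' announcement per bot, keyed (channel, nick), plus every
    '[packeting ...]' / '[running ...]' status line. Bots re-announce periodically,
    so the newest value per bot is kept instead of summing every repeat."""
    offers, status = {}, []
    for rec in records:
        for nick, host, chan, text in PRIVMSG_RE.findall(rec["payload"]):
            if m := OFFER_RE.search(text):
                offers[(chan, nick)] = {"host": host, "last_seen": rec["ts"],
                                        "offered_mb": float(m.group(1)), "transferred_mb": float(m.group(2))}
            elif m := STATUS_RE.search(text):
                status.append({"ts": rec["ts"], "chan": chan, "nick": nick, "host": host,
                               "action": m.group(1), "args": m.group(2)})
    return offers, status

def summarize(offers):
    """Per-channel bot count and offered MB, plus the grand total in MB."""
    per_chan = defaultdict(lambda: {"bots": 0, "offered_mb": 0.0})
    for (chan, _nick), o in offers.items():
        per_chan[chan]["bots"] += 1
        per_chan[chan]["offered_mb"] += o["offered_mb"]
    return dict(per_chan), sum(c["offered_mb"] for c in per_chan.values())
```

Run against a real ngrep capture of the IRC ports, the per-channel totals are what the post's "556.18 GB in 22 channels" figure summarizes, and the status list is the DDoS-command evidence to preserve alongside it.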
