The most likely thing is that he either downloaded, or was sent some kind of
remote control software like sub seven or bo, though most virus scanners
would detect it. Is he using a custom script for mirc? It's possible the
script or mirc itself has an exploit in it. Or, the author of mirc has added
another (this would be the 3rd or so) backdoor into his software (why do
people still use this?).
On Wednesday 27 February 2002 01:20 pm, -=JinXsta=- wrote:
> I lurk a lot here and I know a fair amount about computer security,
> although I still thought I would hit you with this question.
>
> I have a friend on mirc that is being "penetrated" in some way. This goes
> as follows...
>
> The person quits with a quit message of ("I am lame, I bow down to the
> master...")
>
> This message is not generic, as it has happened on two occasions with
> different quit messages each time.
>
> The user is also unaware that this is happening, he just sees a
> disconnect message.
>
> After this has happened, his computer seems to function correctly, until
> when he reboots his "c: drive is inaccessible", his only "layman"
> solution is to reinstall windows.
>
> He is on windows98 incidentally, although it also happened with WindowsME
>
> The first time this occurred, I told him not to install any third party
> services, such as icq etc. and just have his mirc - which again I told
> him to download 6.1 in case it was the mirc service that was being
> compromised. I also told him not to use any canned nukes/programs as
> they are usually infected within themselves.
>
> However, he followed my advice and it happened to him again. My first
> thought is that it is a trojan, especially after the TCP probes (shown
> below) his walls (zone alarm pro and neo watch) logged just before this
> happened. But, it must be a relatively advanced trojan as it's getting
> past his wall and due to the random nature of the probes it seems that
> the person is not directly connecting to the trojan server and is
> unaware of what server they are actually connecting to. I suspect the
> person is a big script kiddy, but I cannot confirm this.
>
> I have also suggested to him to get filemon and regmon on his system so
> he can see when anything is being changed that he is unaware of,
> which he is going to do now.
>
> I also checked the IP of the probes and they seem to be coming from a
> shell account, so I am also guessing that they may be running a sploit
> or scanner from a shell.
>
> He is also running NortonAntivirus2002, msn
>
> So.. I ask you...
>
> What other possibilities are there of the compromise?
> How could he detect the compromise?
> How could he prevent the compromise?
>
> What is this P+P bug within all versions of windows?
>
*snippity snip*