[8109] in bugtraq
Re: Internet Wide DOS Attack using IRC
daemon@ATHENA.MIT.EDU (Samuel Cossette)
Fri Oct 2 22:54:15 1998
Date: Fri, 2 Oct 1998 20:55:01 -0400
Reply-To: Samuel Cossette <cluster@VIDEOTRON.CA>
From: Samuel Cossette <cluster@VIDEOTRON.CA>
To: BUGTRAQ@NETSPACE.ORG
I have done my own investigation about it.

First, it's not Back Orifice, it's another fuck*** trojan, spread by a DCC
bot on EFnet (#warez950-dcc). When it's installed it requests 3 files on
Geocities! (configuration) Afterwards, the trojan starts an IRC session on
EFnet. The first channel was #^C^CHaVoC^B^B with a key; when they discovered
the presence of an intruder they changed the channel (#^_^_HaVoC^B^B). For
the last 1-2 weeks the channel has been empty, and when I start my (infected)
laptop I see, on the monitoring screen of my server, a connection to
Geocities that tries to retrieve a file and gets a 404 URL not found.

When a clone (Havoc calls an infected computer a "Drone") is connected to
IRC, anybody can control it with private message commands (.join #chan,
.part, .do [raw command]). 2-3 weeks ago the infected channel had about
500-700 drones (stable). My personal estimate of infected computers is
15000+. With 500 "clones" they can easily split an IRC server with the
command MOTD :irc.server.net (.do raw command).

To see if you are infected, do CTRL-ALT-DEL in Windows, and if you have a
process called OCE it's the Havoc trojan :] Remove it from your system
directory, usually c:\windows\system.

Samuel Cossette
-----Original Message-----
From: dbarba <dbarba@GEOCITIES.COM>
To: BUGTRAQ@NETSPACE.ORG <BUGTRAQ@NETSPACE.ORG>
Date: 2 October 1998 18:09
Subject: Internet Wide DOS Attack using IRC
> Please forward this on to the appropriate people if necessary.
>
> GeoCities is currently experiencing a DOS attack that appears to be
> spread by a trojan horse in a mIRC script.
>
> GeoCities is receiving thousands of HTTP requests from thousands of
> unique computers daily for a file that no longer exists on our servers.
> The specific count for one minute on Friday, September 25 at 10:17 am
> was 3,522 hits; 1,492 of them were from unique IP's. For the time period
> of 3 am to 10:17 am on 9/25 we had 3,562 unique IPs request this one
> file. It does not appear to be specifically requested by the user of
> that computer. This request uses no browser and is usually requesting
> the file every 30 seconds while the user is connected to the Internet.
> The requests are coming from around the world and have been slowly
> building up since at least August 18, 1998 (the farthest back our
> access logs go).
>
> The attack is requesting a file from our site:
>
> http://www.geocities.com/Area51/Stargate/5845/nfo.zip
>
> The complete content of the 5845 directory was: nfo.zip, nfo.jpg,
> servers.zip, servers.jpg, users.zip and users.jpg. When I looked at the
> binary files by doing a cat, the users jpg & zip files were the same,
> but the other files were all unique.
>
> It does not use a browser or store cookies. At the moment, the file
> being requested is of zero size. When there is a file of size
> (originally it was 8k, and I later inserted a short note to contact me
> regarding the attack into the nfo.zip file), the attack becomes much
> worse on the Windows machines that are requesting the file.
>
> Also, an odd note: there are a couple of machines that are requesting
> the file named nfo.jpg. Those are requested every minute instead of
> every 30 seconds.
>
> I have contacted a user that complained about GeoCities attacking him.
> In reality, his computer was asking for the nfo.zip file from us every
> 30 seconds, and that was flooding his connection to the internet. I
> have worked with him closely since he found the problem. He only uses
> IRC. In fact, the first time he visited our website is after the attack
> started, when he was looking for a contact name and number. He does not
> surf the internet. He has subsequently reinstalled his OS and that has
> completely stopped the attack.
>
> We did find an entry in his registry with the following setting:
>
> /microsoft/windowsexplorer/doc/find/spec/mru
> a) " "
> b) 5845
> c) nfo
> d) bo
> e) nfo.zip
> f) winrar
> g) msvbvm60.dll
> h) loadwc
> i) stargate
> j) area51
> mrulist) eadcbjihgf
>
> When the user deleted the registry entry, the attack from his machine
> went from 1 GET every 30 seconds to 1 GET every second. After about 10
> minutes, it started slowing up and finally settled into about 1 GET
> every 17-20 seconds.
>
> I also asked our ISP to help track some of this and this was their
> result. "All the IP's I've scanned so far from the log have several UDP
> ports open in the 31337 range (what Back Orifice uses)."
>
> So, we really need to find the source instead of asking everyone to
> reinstall their OS. It might also be necessary to inform the various
> virus-detection software vendors to try to eradicate this from all of
> the machines that currently have it installed.
>
> Thank you for your help,
>
> Debbie Barba
> SysAdmin
> dbarba@geocities.com
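Added example, not part of either message above: how a web server admin could pull the two figures the GeoCities report cites (hits and unique IPs for the polled path) out of access logs, and flag clients that fetch that path at a fixed ~30 s interval with no User-Agent, the pattern the report describes. The log lines, IPs and helper names are constructed for illustration; only the URL path comes from the report.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in Apache combined format (not real GeoCities logs):
# two hosts poll nfo.zip every ~30 s with no User-Agent, one host is a browser.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/1998:10:17:00 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.5 - - [25/Sep/1998:10:17:30 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.5 - - [25/Sep/1998:10:18:00 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:17:10 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:17:41 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:18:11 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.7 - - [25/Sep/1998:10:17:20 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 404 0 "http://www.geocities.com/" "Mozilla/4.0"
10.0.0.7 - - [25/Sep/1998:10:25:00 -0700] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse(log_text):
    """Yield one dict per well-formed combined-format line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def hits_for_path(log_text, path):
    """(total hits, unique client IPs) for one path, the figures in the report."""
    recs = [r for r in parse(log_text) if r["path"] == path]
    return len(recs), len({r["ip"] for r in recs})

def find_beacons(log_text, path, period=30, tolerance=3, min_hits=3):
    """Map IP -> median gap (s) for clients fetching `path` on a fixed period with no User-Agent."""
    times = defaultdict(list)
    for r in parse(log_text):
        if r["path"] == path and r["ua"] == "-":
            times[r["ip"]].append(r["time"])
    beacons = {}
    for ip, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_hits and abs(median(gaps) - period) <= tolerance:
            beacons[ip] = median(gaps)
    return beacons
```

The browser client 10.0.0.7 fetched the same path once, with a referer and a User-Agent, and is not flagged; only the two headless pollers are.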