[NTLUG:Discuss] Intrusion and Detection

Chris Cox cjcox at acm.org
Tue Dec 25 22:38:01 CST 2001


Kenneth Loafman wrote:
...
> It's been fun, not as much fun as taking apart viruses, but fun indeed.
> Glad the machine was not a primary.  Gives me time to dissect and
> examine.  Still trying to figure out what the goal of the attack was.  I
> think I'll have to take things apart piece by piece until I find out.
> It's not obvious.

Many times, the goal is to simply create a "drone" platform for
DDoS (Distributed Denial of Service) attacks.  Many denial of service
attacks require many machines to attack a particular system in order
to generate the desired effect.  Especially look for the IRC ports, like
6666 and 6667... if they're now open... check your firewall logs for
the IPs being used to contact your machine on those ports... my guess
is that you'll find several more boxes out there that are part of
the "drone" community (use whois tools to find out the admins of the
platforms, contact them so they can clean themselves up).

This is just an example of a common set of root kits I've seen.  Could
be others operating on different ports... and not necessarily for
the purpose of DDoS.
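The two checks suggested above (are the IRC ports now listening, and which remote IPs have been hitting them according to the firewall logs) as an added shell example; this is not code from the original post or its author. It assumes iptables-style LOG lines (`SRC=` / `DPT=` fields) and a socket listing in the column layout of `ss -Htln` or `netstat -tln`, where the local address is the fourth column; the log and socket samples below are constructed for the example.

```bash
#!/bin/sh
# Added example: triage a suspected IRC DDoS "drone" from firewall logs
# and the listening-socket table.  Not code from the original post.

# Constructed iptables LOG lines (not real data).  Two contacts from
# 10.0.0.5 to 6667, one from 172.16.9.3 to 6666, and an unrelated SSH hit.
SAMPLE_LOG='Dec 25 21:02:11 box kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=44123 DPT=6667 SYN
Dec 25 21:02:40 box kernel: IN=eth0 OUT= SRC=172.16.9.3 DST=192.168.1.10 LEN=60 TTL=51 PROTO=TCP SPT=51002 DPT=6666 SYN
Dec 25 21:03:05 box kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=44190 DPT=6667 SYN
Dec 25 21:04:19 box kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=192.168.1.10 LEN=60 TTL=48 PROTO=TCP SPT=39001 DPT=22 SYN'

# Constructed `ss -Htln` style listing (assumed column layout: local
# address is the 4th field, same position as in `netstat -tln`).
SAMPLE_SOCKETS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 0.0.0.0:6667 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*'

# irc_peers "<log text>" [port ...]
# Prints "SRC-IP count" for every source that sent TCP traffic to one of
# the given destination ports (default 6666 6667), busiest first.
irc_peers() {
    log="$1"; shift
    ports="${*:-6666 6667}"
    printf '%s\n' "$log" | awk -v ports="$ports" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /PROTO=TCP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && (dpt in want)) count[src]++
        }
        END { for (s in count) printf "%s %d\n", s, count[s] }
    ' | sort -k2,2nr -k1,1
}

# listening_on "<socket listing>" [port ...]
# Prints the local address:port of every listener on one of the given
# ports (default 6666 6667).  Feed it the output of `ss -Htln`.
listening_on() {
    listing="$1"; shift
    ports="${*:-6666 6667}"
    printf '%s\n' "$listing" | awk -v ports="$ports" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NF >= 4 {
            port = $4; sub(/.*:/, "", port)   # text after the last colon
            if (port in want) print $4
        }'
}

# Demo over the constructed samples.  On a real box you would use
#   irc_peers "$(grep 'kernel:.*DPT=' /var/log/messages)"
#   listening_on "$(ss -Htln)"
# and then run `whois <ip>` on each peer to find the admin to notify.
echo "Listeners on IRC ports:"
listening_on "$SAMPLE_SOCKETS"
echo "Peers that contacted IRC ports (ip count):"
irc_peers "$SAMPLE_LOG"
```

A drone usually both listens on an IRC-range port and makes outbound connections to its controller, so run `irc_peers` over the outbound (OUT=) log lines too if your firewall logs them; the function only keys on `SRC=` and `DPT=`, so it works unchanged for either direction.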




More information about the Discuss mailing list