Re: Exploiting a Worm

From: Craig Holmes (leusent@link-net.org)
Date: Wed Sep 14 2005 - 19:12:47 EDT


I agree that this is probably an IRCBot worm/virus of some type, though not
necessarily an agobot strain.

On Monday 12 September 2005 19:54, Ian Gizak wrote:
> Does anyone know a way to exploit this worm to get access to the system?

My advice would be to try and download the viral binary from the port that
you think is spitting it out. Set up a sandbox and run the binary on that
machine.

At that point you pretty much have two options. You could analyze the binary
and look for weaknesses (buffer overflows) and backdoors that could be used
to access the system through the worm. The second option would be to sniff
the IRC traffic generated, find the controlling channel, steal the password
from the handler (whoever is controlling these bots) and use the password to
control the bot that is installed on the system you wish to penetrate.

I am not sure about the legality of option 1, but option 2 is almost certainly
illegal. In either case you should try and report this botnet so that it is
shut down.

Craig




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:54 EDT