PLEASE help! My system's have been compromized!!

Pontus Edvardsson pontus.edvardsson@bredband.net
Mon, 16 Jul 2001 01:20:58 +0200


That sounds interesting! How would I detect such traffic? Does all IRC traffic
use dedicated ports or does it differ somehow?

Thanks, Pontus

----- Original Message -----
From: "Andrew Meredith" <andrew@anvil.org>
To: <netfilter@lists.samba.org>
Sent: Monday, July 16, 2001 1:08 AM
Subject: Re: PLEASE help! My system's have been compromized!!


> > Pontus Edvardsson wrote:
> >
> > I just installed Nessus on a Debian 2.2r3 box and it almost immediately
> > found two trojans on my w2k box... Distributed attack tools
>
> You might also like to bear in mind that a number of these DDoS tools
> float in through email attached executables and other such loopholes.
> I am also given to understand that it is quite popular to control the
> implanted machine via IRC. As soon as the tool kicks off, it opens a
> connection to a hidden IRC channel and waits for instructions. Maybe you
> should scan for outgoing IRC connections. If you have no intention of
> using IRC yourself, you might even like to drop and log outgoing IRC
> connection setup packets.
>
> Cheers
>
> Andy M
>
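
Added example (not part of the original messages): one way to "drop and log outgoing IRC connection setup packets" with iptables, plus a helper that summarises the resulting kernel log lines per internal host. The chain name `IRC_OUT`, the `IRC-OUT: ` log prefix and the port list (the conventional 6660-6669 and 7000) are assumptions; IRC can run on any port, so a port match only covers the defaults.

```shell
#!/bin/sh
# Added example: print iptables commands that log and drop outgoing IRC
# connection setup (TCP SYN) packets. Nothing is applied by this script.

# Assumption: conventional IRC ports. A controller can listen on any port,
# so this catches only implants that use the defaults.
IRC_PORTS="${IRC_PORTS:-6660:6669,7000}"

irc_rules() {
    ports="${1:-$IRC_PORTS}"
    chain="IRC_OUT"   # hypothetical chain name
    # Dedicated chain: rate-limited LOG entry, then DROP.
    echo "iptables -N $chain"
    echo "iptables -A $chain -m limit --limit 6/minute --limit-burst 10 -j LOG --log-prefix \"IRC-OUT: \" --log-level 4"
    echo "iptables -A $chain -j DROP"
    # OUTPUT covers the firewall host itself, FORWARD the machines behind it.
    for hook in OUTPUT FORWARD; do
        echo "iptables -A $hook -p tcp --syn -m multiport --dports $ports -j $chain"
    done
}

# Read kernel log lines on stdin and print "<source address> <count>" for
# every host that tried to open an IRC connection.
irc_log_summary() {
    grep 'IRC-OUT: ' \
        | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | awk '{print $2, $1}'
}

# Print the rules for review; apply them as root with: irc_rules | sh
irc_rules
```

Any address reported by `irc_log_summary` on a network where nobody uses IRC is a host worth inspecting.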