List: dshield
Subject: [Dshield] So,
From: "Brenden Walker" <BKWalker () drbsystems ! com>
Date: 2006-05-17 13:00:33
Message-ID: D0252C90757CBC4B8BC938A72BEDDF9DEBEC51 () dsimail ! drbsystems ! com
Friend of mine got himself 'owned'... The IRC client was connecting to
a server on Sagonet.net, I'm passing along the IP address to them
although I see a lot of complaints related to Sagonet.

I'm guessing the FBI might be interested, just not sure the appropriate
channel to submit this to. I suspect the actual people aren't in the
U.S. though.

One interesting thing, the IRC server complains about no ident response
when I know I've got an ident daemon running and functioning properly
(tested with a few public servers that require identd). I'm guessing
these things use some other means/port.

This is the first one I've seen myself, it does a fine job of hiding the
process. I was able to get the PID via netstat, but of course Windows
couldn't get any further process information, name, etc... If I had
time I'd look into it further, as it stands he needed to get back up so
I told him to reinstall Windows...
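The symptom described in the post, a PID that shows up in `netstat` but has no matching entry in the process list, is a classic hidden-process indicator. The following is an added example, not code from the post or from the DShield list, that cross-checks constructed `netstat -ano` output against constructed `tasklist` output and flags connections whose owning PID is not visible, as well as established connections to common IRC ports. The sample outputs, the foreign addresses (RFC 5737 documentation ranges) and the `IRC_PORTS` set are all assumptions made for the example; the column layouts follow the standard Windows XP-era formats of those two commands.

```python
"""
Cross-check `netstat -ano` against `tasklist` on Windows to find
network connections owned by a PID that the process list does not show.
All sample output below is constructed for this example, not captured
from the incident described in the post.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed `netstat -ano` output. The 6667 line plays the role of the
# hidden IRC client; 203.0.113.7 is a documentation address, not the
# real server from the post.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1052      203.0.113.7:6667       ESTABLISHED     1536
  TCP    192.168.1.10:1060      198.51.100.20:80       ESTABLISHED     2204
  UDP    0.0.0.0:500            *:*                                    1104
"""

# Constructed `tasklist` output. PID 1536 is deliberately missing, which
# is what a process hidden from the standard process enumeration looks like.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    884 Console                    0      5,120 K
lsass.exe                     1104 Console                    0      3,900 K
firefox.exe                   2204 Console                    0     41,300 K
"""

# Assumed set of ports commonly used by IRC servers (plain and TLS).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which has no state column
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP (5 columns) and UDP (4 columns) rows of `netstat -ano`."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            conns.append(Conn(parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        elif len(parts) == 4 and parts[0] == "UDP":
            conns.append(Conn(parts[0], parts[1], parts[2], "", int(parts[3])))
    return conns


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` output; header rows do not match."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def remote_port(addr: str) -> Optional[int]:
    """Extract the port from 'host:port' (works for bracketed IPv6 too)."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def find_suspicious(netstat_text: str, tasklist_text: str) -> List[Tuple[Conn, List[str]]]:
    """Return (connection, reasons) for every connection worth a closer look."""
    procs = parse_tasklist(tasklist_text)
    findings: List[Tuple[Conn, List[str]]] = []
    for c in parse_netstat(netstat_text):
        reasons: List[str] = []
        if c.pid not in procs:
            # Either hidden from process enumeration or exited between the
            # two snapshots; take both listings back to back to reduce noise.
            reasons.append("PID absent from tasklist (hidden or exited process)")
        port = remote_port(c.remote)
        if c.state == "ESTABLISHED" and port in IRC_PORTS:
            reasons.append(f"established connection to IRC port {port}")
        if reasons:
            findings.append((c, reasons))
    return findings


if __name__ == "__main__":
    for conn, reasons in find_suspicious(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{conn.proto} {conn.local} -> {conn.remote} pid={conn.pid}")
        for r in reasons:
            print(f"    {r}")
```

On a live machine the two listings would be fed in from `netstat -ano` and `tasklist` run back to back; a PID that is absent from the process list but still owns a socket is the condition the post describes, and it is worth capturing the box (or at least the connection details) before the reinstall, since a rootkit that hides from `tasklist` may also hide from `netstat` on a later run.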