'Re: Backdoor.coreflood infection'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       incidents
Subject:    Re: Backdoor.coreflood infection
From:       Jack McCarthy <lists () jackmccarthy ! com>
Date:       2003-09-05 17:53:25
[Download RAW message or body]

Well, now that makes sense.  My site is hosted by Interland and I saw strange
traffic going to beech-info2.com when loading my page.  I had about 10 other
things on my plate at that time, so I didn't spend much time on it.  We ended
up having 2 infected machines, my box and our Citrix box, which I also use.
Symantec corp edition found it (after the Sept 3 update) as backdoor.coreflood
and deleted it.  Any official postings/memos/news articles regarding this
exploit on Interland's servers?


-Jack




--- Joe Stewart <jstewart@lurhq.com> wrote:
> On Thursday 04 September 2003 02:05 pm, Reid Forrest wrote:
> > We've had three machines across multiple sites come up
> > with the backdoor.coreflood trojan today. NAV caught
> > them all, but I'm wondering how it got in. We block
> > .exe attachments.
> >
> > It's my understanding that this thing doesn't
> > propagate itself. One instance I can understand, but
> > three seemingly unrelated infections are puzzling.
> >
> > Is anyone else seeing this, or have any ideas?
> 
> It sounds like your users visited a site hosted at Interland last week
> and were hit by the IE exploit a hacker appended to the pages in an
> IFRAME. The description as backdoor.coreflood is misleading; the
> trojan you found was probably a proxy server, not an IRC bot. The
> proxy server shares a lot of base code with the coreflood IRC bot
> and uses the same style of DLL injection, but the functionality is 
> completely different.
> 
> -Joe
> 
> -- 
> Joe Stewart, GCIH 
> Senior Security Researcher
> LURHQ Corporation
> http://www.lurhq.com/
> 
> 
> ---------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
> October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
> technical IT security event.  Modeled after the famous Black Hat event in 
> Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
> Symantec is the Diamond sponsor.  Early-bird registration ends September
> 6.Visit us: www.blackhat.com
> ----------------------------------------------------------------------------
> 
> 
> 
> 


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic