
Steve, these are not IRC bots. I have worked with such. These are coming from direct IPs; I am sure these are dongles. IRC bots jump from one zombie to another depending on the networks that the herder has compromised.
./Chuks
On Thu, May 7, 2009 at 12:53 AM, Steve Muchai <smuchai@gmail.com> wrote:
On Wed, May 6, 2009 at 11:13 PM, chuks Jonia <chuksjonia@gmail.com> wrote:
If you haven't checked your logs, please do. A lot of guys are brute-forcing using dongles and gaining access to systems. Check http://lists.my.co.ke/pipermail/security/2009-May/000104.html
./Chuks
Seen this before, was a rootkit running on a poorly secured *nix box that was poorly secured.
Usually IRC bots, but could be different. At least was IRC then. The rootkit does the brute force attack and reports back to an IRC channel once it hits another box, then that can be used to relay spam, porn, warez...the works....and oh yes, another brute force attack.
BR, S
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
http://www.kamongo.co.ke/