HERE'S WHAT I KNOW, AND WHAT I'VE DONE

posted on Jun, 12 2003 @ 01:55 PM
It sounds like a zombie DoS attack. If it was in fact a zombie DoS attack, the person responsible will not be caught, ever.

Basically a zombie DoS attack is a multi-trojan-horse attack from several boxes infected with a trojan horse that are sent commands to flood a specified server. This is why the person would not be caught. I read about this a long time ago; it's very popular with teenage hackers, I believe.



posted on Jun, 12 2003 @ 02:06 PM
It's rather easy to do; I myself have rooted a few boxes, but finding that many random IPs takes work.



posted on Jun, 12 2003 @ 02:11 PM

Originally posted by David
It's rather easy to do; I myself have rooted a few boxes, but finding that many random IPs takes work.


It's just a matter of getting out your trojans to people, which through P2P is probably pretty simple these days.

The zombie programs are designed to automatically log into an IRC chat room where you can initiate commands for your attacks. It takes no skill whatsoever.



posted on Jun, 12 2003 @ 02:25 PM
I know exactly what they are, thanks.
The most common way of doing it is through IRC XDCC bots who log IPs and forward to the scanners, who scan the IPs using X-Scan; if no password is found, the person can manually root it or get a rooter with a root kit (which I have) to do it.



posted on Jun, 12 2003 @ 02:33 PM

Originally posted by Total Enslavement
It sounds like a zombie DoS attack. If it was in fact a zombie DoS attack, the person responsible will not be caught, ever.


After an audit of the 120 IPs last night, I'm certain this is part of it. I've also discovered another aspect of the attack I'd rather not post in a public thread. If you're interested, send me a U2U.

I've also found reference to "zombie spawners" that find unsuspecting n00bs in a busy channel and infect their computers. Since many of the DOS hits were on valid URLs (not just the IP), this fits the profile of such a method. Additionally, there have been specific instructions on how to inflict serious damage on servers running PHP/MySQL... it appears such instructions were at least partially followed.

But in any event, in retrospect, this was a rather ham-handed attempt to disrupt our little community. I suppose that's some form of compliment, for someone to be that passionate about disruption.


There are 3 IPs that surfed the site Monday morning as guests from normal ports (not higher IRC ports), hitting some of the exact URLs that were involved in the DOS. One is a dial-up, the other two are personal broadband connections. There may be clues to be found yet.
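As an added defensive illustration (not code from the thread or from ATS), here is the correlation the post above describes, run over constructed web-server log lines: find the minutes where request volume spikes, collect the URLs hit during them, and list the low-volume visitors who fetched those same URLs outside the flood. The log format, addresses and the flood threshold are assumptions.

```python
import re
from collections import Counter

# Constructed Apache-style access log (sample data, not the site's real logs):
# two guest visits on Monday morning, one junk line, then a flood of one URL
# from many hosts within a single minute.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Jun/2003:09:12:01 -0500] "GET /forum/thread.php?id=42 HTTP/1.1" 200 5120
203.0.113.22 - - [09/Jun/2003:09:40:33 -0500] "GET /forum/index.php HTTP/1.1" 200 9000
not a log line
192.0.2.10 - - [10/Jun/2003:03:00:01 -0500] "GET /forum/thread.php?id=42 HTTP/1.1" 200 5120
192.0.2.11 - - [10/Jun/2003:03:00:01 -0500] "GET /forum/thread.php?id=42 HTTP/1.1" 200 5120
192.0.2.12 - - [10/Jun/2003:03:00:02 -0500] "GET /forum/thread.php?id=42 HTTP/1.1" 200 5120
192.0.2.13 - - [10/Jun/2003:03:00:02 -0500] "GET /forum/thread.php?id=42 HTTP/1.1" 503 0
192.0.2.14 - - [10/Jun/2003:03:00:03 -0500] "GET /forum/thread.php?id=42 HTTP/1.1" 503 0
192.0.2.15 - - [10/Jun/2003:03:00:03 -0500] "GET /forum/thread.php?id=42 HTTP/1.1" 503 0
"""

# client IP, bracketed timestamp, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def parse(log):
    """Yield (ip, minute_bucket, path) for each well-formed line; skip junk."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, path, _status = m.groups()
            yield ip, ts[:17], path  # "09/Jun/2003:09:12" -> one bucket per minute


def find_scouts(log, flood_threshold=5):
    """Return (flood_urls, scout_ips).

    flood_urls: paths requested in any minute with >= flood_threshold requests.
    scout_ips:  hosts that fetched one of those paths outside the flood minutes
                and never took part in the flood itself (the "guests" worth a look).
    """
    events = list(parse(log))
    per_minute = Counter(bucket for _, bucket, _ in events)
    flood_minutes = {b for b, n in per_minute.items() if n >= flood_threshold}
    flood_ips, flood_urls = set(), set()
    for ip, bucket, path in events:
        if bucket in flood_minutes:
            flood_ips.add(ip)
            flood_urls.add(path)
    scouts = {ip for ip, bucket, path in events
              if bucket not in flood_minutes and path in flood_urls and ip not in flood_ips}
    return sorted(flood_urls), sorted(scouts)
```

On the constructed sample, the flooded URL is /forum/thread.php?id=42 and the only prior visitor of it outside the flood minute is 198.51.100.7; the index.php visitor is not flagged.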



posted on Jun, 12 2003 @ 02:36 PM

Originally posted by David
I know exactly what they are, thanks.
The most common way of doing it is through IRC XDCC bots who log IPs and forward to the scanners, who scan the IPs using X-Scan; if no password is found, the person can manually root it or get a rooter with a root kit (which I have) to do it.


No, we aren't talking about the same thing. You are talking about obtaining root on what sounds like a Linux box using a scanning/cracking method. I'm talking about trojan horse zombie programs aimed towards Windows boxes.

People looking to initiate DoS attacks using zombie technology aren't going to waste time trying to get into a Linux box to do so when it would be a cake walk doing it through Windows boxes.

Many home users now have high speed access to the internet and make perfect decoy attack boxes.

Understand what I am talking about now? Zombie Trojan Horse.



posted on Jun, 12 2003 @ 02:42 PM
Since you seem to know more about these kinds of actions, how can we ATS users defend our computers from being used against us?



posted on Jun, 12 2003 @ 02:47 PM
Rooting = Gaining total control of a computer.
And Advisor, all you need to do is set hard log-on passwords and generally keep off IRC.
I dislike the term trojan horse; it's more of a small door that they use to upload files to your computer (normally games or albums) and keep it hidden from you. You'll know if you're infected because you'll find it in the C:\Windows\System\ directory and you'll notice large parts of your hard drive and computer resources are disappearing with you doing nothing.



posted on Jun, 12 2003 @ 02:50 PM
A) Intro to IRC
IRC is a worldwide network of computers all set up for one purpose: communication. People can come to IRC to chat with friends or meet new people, or discuss hot topics such as politics, religion, or breaking news. Over recent years it has gained much fame, much of it due to popularity in the warez scene. Warez, simply defined, is the illegal downloading of copyrighted material. Groups which have access to pre-released games, are willing to sneak a camera into a theatre, or happened to beta test the newest Microsoft OS, are eagerly willing to digitize these formats and make them readily available on the internet for the masses. How does IRC fit into this? IRC is one meeting place people (deemed leechers) can come to congregate and download these files.

B) Intro to File Sharing
Ahhh.. the wonders of connecting to a server, finding a file, and downloading it. Sure is easier than going to Best Buy and buying the game (and usually quicker). So, what exactly is file sharing? Simply... sharing files. Large numbers of people connect to servers, where they are all "connected" to each other, to download files off others' hard drives. IRC has a file server feature, where people can connect, view files on your machine, and download whatever you give them access to. But there are also services such as Kazaa, BearShare, Napster, LimeWire, and many more where, when you search for a file, you're looking through everyone's computer at once. That is what it is all about. How is file sharing related to this article? Read on...


C) Intro to XDCC
Pay attention, this is where things pick up. XDCC revolutionized IRC. Many people now use IRC because of this new "XDCC" feature. What is it? Like a file server, yet automated. It will periodically list the files (usually 1-5 large files) in the channel (chat room) which it is hosting, for people to download. There is a program called Iroffer (1) which makes this even easier. It will (using the definitions in a configuration file you set up) connect to an IRC server, join a channel, and automatically list files. You can set bandwidth limits, max sends per person, and more, which will all be covered later.

You'll find p2p programs like Kazaa may automatically scan things for viruses.



posted on Jun, 12 2003 @ 02:51 PM
And something about X-Scan.

X-Scan
X-Scan (2) is a great program, no doubt. Using an upgradeable exploit database, multi-threaded scanning, and great stability, the author(s) have really delivered. For Windows, X-Scan can scan anything from POP3 vulnerabilities, cracking file sharing passwords, null passwords, to web server faults. When dealing with IRC XDCC hacking, though, many turn to one choice in particular: "NT-Server-Password". What this does is scan a large user-given range of IPs and check for file sharing. When it finds a Windows machine with file sharing enabled (port 139), it will get a NetBIOS table list of all usernames on that machine. This can be acquired manually also using the following command in DOS:
C:\winnt\system32\> nbtstat -A 127.0.0.1
Where 127.0.0.1 is any given IP with file sharing or NetBIOS. Back on track... Once it gets a list of all usernames for an IP, it will then check for weak passwords, or no passwords at all. Many people, when installing Windows 2000, NT, or XP, will forget the true essence of a password. It is highly critical that you set an Administrator password. For people that do not type in a password, this is where it will take advantage of you. It will send back to the attacker the following response:
[127.0.0.1]: Found NT-Server-Password: Administrator/[Blank password]
[127.0.0.1]: "NT-Server-Password" scan complete, Found 1.
Once they have this information, and you have file sharing enabled, consider yourself fully rooted. This "vulnerability" has been around for a long time, and is not Microsoft's fault, but user error for not supplying a password. Chances are definite that with a strong password, the program would not have guessed it, and moved on to the next IP. But no, you are a victim; your computer is now property of someone you don't even know.

"Fully Rooted"



posted on Jun, 12 2003 @ 02:53 PM
And the timeline of a hacker.

12:00am - Hacker opens X-Scan, and enters his range. Just so happens to be 2,550 IP addresses in the range, which covers an entire dorm subnet at a well known fast-backbone university.
12:30am - Scanning complete, hacker looks through the logs of X-Scan, looking for any Administrator accounts without a password, or User accounts without passwords.
12:31am - Dameware NT Utilities started up, hacker wants to connect to an IP found vulnerable.
12:32am - Hacker enters IP into Dameware, double clicks on Processes. Dameware asks for a username and password; the hacker connects as user "Marcy", and leaves the password field blank. Connection successful!
12:32am - Upon looking through the processes, the hacker notices that no firewall he or she recognizes is installed, and proceeds to set up the bat files for transfer to the remote machine.
12:35am - Since this machine is running Windows 2000, the hacker makes sure the bat file points to c:\winnt\ instead of c:\windows, and goes to his or her start menu, selects Run, then types \\IP\c$\winnt\system32 , where IP is the IP address found vulnerable.
12:36am - Eventually (file sharing is somewhat slow sometimes) the hacker sees the system32 folder of the victim's PC, and it looks like he is in a normal folder browsing on his or her own PC. Convenient hacking, isn't it, eh Microsoft? Using drag and drop, the hacker selects the files (.bat file to automate things, the files for Iroffer, and servu ftp) and drags them to the window of the victim's PC.
12:37am - Approx. 1 minute later (servu exec is around a meg, and the cygwin dll is close to a meg) the files are on the remote computer in c:\winnt\system32, job well done. But, now that the hacker has the files where they are supposed to be, the .bat file has to be run.
12:38am - A few seconds, and a command prompt later, the hacker simply types:
c:\winnt\> psexec \\IP c:\winnt\system32\inst.bat
Where again, IP represents the internet protocol address of the remote machine, and inst.bat is the bat file to run (can be named anything, as long as it ends with .bat). You may have noticed I didn't type -u Marcy to tell Dameware to connect as that user; well, in 2.B I stated that a pipe connection is made between you and that other machine once you connect the first time (Dameware), so no need to type it again, unless you or the other machine has been restarted since.
12:39am - And back over on IRC, people see "XDCCBOT-567 has joined #warezchannel"; at the same time the ftp is up and running, and the system is secured, if the hacker set it up that way in the .bat file. The bot joins the channel (Section 2.G) because the .bat launched FireDaemon, which created a service for Iroffer (and servu, but with a separate service name) on the computer, and then launched that service.
12:40am - Need to fill this computer with the newest movie to serve! Since the .bat file started the servu ftp server also, the hacker will just connect to the IP on the port he specified in servudaemon.ini, using the login and password he entered in there also (password encrypted). Now, the person will FXP files from one server to your victim machine.
1:10am - Movie complete! Time to rar it all up into one big file using rar.exe, then add a pack with Iroffer (9).
12:40 - Move on to next IP.

No, it's not that slow; I've seen people do one in 2 mins or under.



posted on Jun, 12 2003 @ 02:59 PM
Great information, hopefully those who don't have passwords will come up with some really tough ones.

Thanks for taking the time to help us secure ourselves.



posted on Jun, 12 2003 @ 03:01 PM
Np, chances are if you don't have an uber-fast modem then they won't care about you.
They're also scared of Norton and firewalls.



posted on Jun, 12 2003 @ 03:04 PM

Originally posted by ADVISOR
Since you seem to know more about these kinds of actions, how can we ATS users defend our computers from being used against us?


You need a firewall so you can filter packets and monitor what processes are accessing the internet. With a firewall you will be able to rule which processes you wish to allow access and which processes you wish to block. This wouldn't always work, because programmers can write software that would allow the trojan to hook onto another program on your computer like Internet Explorer or Outlook and bypass the firewall. I've never gotten one but I know it's possible. If that did happen you could still monitor traffic to see what is going on.

You need a virus scanner and need to keep it updated. Will a virus scanner detect everything? No, it will only detect what is known in its definition database. Having a virus scanner is a lot better than not having one.

The best means to protection is educating yourself on how your operating system runs and where to look if problems arise.

If you want to know more specifically what's going on in your box you can find some great freeware here:

Registry Monitor
Process Explorer
Port Monitor
etc...

www.sysinternals.com





[Edited on 12-6-2003 by Total Enslavement]



posted on Jun, 12 2003 @ 03:12 PM
Some wanted to know the way the power structure works, so here goes.

A.) Organization
Believe it or not, these people are highly organized. For people I have met as young as 12, and as old as in their upper 50s, they all act in the same mindset, keeping everything under control.

B.) Operators
The leaders of the group, the big dogs. These people recruit the small people. They run the channel, set meetings, coordinate who does what, what bots get what warez, etc.

C) Scanners
The scum. These people usually don't even have control over the channel; they are being used by the channel operators and hackers to get important information: which machines are vulnerable. These people don't usually even know the dangers of scanning, or that they can easily be seen doing a mass scan of an entire subnet by most administrators. All they do is scan constantly from their machines (or other hacked machines), and send the logs to the hackers.

D) Hackers
They don't even deserve to be called it, but it's legally what they are doing. These are the people that the scanners send the logs to. Once in their possession, they log into the machine, load the bot, start up the ftp server, secure it, and get out.

E) Fillers/couriers
This role may be undertaken by channel ops, or the hackers, or anyone else with access to a box with a fast connection, a dump site (usually a hacked machine with good uptime, tons of bandwidth, and tons of warez uploaded to it), or a topsite (legit sites hosted by some network admins to receive warez). They log into an ftp, then the hacked machine, and perform an FXP transfer, which is transferring from site to site. A common program to do this is FlashFXP, a legit program.

F) Leechers
The masses of people that join a channel (chat room) and download from the bots. They send a command to the bots, and the files are sent, or they are placed in a send queue. The channels are more powerful if they have more leechers in their channel (easily thousands of people).

I was a B, and I still am sometimes; I'm the chief whip, I kept people in line.



posted on Jun, 12 2003 @ 05:58 PM
www.nzherald.co.nz...

short article about recent banking attack


