[PLUG] More trojan info
Charlie Schluting
charlie at schluting.com
Tue Jun 24 09:53:01 UTC 2003
Stafford A. Rau wrote:
> * Stafford A. Rau <srau at rauhaus.org> [030622 08:14]:
>
>>Doing a "strings" on that executable shows conclusively that this is a
>>DDOS tool. Here are some of the relevant lines, and I hope this is
>>interesting for you all and not too off topic.
>
>
> I missed this identifier when I first looked at the strings info:
>
> sdbot 0.5b + SYN flood + loaded(1.0) by [sd]
> about
> sdbot 0.5b + SYN flood + loaded(1.0) ready. Up %dd %dh %dm.
>
> It seems that sdbot is fairly well known. Here's what Symantec has to
> say about it:
>
> Backdoor.Sdbot is a server component (bot) that the Trojan's creator
> distributes over the IRC channels. This Trojan Horse allows its creator
> to perform a wide variety of actions on a compromised computer.
>
> Thanks,
> --Stafford
>
Ya, port 6667 is IRC. So.. why are you using Windows 98? And not even
behind a firewall? And talking about how your winders box got hacked on
a Linux users group list? If you need to use Windows.. at least install
a version that isn't wide open for anyone to 0wn you (like 2k or XP ...
but you still have to configure properly).
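
The "strings" triage described in the quoted message, as an added example that is not part of the original thread: it extracts printable runs from a binary the way strings(1) does and flags the banner lines quoted above. The function names and the sample bytes are constructed for illustration; only the banner text comes from the thread.

```python
import re

# Indicator patterns taken from the strings quoted in the thread.
INDICATORS = {
    "sdbot_banner": re.compile(rb"sdbot \d+\.\d+\w*"),
    "syn_flood": re.compile(rb"SYN flood", re.I),
    "uptime_format": re.compile(rb"Up %dd %dh %dm"),
}

# Runs of at least 4 printable ASCII bytes, the default minimum in GNU strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob):
    """Yield (offset, raw_bytes) for each printable run in the blob."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.start(), m.group()


def triage(blob):
    """Return (offset, indicator_name, string) hits in file order."""
    hits = []
    for offset, text in extract_strings(blob):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((offset, name, text.decode("ascii")))
    return hits


# Constructed sample: the banner lines from the thread surrounded by
# non-printable filler, standing in for the real executable.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"sdbot 0.5b + SYN flood + loaded(1.0) by [sd]\x00"
    b"about\x00"
    b"sdbot 0.5b + SYN flood + loaded(1.0) ready. Up %dd %dh %dm.\x00"
    b"\xff\xfe\x01\x02kernel32.dll\x00"
)

if __name__ == "__main__":
    for offset, name, text in triage(SAMPLE):
        print(f"0x{offset:04x}  {name:14s} {text}")
```

The offset in each hit makes it easy to go back to the file with a hex viewer and see what sits next to the banner.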