AplusWebMaster
August 3rd, 2003, 10:36 PM
:( FYI...from Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
"...Backdoor.IRC.Cirebot is a threat which exploits the Microsoft DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to install a backdoor Trojan Horse on vulnerable systems. Backdoor.IRC.Cirebot consists of a Backdoor component, and a Hacktool component which installs the backdoor on systems which are vulnerable to the exploit.
Signs of infection: the existence of the files c:\rpc.exe, c:\rpctest.exe, or c:\lolx.exe.
Signs that a network is being attacked: traffic on port 445 to sequential IP addresses.
Signs that an attack has succeeded (allowing a remote shell and downloading of the backdoor): port 57005 open; an ftp connection on port 69..."
- See also this thread: http://www.wilderssecurity.com/showthread.php?t=11991;start=msg77483#msg77483.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
"...Backdoor.IRC.Cirebot is a threat which exploits the Microsoft DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to install a backdoor Trojan Horse on vulnerable systems. Backdoor.IRC.Cirebot consists of a Backdoor component, and a Hacktool component which installs the backdoor on systems which are vulnerable to the exploit.
Signs of infection: the existence of the files c:\rpc.exe, c:\rpctest.exe, or c:\lolx.exe.
Signs that a network is being attacked: traffic on port 445 to sequential IP addresses.
Signs that an attack has succeeded (allowing a remote shell and downloading of the backdoor): port 57005 open; an ftp connection on port 69..."
- See also this thread: http://www.wilderssecurity.com/showthread.php?t=11991;start=msg77483#msg77483.