
Re: El Cheapo Router Challenge

Link Logger: I shut down the victim system after noticing that it went into scan/attack mode, and having a little bit of time tonight I thought I would just take a quick look and see what bots I could find that had installed themselves on the unprotected system in the short time that I left it up.
C:\WINDOWS\System32\dfrgfat32.exe dfrgfat32.exe - infected by Backdoor.Win32.SdBot.afu
C:\WINDOWS\System32\msftp.exe msftp.exe - infected by Backdoor.Win32.SdBot.afu
C:\WINDOWS\System32\i - Trojan-Downloader.BAT.Ftp.ab
C:\WINDOWS\System32\winPE.exe winPE.exe - infected by Backdoor.Win32.Rbot.va
C:\WINDOWS\System32\USBhardware8.exe USBhardware8.exe - infected by Backdoor.Win32.Rbot.gen
C:\WINDOWS\System32\service.exe service.exe - infected by Backdoor.Win32.Rbot.ul
So you can see the system picked up at least 4 bots in about 2 hours. I didn't surf anywhere other than BBR once, which is safe; I don't have email, chat, P2P, whatever, so the only way these bots got onto the system was via network exploits, which the NAT devices were previously protecting the system from.
Blake
Link Logger: I should also comment that I did block outbound IRC traffic from the system when I pushed it onto the internet, otherwise it likely would have been much worse, as the botmasters would have installed even more malware than there was.
Blake
--
Vendor: Firewall Logging Software
www.SonicLogger.com - SonicWall and 3Com
www.LinkLogger.com - Linksys, Netgear and Zyxel
jvmorris: But did you see any outbound IRC traffic attempts in the logs from the system during that time interval?
--
Regards,
Joseph V. Morris
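The two checks the thread turns on are (a) what the scan listing actually says about how many distinct bots landed and (b) whether the firewall log shows the system trying to reach IRC. The following script is an added example, not code from the thread or from Link Logger: it parses scan lines in the "<path> <name> - infected by <signature>" shape shown above and counts distinct Backdoor.* signatures (several dropped files can belong to one bot), and it scans a constructed, generic firewall log format ("<date> <time> ALLOW|DROP TCP src:port -> dst:port", not Link Logger's real format) for outbound TCP attempts from the victim host to IRC ports. The victim address 192.168.1.50, the sample log lines and the IRC port set are all assumptions for illustration.

```python
"""Tally bot signatures from an AV scan listing and find outbound IRC attempts
in a firewall log. Added example; log format, host address and sample lines are
constructed for illustration and are not Link Logger output."""
import re
from collections import Counter

# IRC ports commonly used for bot command channels (assumption: 6667 is the
# registered IRC port; tune this set to what the firewall policy blocks).
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}

# Constructed log format: "<date> <time> <ACTION> <PROTO> src:sport -> dst:dport"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Scan listing format as shown in the thread: "... - infected by <signature>"
AV_RE = re.compile(r"infected by (?P<sig>\S+)$")


def parse_line(line):
    """Return a dict for a recognised firewall log line, or None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def outbound_irc_attempts(lines, victim):
    """TCP connections initiated by `victim` toward an IRC port, whether the
    firewall allowed or dropped them (a DROP is still an attempt worth seeing)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the scan
        if rec["proto"] == "TCP" and rec["src"] == victim and rec["dport"] in IRC_PORTS:
            hits.append(rec)
    return hits


def irc_destinations(lines, victim):
    """Attempts per remote host:port; repeated hits on one destination are the
    usual sign of a bot retrying its command channel."""
    return Counter(f"{r['dst']}:{r['dport']}"
                   for r in outbound_irc_attempts(lines, victim))


def backdoor_signatures(av_lines):
    """Distinct Backdoor.* signatures in a scan listing, counting signatures
    rather than files because one bot may drop several files."""
    sigs = set()
    for line in av_lines:
        m = AV_RE.search(line.strip())
        if m and m.group("sig").startswith("Backdoor."):
            sigs.add(m.group("sig"))
    return sorted(sigs)


# Constructed sample data (not real logs); 192.168.1.50 is the assumed victim.
SAMPLE_LOG = [
    "2005-03-12 22:14:01 DROP TCP 192.168.1.50:1043 -> 203.0.113.7:6667",
    "2005-03-12 22:14:03 DROP TCP 192.168.1.50:1044 -> 203.0.113.7:6667",
    "2005-03-12 22:15:10 ALLOW TCP 192.168.1.50:1045 -> 198.51.100.20:80",
    "2005-03-12 22:16:00 DROP TCP 192.168.1.50:1046 -> 203.0.113.9:7000",
    "2005-03-12 22:16:30 ALLOW TCP 198.51.100.5:3021 -> 192.168.1.50:445",
    "2005-03-12 22:17:00 ALLOW UDP 192.168.1.50:1047 -> 198.51.100.1:53",
    "this line is not a firewall record",
]

# The scan lines quoted in the thread, used as sample input.
SAMPLE_AV = [
    r"C:\WINDOWS\System32\dfrgfat32.exe dfrgfat32.exe - infected by Backdoor.Win32.SdBot.afu",
    r"C:\WINDOWS\System32\msftp.exe msftp.exe - infected by Backdoor.Win32.SdBot.afu",
    r"C:\WINDOWS\System32\i - Trojan-Downloader.BAT.Ftp.ab",
    r"C:\WINDOWS\System32\winPE.exe winPE.exe - infected by Backdoor.Win32.Rbot.va",
    r"C:\WINDOWS\System32\USBhardware8.exe USBhardware8.exe - infected by Backdoor.Win32.Rbot.gen",
    r"C:\WINDOWS\System32\service.exe service.exe - infected by Backdoor.Win32.Rbot.ul",
]

if __name__ == "__main__":
    print("distinct backdoor signatures:", backdoor_signatures(SAMPLE_AV))
    for dest, n in irc_destinations(SAMPLE_LOG, "192.168.1.50").items():
        print(f"outbound IRC attempts to {dest}: {n}")
```

Run against the thread's own scan lines the signature count comes out at four, matching the "at least 4 bots" estimate; on the constructed log the inbound port 445 connection and the DNS lookup are ignored, and only the three outbound attempts to IRC ports are reported.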