[Snort-users] mirkforce IRC attack

Max Vision vision at ...4...
Fri Mar 9 06:29:50 EST 2001


If anyone has a copy of the source code for this please let me know or
forward a copy.  All I have is an ELF binary called "mIRKfORCE-2" and a
stripped version called "mIRKfORCE-glibc-hardcorde-rel-2" that was
apparently compiled from "mIRKfORCE.c", which I don't have.  I obtained the
binaries in October 2000, but they seem to have been compiled in March 2000
(old!).

I didn't look at them until now because I thought they were Just Another
Bot.  Thanks for the heads up Andrew!

Thanks!
Max

On Thu, 8 Mar 2001, Andrew Daviel wrote:

> Just found an IRC attack tool "mirkforce" (see e.g.
> http://hackreport.magicnet.org/)
>
> The packet data is probably standard IRC "nick xxx", but the
> attack seems to spoof unoccupied addresses in a class C subnet and use an
> incrementing source port on the one machine.
>
> This is a bitch to find unless you have ARP logs, since the
> hacked machine does not use its own IP to connect to the target.
>
> 21:53:36.416252 aaa.bbb.ccc.12.1250 > xxx.yyy.112.62.6667: S 804647496:804647496(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
> 21:53:36.417145 aaa.bbb.ccc.13.1251 > xxx.yyy.112.62.6667: S 806447041:806447041(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
> 21:53:36.417517 aaa.bbb.ccc.18.1252 > xxx.yyy.112.62.6667: S 810980329:810980329(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
> 21:53:36.418059 aaa.bbb.ccc.19.1253 > xxx.yyy.112.62.6667: S 796980633:796980633(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF)
> 21:53:36.418609 aaa.bbb.ccc.20.1254 > xxx.yyy.112.62.6667: S 807981272:807981272(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF
>
>
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376
> security at ...524...
>
>

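The trace quoted above gives a detector two things to key on: source ports that climb by one across supposedly different source addresses, and TCP timestamp values that are nearly identical across them, both of which point to a single TCP stack. As an added example (not part of either post), the Python below flags such bursts in tcpdump text output; the function name, the thresholds and the sample capture are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump SYN line in the layout quoted above: time src.port > dst.port: S ... timestamp N
SYN_RE = re.compile(r"^\S+ (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
                    r"S .*?timestamp (?P<tsval>\d+)")

# Constructed sample capture (documentation address ranges, not data from the post).
SAMPLE = """\
21:53:36.416252 192.0.2.12.1250 > 198.51.100.62.6667: S 804647496:804647496(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
21:53:36.417145 192.0.2.13.1251 > 198.51.100.62.6667: S 806447041:806447041(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
21:53:36.417517 192.0.2.18.1252 > 198.51.100.62.6667: S 810980329:810980329(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
21:53:36.418059 192.0.2.19.1253 > 198.51.100.62.6667: S 796980633:796980633(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF)
21:53:36.418609 192.0.2.20.1254 > 198.51.100.62.6667: S 807981272:807981272(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF)
21:54:02.100001 203.0.113.5.40211 > 198.51.100.62.6667: S 11111:11111(0) win 32120 <mss 1460,sackOK,timestamp 88120331[|tcp]> (DF)
21:54:09.200002 203.0.113.9.1033 > 198.51.100.62.6667: S 22222:22222(0) win 32120 <mss 1460,sackOK,timestamp 5512[|tcp]> (DF)
21:54:30.300003 203.0.113.77.52344 > 198.51.100.62.6667: S 33333:33333(0) win 32120 <mss 1460,sackOK,timestamp 730044812[|tcp]> (DF)
21:55:11.400004 203.0.113.130.3120 > 198.51.100.62.6667: S 44444:44444(0) win 32120 <mss 1460,sackOK,timestamp 19334401[|tcp]> (DF)
""".splitlines()

def find_single_host_bursts(lines, min_sources=4, max_port_step=2, max_ts_spread=100):
    """Flag SYN groups where many sources in one /24 behave like a single TCP stack.
    All three thresholds are assumed defaults; tune them for the monitored network."""
    groups = defaultdict(list)
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            prefix = m["src"].rsplit(".", 1)[0]  # first three octets of the source
            groups[(prefix, m["dst"], int(m["dport"]))].append(
                (m["src"], int(m["sport"]), int(m["tsval"])))
    findings = []
    for (prefix, dst, dport), syns in groups.items():
        sources = {src for src, _, _ in syns}
        if len(sources) < min_sources:
            continue
        ports = [p for _, p, _ in syns]
        tsvals = [t for _, _, t in syns]
        # One host hands out ephemeral ports in sequence, in arrival order.
        sequential = all(0 < b - a <= max_port_step for a, b in zip(ports, ports[1:]))
        # Unrelated hosts have unrelated timestamp clocks; a tight spread means one clock.
        one_clock = max(tsvals) - min(tsvals) <= max_ts_spread
        if sequential and one_clock:
            findings.append({"src_prefix": prefix, "dst": dst, "dport": dport,
                             "sources": len(sources), "ports": (ports[0], ports[-1])})
    return findings

if __name__ == "__main__":
    for hit in find_single_host_bursts(SAMPLE):
        print(hit)
```

A hit only narrows the search to a /24 and a time window; tying the burst to a physical machine still takes the ARP logs Andrew mentions.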