[Snort-users] mirkforce IRC attack

Max Vision vision at ...4...
Fri Mar 9 10:57:50 EST 2001


Hi,

I guess this is old news (I still want the source though if someone has
it) but I found a page that shows what the attack looks like from the irc
user's perspective, which I thought was interesting:
http://www.mandrax.eu.org/takeover-wiaraa.html

I also found another distribution version that may have been made by torn,
that also includes (in binary-only form still) a syn/udp flood program,
and includes 601 hardcoded nicks.  Anyone who wants to write a script to
turn that into 601 snort rules can now detect that distribution of
mirkforce!  heh. http://members.xoom.com/mcfzfiles1/files/mirkforce.tgz

By the way, I don't know how many of you irc, I pop in once in a long
while myself, but it's a total wasteland.  It's also ripe grounds for
being infected by live trojans if you're running windows.

Max

On Fri, 9 Mar 2001, Max Vision wrote:
> If anyone has a copy of the source code for this please let me know or
> forward a copy.  All I have is an ELF binary called "mIRKfORCE-2"  and
> stripped version called "mIRKfORCE-glibc-hardcorde-rel-2" that was
> apparently compiled from "mIRKfORCE.c" which I don't have.  I obtained the
> binaries October 2000, but they seem to have been compiled March 2000
> (old!)
>
> I didn't look at them until now because I thought they were Just Another
> Bot.  Thanks for the heads up Andrew!
>
> Thanks!
> Max
>
> On Thu, 8 Mar 2001, Andrew Daviel wrote:
>
> > Just found an IRC attack tool "mirkforce" (see eg.
> > http://hackreport.magicnet.org/)
> >
> > The packet data is probably standard IRC "nick xxx", but the
> > attack seems to spoof unoccupied addresses in a class C subnet and use an
> > incrementing source port on the one machine.
> >
> > This is a b1tch to find unless you have ARP logs, since the
> > hacked machine does not use its own ip to connect to the target
> >
> > 21:53:36.416252 aaa.bbb.ccc.12.1250 > xxx.yyy.112.62.6667: S
> > 804647496:804647496(0) win 32120 <mss 1460,sackOK,timestamp
> > 12453625[|tcp]> (DF)
> > 21:53:36.417145 aaa.bbb.ccc.13.1251 > xxx.yyy.112.62.6667: S
> > 806447041:806447041(0) win 32120 <mss 1460,sackOK,timestamp
> > 12453625[|tcp]> (DF)
> > 21:53:36.417517 aaa.bbb.ccc.18.1252 > xxx.yyy.112.62.6667: S
> > 810980329:810980329(0) win 32120 <mss 1460,sackOK,timestamp
> > 12453625[|tcp]> (DF)
> > 21:53:36.418059 aaa.bbb.ccc.19.1253 > xxx.yyy.112.62.6667: S
> > 796980633:796980633(0) win 32120 <mss 1460,sackOK,timestamp
> > 12453626[|tcp]> (DF)
> > 21:53:36.418609 aaa.bbb.ccc.20.1254 > xxx.yyy.112.62.6667: S
> > 807981272:807981272(0) win 32120 <mss 1460,sackOK,timestamp
> > 12453626[|tcp]> (DF
> >
> >
> > --
> > Andrew Daviel, TRIUMF, Canada
> > Tel. +1 (604) 222-7376
> > security at ...524...
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> >
>
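Added example, not code from this thread or from any of the posters: it puts the two detection ideas above into a small Python script. `find_spoofed_runs` parses tcpdump lines in the format Andrew quoted and flags a destination that receives SYNs from several "different" hosts in one class C with source ports counting up by one and near-identical TCP timestamps (the one-machine-spoofing-its-neighbours signature), and `nick_rules` is the nick-to-Snort-rule script Max suggests. The sample records are Andrew's five lines re-joined; the nick list, rule wording and SID range are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: Andrew's five SYN records, one per line (masked octets kept).
SAMPLE = """\
21:53:36.416252 aaa.bbb.ccc.12.1250 > xxx.yyy.112.62.6667: S 804647496:804647496(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
21:53:36.417145 aaa.bbb.ccc.13.1251 > xxx.yyy.112.62.6667: S 806447041:806447041(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
21:53:36.417517 aaa.bbb.ccc.18.1252 > xxx.yyy.112.62.6667: S 810980329:810980329(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
21:53:36.418059 aaa.bbb.ccc.19.1253 > xxx.yyy.112.62.6667: S 796980633:796980633(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF)
21:53:36.418609 aaa.bbb.ccc.20.1254 > xxx.yyy.112.62.6667: S 807981272:807981272(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF)
"""

SYN_RE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): S .*?timestamp (\d+)")

def parse_syns(text):
    """Yield (src_host, src_port, 'dst:port', tcp_timestamp) per SYN line."""
    for m in filter(None, map(SYN_RE.match, text.splitlines())):
        yield m.group(1), int(m.group(2)), m.group(3) + ":" + m.group(4), int(m.group(5))

def find_spoofed_runs(text, min_sources=4, max_ts_span=5):
    """Flag destinations hit by SYNs from several hosts in one /24 whose source
    ports count up by one and whose TCP timestamps nearly match: one machine
    spoofing idle neighbours, as Andrew describes."""
    by_dst = defaultdict(list)
    for src, sport, dst, ts in parse_syns(text):
        by_dst[dst].append((src, sport, ts))
    findings = []
    for dst, recs in by_dst.items():
        hosts = {r[0] for r in recs}
        prefixes = {h.rsplit(".", 1)[0] for h in hosts}
        ports = [r[1] for r in recs]
        span = max(r[2] for r in recs) - min(r[2] for r in recs)
        port_run = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        if len(prefixes) == 1 and len(hosts) >= min_sources and port_run and span <= max_ts_span:
            findings.append({"dst": dst, "prefix": prefixes.pop(), "hosts": len(hosts),
                             "ports": (ports[0], ports[-1]), "ts_span": span})
    return findings

def nick_rules(nicks, sid_base=1000001):
    """One Snort rule per hardcoded bot nick, matching the IRC NICK command sent
    to port 6667 (the script Max suggests for the 601 nicks; SIDs are placeholders)."""
    return ['alert tcp any any -> any 6667 (msg:"mirkforce nick %s"; '
            'content:"NICK %s"; nocase; sid:%d; rev:1;)' % (n, n, sid_base + i)
            for i, n in enumerate(nicks)]

if __name__ == "__main__":
    for f in find_spoofed_runs(SAMPLE):
        print("spoofed run toward %(dst)s from %(prefix)s.*: %(hosts)d hosts, "
              "sports %(ports)s, tcp timestamp span %(ts_span)d" % f)
    print("\n".join(nick_rules(["bot1", "bot2"])))  # constructed placeholder nicks
```

Without ARP logs the only thing that ties the five sources together is this on-wire pattern, which is why the check keys on port sequence and TCP timestamp rather than on the spoofed addresses themselves.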