
Someone installed this bot on my computer - HELP!

Jolly


Post by Jolly »

Today I started up my computer and saw a DOS window flash something about eggdrop. I use tcp viewer and find a process (server.exe) connecting to an IRC network. I take a look at the program and find this bot running.

Can anyone help me understand eggdrop so I know whose bot it is, where it's connecting to, etc.?

Jolly
Dedan
Master
Posts: 260
Joined: Wed Jul 09, 2003 10:50 pm
Location: Memphis

Post by Dedan »

This is your home computer running a nix OS?
I once was an intelligent young man, now I am old and I cannot remember who I was.
bobjuh
Master
Posts: 268
Joined: Wed Oct 03, 2001 8:00 pm
Location: Netherlands

Post by bobjuh »

Dedan wrote: This is your home computer running a nix OS?
He said he saw a DOS box flashing by.
My guess is he's on Windows ;)
Dedan
Master
Posts: 260
Joined: Wed Jul 09, 2003 10:50 pm
Location: Memphis

Post by Dedan »

flash something about eggdrop
Sounds like a zombie bot, but he says eggdrop.
I once was an intelligent young man, now I am old and I cannot remember who I was.
bobjuh
Master
Posts: 268
Joined: Wed Oct 03, 2001 8:00 pm
Location: Netherlands

Post by bobjuh »

Dedan wrote:
flash something about eggdrop
sounds like a zombie bot , but he says eggdrop
I've heard stories about Windows where mysteriously installed eggdrops were running, so it couldn't be possible.
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

What flavour of Windows are you running?

You only have the ability to hide the DOS box by running it as a service on 2K and XP machines.

I would advise you review your service list to see if you can locate the offending service.

When and if you find this, it would be wise to paste the command line it is trying to start. With this, we can help give you further instructions.
Jolly

Post by Jolly »

Correct, I'm on Windows. It appears to be using Cygwin to run it under Windows. From what I saw, the DOS box I saw originally was used to install it into my c:\windows\system32\spool\ - something directory; I don't remember the rest, as I'm not at home right now.

It starts up via a registry key: hklm\software\microsoft\windows\currentversion\run

The program name is system.exe.
I have all the configuration files from eggdrop; from my understanding it wants to connect to irc.blackbox.uk, though that IRC server seems to be dead, and it connects to an alternate server.
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

Windrops only need the eggdrop executable, the Cygwin DLL and a config file to run (though channel and user files will then be created).

Simply deleting these 5 files and the starting entry in the registry should be enough.

You may wish to do a virus scan on your system. I have just seen a hacked Windows binary for a popular FTP server (open source, Windows compiled) that downloaded and installed an XDCC bot.

You may be suffering from similar symptoms.
Jolly

Post by Jolly »

Sure, I know how to stop it from running again; that's not too hard. What I want to know is how to read the config files that eggdrop uses, so I can find out the server it wants to connect to, the channel, the password it uses, etc. I must not be the only person out there who has had this happen, and I'd love to try and track them down.
|Midnight|

Post by |Midnight| »

Seems that someone exploited your machine to run a Floodbot...
Jolly

Post by Jolly »

Quite likely, but all the same, can anyone help me read its config files, find out more about it, etc.?
gumbydammit
Master
Posts: 311
Joined: Thu Sep 05, 2002 4:52 pm
Location: Canada

Post by gumbydammit »

Well, a typical bot will have .conf, .user and .chan files with information. I suggest you search for its .conf file, and that could be a chore: it will not necessarily be a .conf; more than likely, if it's trying to hide, it won't be. But the other filenames will be listed in it.
a.k.a. hellios
Sn1p3

Post by Sn1p3 »

What I would do, if you have a proxy or vhost, is close the file. Get Ethereal (do a Google search). Start packet sniffing in Ethereal. Then load the file. Give it about 15 seconds, stop Ethereal's packet sniffing and close the file. Look through Ethereal for IRC. You will see the channel it joins and everything. If there are config files in or around the folder it would be easier that way.
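To show what the capture approach above actually reveals, here is an added example (not code from the thread or from eggdrop): a small RFC 1459 message parser run over a constructed client-to-server and server-to-client IRC stream of the kind Ethereal would reassemble from a bot's connection. The hostnames, nick, channels, password and the "!identify" command are all invented for the example; `summarize_session` is a hypothetical helper name.

```python
# Constructed IRC payloads, as they would appear once the TCP stream is
# reassembled in a capture. Not a real capture; every value is invented.
CLIENT_STREAM = (
    "PASS secretpass\r\n"
    "NICK Sys32Bot\r\n"
    "USER eggdrop eggdrop irc.example.invalid :/msg Sys32Bot hello\r\n"
    "JOIN #flood-example\r\n"
    "JOIN #second\r\n"
    "PRIVMSG #flood-example :need op\r\n"
)
SERVER_STREAM = (
    ":irc.example.invalid 001 Sys32Bot :Welcome to the Internet Relay Network\r\n"
    ":someop!op@host.example.invalid PRIVMSG #flood-example :!identify\r\n"
    ":Sys32Bot!eggdrop@client.invalid JOIN :#flood-example\r\n"
)


def parse_irc_line(line):
    """Split one IRC message into (prefix, command, params) per RFC 1459:
    optional ':prefix', a command, space-separated params and an optional
    ':trailing' param that may contain spaces."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    params = line.split()
    command = params.pop(0) if params else ""
    if trailing is not None:
        params.append(trailing)
    return prefix, command.upper(), params


def summarize_session(client_stream, server_stream):
    """Pull out what a responder wants from the two directions of the
    connection: server name (from the 001 welcome), server password, nick,
    channels joined, and any '!command' lines the bot received in channel."""
    report = {"server": None, "password": None, "nick": None,
              "channels": [], "commands_seen": []}
    for raw in client_stream.split("\r\n"):
        if not raw:
            continue
        _, cmd, params = parse_irc_line(raw)
        if cmd == "PASS" and params:
            report["password"] = params[0]
        elif cmd == "NICK" and params:
            report["nick"] = params[0]
        elif cmd == "JOIN" and params:
            for chan in params[0].split(","):  # JOIN accepts a comma list
                if chan not in report["channels"]:
                    report["channels"].append(chan)
    for raw in server_stream.split("\r\n"):
        if not raw:
            continue
        prefix, cmd, params = parse_irc_line(raw)
        if cmd == "001" and prefix:
            report["server"] = prefix
        elif cmd == "PRIVMSG" and len(params) == 2 and params[1].startswith("!"):
            sender = prefix.split("!")[0] if prefix else "?"
            report["commands_seen"].append((sender, params[0], params[1]))
    return report


if __name__ == "__main__":
    for key, value in summarize_session(CLIENT_STREAM, SERVER_STREAM).items():
        print(f"{key}: {value}")
```

In a real capture you would feed the parser the "Follow TCP Stream" text of the bot's connection instead of the constructed strings; the PASS, NICK and JOIN lines are sent in the clear, which is why the sniffing approach works even when the config file has been renamed.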
TwoSheds88

Post by TwoSheds88 »

I saw something on grc.com about some script kiddie that DoSed him with little programs that connect to an IRC server.

He infected hundreds of internet users with them, and they all connected to this one channel.
The grc.com guy, Steve Gibson, managed to get into this channel by decompiling the programs and he saw that the script kiddie was typing a command, such as !identify, and they were all responding with things. He could then type other commands to make them attack servers.

He did just this and attacked the grc.com server because Gibson had referred to script kiddies as script kiddies in one of his articles.

Maybe you have something along these lines? This guy had written a program that connects to IRC, but eggdrop would be powerful enough to do everything that it could do with an addon module of some kind, and since eggdrop has all the IRC connection stuff already it would make life easier.

full article > http://grc.com/dos/drdos.htm

TwoSheds

Edit: they have changed that page, and I am not even sure if it is the right one.
BarkerJr
Op
Posts: 104
Joined: Sun Mar 30, 2003 1:25 am

Post by BarkerJr »

The configuration file should either be named eggdrop.conf or it should be listed in the start parameters for the service.
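Jolly asked several times how to read the config files to find the server, channel and password, and gumbydammit and BarkerJr point out that the .conf names the other files. As an added example (not code from the thread or from the eggdrop project), here is a small parser for the Tcl-style `set name value`, `channel add`, `listen` and `logfile` statements found in an eggdrop 1.6-era config, run over a constructed sample; the nick, hostnames, channels, password and file names in the sample are invented, and `parse_eggdrop_conf` / `referenced_files` are hypothetical helper names.

```python
import re

# Constructed sample in the style of an eggdrop 1.6 config file (Tcl syntax).
# Every value here is invented for the example; none comes from a real find.
SAMPLE_CONF = r'''
# eggdrop config (constructed sample)
set username "eggdrop"
set admin "nobody <email: nobody@example.invalid>"
set nick "Sys32Bot"
set altnick "Sys32Bot_"
set owner "someop"
set servers {
  irc.example.invalid:6667
  irc2.example.invalid:7000:secretpass
}
channel add #flood-example {
  chanmode "+nt"
  need-op { putserv "PRIVMSG #flood-example :need op" }
}
channel add #second {
  chanmode "+nt"
}
set userfile "system.user"
set chanfile "system.chan"
logfile mco * "system.log"
listen 3334 all
loadmodule server
'''

SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*)$", re.S)
CHAN_RE = re.compile(r"^\s*channel\s+add\s+(\S+)", re.S)
LISTEN_RE = re.compile(r"^\s*listen\s+(\d+)\s+(\S+)", re.S)
LOGFILE_RE = re.compile(r'^\s*logfile\s+\S+\s+\S+\s+"?([^"\s]+)"?', re.S)


def _statements(text):
    """Yield one Tcl statement at a time, joining physical lines until the
    curly braces balance so multi-line {...} values stay together.
    Comment-only and blank lines outside a brace block are skipped."""
    buf, depth = [], 0
    for raw in text.splitlines():
        stripped = raw.strip()
        if depth == 0 and (not stripped or stripped.startswith("#")):
            continue
        buf.append(raw)
        depth += raw.count("{") - raw.count("}")
        if depth <= 0:
            yield "\n".join(buf)
            buf, depth = [], 0
    if buf:  # unterminated block at end of file: return what we have
        yield "\n".join(buf)


def _unquote(value):
    """Strip one layer of Tcl quoting, either "..." or {...}."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) >= 2 and value[0] == "{" and value[-1] == "}":
        return value[1:-1].strip()
    return value


def parse_eggdrop_conf(text):
    """Collect what a responder wants from the config: all `set` values
    (nick, owner, file names), the server list as host/port/password,
    channels the bot joins, listen ports and log files."""
    info = {"settings": {}, "servers": [], "channels": [],
            "listen_ports": [], "logfiles": []}
    for stmt in _statements(text):
        m = SET_RE.match(stmt)
        if m:
            name, value = m.group(1), _unquote(m.group(2))
            info["settings"][name] = value
            if name == "servers":
                for entry in value.split():
                    parts = entry.split(":", 2)  # host[:port[:password]]
                    has_port = len(parts) > 1 and parts[1].isdigit()
                    info["servers"].append({
                        "host": parts[0],
                        "port": int(parts[1]) if has_port else 6667,
                        "password": parts[2] if len(parts) > 2 else None,
                    })
            continue
        m = CHAN_RE.match(stmt)
        if m:
            info["channels"].append(m.group(1))
            continue
        m = LOGFILE_RE.match(stmt)
        if m:
            info["logfiles"].append(m.group(1))
            continue
        m = LISTEN_RE.match(stmt)
        if m:
            info["listen_ports"].append((int(m.group(1)), m.group(2)))
    return info


def referenced_files(info):
    """Files the bot reads or writes besides the config itself; worth
    copying off for the record before anything is deleted."""
    files = [v for k, v in info["settings"].items()
             if k in ("userfile", "chanfile", "notefile", "pidfile")]
    return files + list(info["logfiles"])


if __name__ == "__main__":
    found = parse_eggdrop_conf(SAMPLE_CONF)
    print("nick:", found["settings"].get("nick"), "owner:", found["settings"].get("owner"))
    for s in found["servers"]:
        print("server:", s["host"], s["port"], "(password set)" if s["password"] else "")
    print("channels:", found["channels"])
    print("listen ports:", found["listen_ports"])
    print("files:", referenced_files(found))
```

Because the config is plain Tcl, a renamed .conf is still recognisable by its `set nick`, `set servers` and `channel add` lines, so grepping the suspect directory for those strings is a quick way to find the file gumbydammit describes before running the parser on it.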