Mirkforce is **NOT** a virus, i.e., it doesn't replicate itself, it does not
"propagate".
Rather than that, mirkforce is a "clone flooder" type IRC client that will
load heaps of virtual interfaces on your box and make clones join IRC through
them (it will typically try to load as many interfaces as possible in your
local class C subnet).
I repeat: Mirkforce is NOT a virus. Don't spread false and inaccurate info,
please.
Mirkforce may however be part of or contained in <insert your favorite
rootkit name here>.
Cheers
Chris
Delia Wakelin, 28.01.2002 09:18
Cc:
Subject: [suse-security] mirkforce

Recently received the message below.
Is mirkforce a problem for suse?
-->
We are currently dealing with an outbreak of hacked Linux boxes running
"Mirkforce".
Mirkforce is an IRC virus, which is spreading rapidly. We are unsure as to
how it propagates, but essentially once a hacked Linux box launches the
software, it will fill all the unused IPs of the network where the computer
is located (the /24) by creating virtual aliases on the main interface.
After that it will just simulate x connections from each IP, and will target
one or more IRC servers and probably be used in some action against some
users/channels.
Computers examined were root kitted and some DDoS tools were installed and
activated on them.
**PLEASE** search the Linux servers on your network, and if you have some
machines logging ARP changes or else, try to find the server which suddenly
stole IPs from other servers. This software is probably running only on
Linux (all the versions found were for Linux). Search the Linux boxes running
recently reported holed daemons (named, rpc, ftpd, etc.) and try to find
suspicious accesses and to reinstall/remove useless daemons. Usually the
server hacked will be one of the not listed ones; it seems that the
mirkforce is not using the primary IP of the server hacked.
Output from the help of the software
./mIRKfORCE -h
mIRKfORCE 2.o [+0wnz] by ipLord, this copy is registred to haschmannen
usage: mIRKfORCE [options]
flag <arg> : explanation [default]
--------------------------------------------
-i <interface> : Interface [eth0]
-t <secs> : h0st check timeout [7]
-h : This help (also try /help once inside)
-r : Remove all IPaliases created by mIRKfORCE
-v : Verbose mode, print common irceventz fer the klonez
-d : Debug mode (lotsa raw ircprintouts)
As always, these problems can be avoided by running properly patched and
secured machines.
Regards,
--
Dr. Delia Wakelin Tel: 44 (0) 191 227 4958
Division of Psychology email mailto:d.wakelin@unn.ac.uk
University of Northumbria www http://www.unn.ac.uk/~evdw3
Newcastle upon Tyne
NE1 8ST
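
The check the forwarded notice asks for (find the server that suddenly answers for many addresses in the /24 and has taken IPs from other hosts), as an added example that is not part of the original thread. It compares two neighbour-table snapshots in `ip neigh show` format; the sample data, function names and threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample snapshots in `ip neigh show` format (not from the thread).
BASELINE = """\
192.0.2.10 dev eth0 lladdr 00:16:3e:00:00:0a REACHABLE
192.0.2.11 dev eth0 lladdr 00:16:3e:00:00:0b REACHABLE
192.0.2.12 dev eth0 lladdr 00:16:3e:00:00:0c STALE
"""
CURRENT = """\
192.0.2.10 dev eth0 lladdr 00:16:3e:00:00:0a REACHABLE
192.0.2.11 dev eth0 lladdr 00:16:3e:00:00:0b REACHABLE
192.0.2.12 dev eth0 lladdr 00:16:3e:00:00:0b REACHABLE
192.0.2.40 dev eth0 lladdr 00:16:3e:00:00:0b REACHABLE
192.0.2.42 dev eth0 lladdr 00:16:3e:00:00:0b REACHABLE
192.0.2.99 dev eth0  FAILED
"""

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries have no MAC to attribute
        mac = fields[fields.index("lladdr") + 1].lower()
        table[ipaddress.ip_address(fields[0])] = mac
    return table

def find_alias_hoarders(baseline, current, threshold=4):
    """Flag MACs answering for >= threshold IPs in one /24 (assumed cutoff)."""
    by_mac = defaultdict(set)
    for ip, mac in current.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_mac[(mac, net)].add(ip)
    findings = []
    for (mac, net), ips in sorted(by_mac.items(), key=lambda kv: kv[0][0]):
        if len(ips) < threshold:
            continue
        new = sorted(ip for ip in ips if baseline.get(ip) != mac)
        taken = sorted(ip for ip in new if ip in baseline)  # had another owner
        findings.append({"mac": mac, "net": str(net), "count": len(ips),
                         "new": [str(i) for i in new],
                         "taken": [str(i) for i in taken]})
    return findings

if __name__ == "__main__":
    for f in find_alias_hoarders(parse_neigh(BASELINE), parse_neigh(CURRENT)):
        print(f)
```

The MAC in a finding identifies the physical host to inspect, which matters here because the notice says the aliases do not include that host's primary IP.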