Mailinglist Archive: opensuse-security (757 mails)

RE: [suse-security] mirkforce
  • From: christian.burri@xxxxxxxxxx
  • Date: Mon, 28 Jan 2002 10:18:22 +0100
  • Message-id: <OFAF5710A3.E322E78E-ONC1256B4F.00330AE9@xxxxxxxxxx>

Mirkforce is **NOT** a virus, i.e., it doesn't replicate itself, it does not
Rather than that, mirkforce is a "clone flooder" type IRC client that will
heaps of virtual interfaces on your box and make clones join IRC through
them (it will typically try to load as many interfaces as possible in your
local class C subnet.)

I repeat: Mirkforce is NOT a virus. Don't spread false and inaccurate info,

Mirkforce may however be part of or contained in <insert your favorite
rootkit name here>


/v\ L I N U X
// \\ >I know KungFu!!<
/( )\

Delia Wakelin <d.wakelin@un
To: suse-security@xxxxxxxx
Cc:
Subject: [suse-security] mirkforce

recently received the message below.
Is mirkforce a problem for suse ?

We are currently dealing with an outbreak of hacked Linux boxes running

Mirkforce is an IRC virus, which is spreading rapidly. We are unsure as
how it propagates, but essentially once a hacked linux box launches the
software, it will fill all the ips not used of the network where the
computer is located (the /24) by creating virtual aliases on the main
interface. After it will just simulate x connections from each ip, and
target one or more irc servers and probably be used in some action
some users/channels.

Computers examined were rootkitted and some DDOS tools were installed
activated on it.

**PLEASE** search the linux servers on your network, and if you have
machines logging arp changes or else, try to find the server which
stole ips from other servers. This software is probably running only on
Linux (all the versions found were for Linux). Search the linux running
recently reported holed daemons (named, rpc, ftpd, etc..) and try to
suspicious accesses and to reinstall/remove useless daemons. Usually the
server hacked will be one of the not listed ones, it seems that the
mirkforce is not using the primary IP of the server hacked.

Output from the help of the software

./mIRKfORCE -h

mIRKfORCE 2.o [+0wnz] by ipLord, this copy is registred to haschmannen

usage: mIRKfORCE [options]

flag <arg> : explanation [default]
-i <interface> : Interface [eth0]
-t <secs> : h0st check timeout [7]
-h : This help (also try /help once inside)
-r : Remove all IPaliases created by mIRKfORCE
-v : Verbose mode, print common irceventz fer the klonez
-d : Debug mode (lotsa raw ircprintouts)

As always, these problems can be avoided by running properly patched and
secured machines.


Dr. Delia Wakelin Tel: 44 (0) 191 227 4958
Division of Psychology email mailto:d.wakelin@xxxxxxxxx
University of Northumbria www
Newcastle upon Tyne

To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx
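
Added example, not part of the original messages: one way to act on the forwarded advice to use ARP-change logs to find the host that took over unused or foreign IPs in a /24. It assumes arpwatch-style syslog lines; the sample log, the function name `find_alias_hoarders` and the threshold of 4 addresses per MAC are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in arpwatch's syslog style (not taken from a real host).
SAMPLE_LOG = """\
Jan 28 09:01:02 gw arpwatch: new station 192.168.7.10 0:10:5a:aa:bb:1
Jan 28 09:01:05 gw arpwatch: new station 192.168.7.20 0:10:5a:aa:bb:2
Jan 28 09:14:40 gw arpwatch: new station 192.168.7.101 0:50:4:de:ad:1
Jan 28 09:31:11 gw arpwatch: new station 192.168.7.102 0:50:4:de:ad:1
Jan 28 09:31:11 gw arpwatch: new station 192.168.7.103 0:50:4:de:ad:1
Jan 28 09:31:12 gw arpwatch: new station 192.168.7.104 0:50:4:de:ad:1
Jan 28 09:31:12 gw arpwatch: new station 192.168.7.105 0:50:4:de:ad:1
Jan 28 09:31:13 gw arpwatch: changed ethernet address 192.168.7.20 0:50:4:de:ad:1 (0:10:5a:aa:bb:2)
"""

EVENT = re.compile(
    r"arpwatch: (new station|new activity|changed ethernet address|flip flop) "
    r"(\d+\.\d+\.\d+\.\d+) ([0-9a-fA-F:]+)(?: \(([0-9a-fA-F:]+)\))?"
)

def norm_mac(mac):
    """arpwatch drops leading zeros in each octet; pad them back for comparison."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def find_alias_hoarders(log_text, threshold=4):
    """Report every (MAC, /24) pair that answers for `threshold` or more IPs.

    Grouping by MAC rather than by IP matters here: per the forwarded report,
    the clones do not use the primary IP of the compromised server.
    """
    claimed = defaultdict(set)  # (mac, /24) -> every IP seen behind that MAC
    stolen = defaultdict(set)   # (mac, /24) -> IPs previously held by another MAC
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        _event, ip, mac, old_mac = m.groups()
        key = (norm_mac(mac), str(ip_network(f"{ip}/24", strict=False)))
        claimed[key].add(ip_address(ip))
        if old_mac and norm_mac(old_mac) != key[0]:
            stolen[key].add(ip_address(ip))
    return {
        key: {"ips": [str(i) for i in sorted(ips)],
              "stolen": [str(i) for i in sorted(stolen[key])]}
        for key, ips in claimed.items() if len(ips) >= threshold
    }

if __name__ == "__main__":
    for (mac, net), info in find_alias_hoarders(SAMPLE_LOG).items():
        print(f"{mac} holds {len(info['ips'])} IPs in {net}; taken over: {info['stolen']}")
```

A legitimate router or load balancer can also answer for many addresses, so a flagged MAC is a lead to check against the inventory, not a verdict.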
