Mailinglist Archive: opensuse-security (757 mails)

mirkforce
  • From: Delia Wakelin <d.wakelin@xxxxxxxxx>
  • Date: Mon, 28 Jan 2002 08:18:37 +0000 (GMT)
  • Message-id: <4affd1126ed.wakelin@xxxxxxxxx>

Recently received the message below.
Is mirkforce a problem for suse?


-->
We are currently dealing with an outbreak of hacked Linux boxes running
"Mirkforce".

Mirkforce is an IRC virus, which is spreading rapidly. We are unsure as
to how it propagates, but essentially once a hacked Linux box launches
the software, it will fill all the IPs not used of the network where the
computer is located (the /24) by creating virtual aliases on the main
interface. After that it will just simulate x connections from each IP,
and will target one or more IRC servers and probably be used in some
action against some users/channels.

Computers examined were root kitted and some DDoS tools were installed
and activated on them.

**PLEASE** search the Linux servers on your network, and if you have
some machines logging ARP changes or else, try to find the server which
suddenly stole IPs from other servers. This software is probably running
only on Linux (all the versions found were for Linux). Search the Linux
running recently reported holed daemons (named, rpc, ftpd, etc.) and try
to find suspicious accesses and to reinstall/remove useless daemons.
Usually the server hacked will be one of the not listed ones, it seems
that the mirkforce is not using the primary IP of the server hacked.

Output from the help of the software

./mIRKfORCE -h

mIRKfORCE 2.o [+0wnz] by ipLord, this copy is registred to haschmannen

usage: mIRKfORCE [options]

flag <arg> : explanation [default]
--------------------------------------------
-i <interface> : Interface [eth0]
-t <secs> : h0st check timeout [7]
-h : This help (also try /help once inside)
-r : Remove all IPaliases created by mIRKfORCE
-v : Verbose mode, print common irceventz fer the klonez
-d : Debug mode (lotsa raw ircprintouts)


As always, these problems can be avoided by running properly patched and
secured machines.

Regards,

--
Dr. Delia Wakelin Tel: 44 (0) 191 227 4958
Division of Psychology email mailto:d.wakelin@xxxxxxxxx
University of Northumbria www http://www.unn.ac.uk/~evdw3
Newcastle upon Tyne
NE1 8ST
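
The advisory's ARP hint (find the host that suddenly answers for many addresses in its /24, or that took over addresses from other servers) can be checked mechanically. The following is an added example, not part of the original message or of any tool it mentions; the input format, the threshold and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample observations, one per line: "<unix time> <ip> <mac>".
# Hypothetical export format from whatever ARP logger you run; not real data.
SAMPLE = """\
1012205000 192.0.2.10 00:11:22:33:44:10
1012205000 192.0.2.20 00:11:22:33:44:20
1012205000 192.0.2.30 00:11:22:33:44:30
1012205900 192.0.2.30 00:11:22:33:44:20
""" + "".join(
    f"1012205900 192.0.2.{h} 00:11:22:33:44:20\n" for h in range(100, 140)
)

ALIAS_THRESHOLD = 8  # assumed cut-off: addresses per MAC per /24 before alerting


def analyse(text, threshold=ALIAS_THRESHOLD):
    """Return (hoarders, takeovers) from ARP observations replayed in time order.

    hoarders:  {(mac, /24): [ips]} where one MAC holds more than `threshold` IPs.
    takeovers: [(ip, old_mac, new_mac)] where an IP moved to a different MAC.
    """
    owner = {}                # ip -> MAC that last claimed it
    held = defaultdict(set)   # (mac, /24) -> addresses currently claimed
    takeovers = []
    rows = sorted((l.split() for l in text.splitlines() if l.strip()),
                  key=lambda r: int(r[0]))
    for _ts, ip_s, mac in rows:
        ip = ipaddress.ip_address(ip_s)
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        mac = mac.lower()
        old = owner.get(ip)
        if old and old != mac:            # address "stolen" from another host
            takeovers.append((str(ip), old, mac))
            held[(old, net)].discard(ip)
        owner[ip] = mac
        held[(mac, net)].add(ip)
    hoarders = {(mac, str(net)): [str(i) for i in sorted(ips)]
                for (mac, net), ips in held.items() if len(ips) > threshold}
    return hoarders, takeovers


if __name__ == "__main__":
    hoarders, takeovers = analyse(SAMPLE)
    for (mac, net), ips in hoarders.items():
        print(f"{mac} answers for {len(ips)} addresses in {net}")
    for ip, old, new in takeovers:
        print(f"{ip} moved from {old} to {new}")
```

Hosts that legitimately carry many addresses (routers, load balancers, virtual hosting boxes) will also exceed the threshold and need an allow-list.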


