do any of you know where this is from

obi

NICK [GOV]-770762
USER uynjqq 0 0 :[GOV]-770762
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
:irc.foonet.com NOTICE AUTH :*** Found your hostname
:irc.foonet.com 001 [GOV]-770762 :Welcome to the ROXnet IRC Network
[GOV][email protected]
USERHOST [GOV]-770762
MODE [GOV]-770762 -x
JOIN #Government Agency0nly
:irc.foonet.com 002 [GOV]-770762 :Your host is irc.foonet.com, running
version Unreal3.2
:irc.foonet.com 003 [GOV]-770762 :This server was created Sat Jun 12 2004 at
18:31:45 BST
:irc.foonet.com 004 [GOV]-770762 irc.foonet.com Unreal3.2
iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT
:irc.foonet.com 005 [GOV]-770762 MAP KNOCK SAFELIST HCN MAXCHANNELS=10
MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307
:are supported by this server
USERHOST [GOV]-770762
MODE [GOV]-770762 -x
JOIN #Government Agency0nly
:irc.foonet.com 005 [GOV]-770762 WALLCHOPS WATCH=128 SILENCE=15 MODES=12
CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSMT
NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
USERHOST [GOV]-770762
MODE [GOV]-770762 -x
JOIN #Government Agency0nly
:irc.foonet.com 251 [GOV]-770762 :There are 1 users and 9007 invisible on 1
servers
:irc.foonet.com 252 [GOV]-770762 1 :operator(s) online
:irc.foonet.com 253 [GOV]-770762 7 :unknown connection(s)
:irc.foonet.com 254 [GOV]-770762 4 :channels formed
:irc.foonet.com 255 [GOV]-770762 :I have 9008 clients and 0 servers
:irc.foonet.com 265 [GOV]-770762 :Current Local Users: 9008 Max: 9990
:irc.foonet.com 266 [GOV]-770762 :Current
Global Users: 9008 Max: 9990
:irc.foonet.com 422 [GOV]-770762 :MOTD File is missing
:[GOV]-770762 MODE [GOV]-770762 :+iwx
:irc.foonet.com 302 [GOV]-770762
:[GOV][email protected]
:[GOV]-770762 MODE [GOV]-770762 :-x
:[GOV][email protected] JOIN :#Government
:irc.foonet.com 332 [GOV]-770762 #Government :^advscan lsass 100 5
0 -r -s -b
:irc.foonet.com 333 [GOV]-770762 #Government Gazza 1088167841
:irc.foonet.com 353 [GOV]-770762 * #Government :[GOV]-770762
:irc.foonet.com 366 [GOV]-770762 #Government :End of /NAMES list.
:irc.foonet.com 302 [GOV]-770762
:[GOV][email protected]
:irc.foonet.com 302 [GOV]-770762
:[GOV][email protected]
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PRIVMSG #Agent-Exploit :[lsass]: Exploiting IP: 65.6.242.56.
:irc.foonet.com 401 [GOV]-770762 #Agent-Exploit :No such nick/channel
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
NICK [GOV]-236528
USER ibvabam 0 0 :[GOV]-236528
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
:irc.foonet.com NOTICE AUTH :*** Found your hostname
:irc.foonet.com 001 [GOV]-236528 :Welcome to the ROXnet IRC Network
[GOV][email protected]
USERHOST [GOV]-236528




I found this information on my system....it's called debug.crf....I can open
it with notepad but cannot edit. I don't like the looks of the file and
cannot delete it...
 
NICK [GOV]-770762
USER uynjqq 0 0 :[GOV]-770762
[ chomp ]
PRIVMSG #Agent-Exploit :[lsass]: Exploiting IP: 65.6.242.56.
[ chomp ]

I found this information on my system....it's called debug.crf....I can open
it with notepad but cannot edit. I don't like the looks of the file and
cannot delete it...

It looks like your system is being used by someone to spread a backdoor
that exploits the lsass vulnerability :( . Get a firewall that blocks
outgoing connections immediately. ZoneAlarm, Sygate, Kerio, Norton and
many others will do.

Connect your PC to the internet only long enough to get the information
and software you need to clean this malware from your computer. Please
contact your ISP and seek any help that they may have. Show them the file
that you found.

The firewall is the first, most important thing because it prevents the
intruder from taking control of your machine. After the firewall is in
place, get the software to clean you up.

Software firewall links:
http://www.zonelabs.com/store/content/home.jsp
http://www.kerio.com/kpf_home.html
http://smb.sygate.com/products/spf/spf_ov.htm

Spyware detection and cleanup programs:
http://www.safer-networking.org/
http://vil.nai.com/vil/stinger/
http://www.lavasoftusa.com/software/adaware/

More useful info.:
http://www.claymania.com/safe-hex.html
http://www.sans.org/rr/papers/index.php?id=1298
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Please come back and tell us what malware created this file if you find
out.
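
Added example (not part of the original thread): a small Python triage pass over an excerpt of the log from the first post, with wrapped lines re-joined, that pulls out what a responder would note from such a file: the server, the nick the local client chose, keyed channel joins, channel topics that read as commands, and outbound messages naming an IP. The function names and the topic heuristic are assumptions made for this example.

```python
import re

# Excerpt of the log posted above, wrapped lines re-joined (sample assembled for this example).
SAMPLE = """\
NICK [GOV]-770762
USER uynjqq 0 0 :[GOV]-770762
:irc.foonet.com 001 [GOV]-770762 :Welcome to the ROXnet IRC Network
JOIN #Government Agency0nly
:irc.foonet.com 332 [GOV]-770762 #Government :^advscan lsass 100 5 0 -r -s -b
PING :irc.foonet.com
PONG :irc.foonet.com
PRIVMSG #Agent-Exploit :[lsass]: Exploiting IP: 65.6.242.56.
:irc.foonet.com 401 [GOV]-770762 #Agent-Exploit :No such nick/channel
"""

def parse(line):
    """Split one raw IRC line into (prefix, command, params)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return prefix, "", []
    return prefix, parts[0].upper(), parts[1:] + ([trailing] if sep else [])

def triage(log):
    """Collect signs that the host itself was acting as an IRC-controlled client."""
    out = {"servers": set(), "nicks": [], "keyed_joins": [], "topic_commands": [], "reports": []}
    for raw in log.splitlines():
        prefix, cmd, params = parse(raw.strip())
        if prefix and cmd.isdigit():
            out["servers"].add(prefix)                # numerics only come from a server
        if prefix is None and cmd == "NICK" and params:
            out["nicks"].append(params[0])            # nick chosen by the local client
        elif prefix is None and cmd == "JOIN" and len(params) >= 2:
            out["keyed_joins"].append((params[0], params[1]))      # channel plus key
        elif cmd == "332" and len(params) >= 3 and re.match(r"[^\w\s]\w+", params[2]):
            out["topic_commands"].append((params[1], params[2]))   # heuristic: topic reads as a command
        elif prefix is None and cmd == "PRIVMSG" and len(params) >= 2:
            m = re.search(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", params[1])
            if m:
                out["reports"].append((params[0], m.group()))      # outbound status naming an IP
    return out
```

Lines without a leading ":" are what the local machine sent, which is why the NICK, JOIN and PRIVMSG checks require an empty prefix.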
 
On that special day, obi, ([email protected]) said...
:irc.foonet.com 002 [GOV]-770762 :Your host is irc.foonet.com, running
version Unreal3.2
:irc.foonet.com 003 [GOV]-770762 :This server was created Sat Jun 12 2004 at
18:31:45 BST
:irc.foonet.com 004 [GOV]-770762 irc.foonet.com Unreal3.2

Are you running a server program, to host Unreal or similar shooter
games? If not, there is something *very* weird going on on your machine.


Gabriele Neukam

(e-mail address removed)
 
Gabriele Neukam said:
On that special day, obi, ([email protected]) said...
:irc.foonet.com 002 [GOV]-770762 :Your host is irc.foonet.com, running
version Unreal3.2
:irc.foonet.com 003 [GOV]-770762 :This server was created Sat Jun 12 2004 at
18:31:45 BST
:irc.foonet.com 004 [GOV]-770762 irc.foonet.com Unreal3.2

Are you running a server program, to host Unreal or similar shooter
games? If not, there is something *very* weird going on on your machine.

Looks like http://www.vulnscan.org/unreal.html to me.
 
Thanks for the help all of you...got the firewall and got the spyware...I
knew something wasn't right with that file...
Fik said:
On that special day, obi, ([email protected]) said...
:irc.foonet.com 002 [GOV]-770762 :Your host is irc.foonet.com, running
version Unreal3.2
:irc.foonet.com 003 [GOV]-770762 :This server was created Sat Jun 12 2004 at
18:31:45 BST
:irc.foonet.com 004 [GOV]-770762 irc.foonet.com Unreal3.2

Are you running a server program, to host Unreal or similar shooter
games? If not, there is something *very* weird going on on your machine.

Looks like http://www.vulnscan.org/unreal.html to me.
 
I found this information on my system....it's called debug.crf....I

And WHY DID YOU POST ALL OF IT instead of only the headers?
You're spamming. FWD to kill-file.
Horst.
 
I only posted a portion of it thank you....and it was a copy of what the
file had in it...not the file itself
 