Re: [nsp] UDP 1015

From: dhudson (dhudson@pilot.net)
Date: Tue Nov 14 2000 - 14:08:38 EST


Angelo Neacsu wrote:
>
> I get this on my logs:
>
> list 143 denied udp 192.168.102.1(1015) (Ethernet1/0 0060.520b.5a77) ->
> 255.255.255.255(1015), 726 packets
>
> Why ?
> Is this an attack from a spoofed IP ?
>
> ---
> Angelo Neacsu
> Mediafax
>
> "If you want to travel around the world and be invited to speak at a lot
> of different places, just write a Unix operating system."
> (By Linus Torvalds)

no, this is a trojan attempting to use bcast for a listener.

here's some info on the exploit...

Name:
         Doly Trojan
 Aliases:
 Ports:
         21, 1010, 1011, 1012, 1015, 1016, 2345
 Files:
         Doly1.2.zip - 3,977,753 bytes
         Doly135.zip - 5,942,944 bytes
         Doly15.zip - 4,348,735 bytes
         Doly16.zip - 2,627,852 bytes
         Doly_Trojan_v17.zip - 842,982 bytes
         Doly17_Server.zip - 172,912 bytes
         Doly2.0.zip -
         Send_to_victim.zip - 2,386,049 bytes
         Sen
 Created:
         April 1999
 Requires:
         Vbrun60.exe - is required to run Dhacker.exe.
 Actions:
         Remote Access / Keylogger / IRC trojan
         Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program.
 Versions:
         1.1, 1.2, 1.21, 1.3, 1.35, 1.5, 1.6, 1.7, 1.7 [SE], 2.0beta,
 Registers:
         HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
         HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
         HKEY_USER/.Default/Software/Marabilis/ICQ/Agent/Apps/
 Notes:
         Works on Windows 95 and 98. Dhacker.exe is a Doly 1.6 password cracker and Vbrun60.exe is only needed if you want to run it (written in Visual Basic 6). Paster Password for 1.6 and 1.7 is
 Country:
         written in Israel
 Program:
         Written in Visual Basic 6.

-- 

--------------------------------------------------- my lord tzu, running away is the first martial tao archery sifu to sun tzu ---------------------------------------------------
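
Added example, not part of the original post or thread: a small Python triage script that parses ACL log lines in the form quoted in the question and flags those whose destination port is in the Doly port list from the reply. The function names and the second and third sample lines are constructed for illustration.

```python
import re

# Ports from the Doly Trojan entry quoted in the reply above.
DOLY_PORTS = {21, 1010, 1011, 1012, 1015, 1016, 2345}

# ACL log body as quoted in the question; "(interface mac)" is assumed optional.
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) "
    r"(?:\((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) )?-> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_line(line):
    m = ACL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def triage(rec):
    """Reasons to inspect the sending host; a port match alone is a lead, not proof."""
    reasons = []
    if rec["dport"] in DOLY_PORTS:
        reasons.append("destination port is in the Doly port list")
    if rec["dst"] == "255.255.255.255":
        reasons.append("sent to the limited broadcast address")
    return reasons

def flagged(lines):
    out = []
    for line in lines:
        rec = parse_acl_line(line)
        if rec and triage(rec):
            out.append((rec["src"], rec["mac"], rec["dport"], rec["count"], triage(rec)))
    return out

SAMPLE = [
    # First line is from the question (wrapped line joined); the rest are constructed.
    "list 143 denied udp 192.168.102.1(1015) (Ethernet1/0 0060.520b.5a77) -> 255.255.255.255(1015), 726 packets",
    "list 143 denied udp 10.0.0.7(137) (Ethernet1/0 0000.0c12.3456) -> 10.0.0.9(137), 3 packets",
    "list 143 permitted tcp 10.0.0.5(40000) -> 10.0.0.9(80), 1 packet",
]

if __name__ == "__main__":
    for hit in flagged(SAMPLE):
        print(hit)
```

The MAC address returned with each hit is the frame's source as seen on the logged interface, which is the value to trace on that segment when locating the sending host.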



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:21 EDT