
Doze4: Difference between revisions

Comparing the revision as of 01:23, 6 August 2004 by Timwi (minor edit: "bold") with the revision as of 21:00, 6 August 2004 by RedWolf (minor edit: "Robot-assisted disambiguation: Portuguese").
Revision as of 21:00, 6 August 2004

Doze4 is an IRC drone, often left behind by script kiddies after a successful server crack. Once deployed, it seems to connect to BRASnet, waiting for commands from its owner. A typical use is for distributed denial-of-service attacks, sending the string "0123456789" over and over again to remote hosts; the program seems to have few other uses.

The source code for Doze4 does not seem to be readily available (only a Linux i386 binary is known); however, the program is small and does not appear to be encrypted, so disassembling it should be fairly easy given enough time and interest. The commands and help appear to be written in Portuguese, containing brief online help; the strings within the binary seem to claim Doze4 was written by a person with the alias "phyton".

Doze4 seems to be a generic "off-the-shelf" tool (which is probably why it has become popular among script kiddies), in that it does not require any recompilation or tweaking to work; once deployed, it can be customized via command-line parameters to attack any host on any given port, also with a claim of spoofing; however, it is not generally known what this spoofing means in practice, let alone if it works at all.

System administrators who find doze4 running on their own systems should use lsof to find out whom the program is attacking (if anyone), do whatever tracking work is needed to identify the hole the attacker used, and then kill off all doze4 processes as soon as possible.
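
The lsof step above, as an added example that is not part of the original article: a shell function that condenses lsof's machine-readable field output into one line per remote peer, so the control connection and any flood targets can be recorded before the processes are killed. The PID, addresses, ports and sample output are constructed, and matching on the command name doze4 assumes the binary was not renamed.

```shell
#!/bin/sh
# Added example: list the remote endpoints a suspect process is talking to.

# Reads `lsof -F pcPn` field output on stdin (one field per line, the first
# character is the field id) and prints "pid command proto remote count".
summarise_peers() {
    awk '
        /^p/ { pid = substr($0, 2); next }    # new process set
        /^c/ { cmd = substr($0, 2); next }    # command name
        /^f/ { proto = "?"; next }            # new file set: reset protocol
        /^P/ { proto = substr($0, 2); next }  # TCP or UDP
        /^n/ {
            name = substr($0, 2)
            i = index(name, "->")             # connected sockets: local->remote
            if (i == 0) next                  # listeners have no remote peer
            count[pid " " cmd " " proto " " substr(name, i + 2)]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample of lsof field output (not captured from a real host).
# The listener line is included only to show that it is skipped.
sample_lsof_output() {
    cat <<'EOF'
p4242
cdoze4
f3
PTCP
n192.0.2.10:40112->203.0.113.5:6667
f4
PUDP
n192.0.2.10:51000->198.51.100.7:80
f5
PUDP
n192.0.2.10:51001->198.51.100.7:80
f6
PTCP
n*:31337
EOF
}

# Live use, run as root so sockets of all users are visible:
#   lsof -nP -i -a -c doze4 -F pcPn | summarise_peers
# -n/-P skip DNS and port-name lookups; -a ANDs -i (network files) with -c.
if [ "${1:-}" = "--demo" ]; then sample_lsof_output | summarise_peers; fi
```

Save the output together with the process's owner and start time before killing anything, since the peer list is gone once the sockets close.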