Eggdrop Attacks Credit Card Company

A cracker apparently compromised and installed a bot that could be used as a DDoS client on several hundred servers belonging to customers of a large credit card processing company.

CCBill LLC late last month said in an e-mail message sent to customers that the companys security had been breached and that customer passwords and user names had been exposed during the attack. The company, based in Tempe, Ariz., processes online credit card transactions.

The attack was first disclosed in SecurityFocus.coms Incidents mailing list in several posts by the owner of a Web hosting company that deals with CCBill.

According to posts by Dayne Jordan of CompleteWeb, Jordan discovered the attack after one of his customers complained that someone had hacked one of its servers and installed a bot known as “Eggdrop.”

Jordan checked his companys servers and found six compromised boxes. He then checked with several other hosting companies that were CCBill customers; all of them had compromised servers.

Some CCBill customers sent CCBill their user names and passwords so that company representatives could log in remotely and update scripts and other software needed to process transactions. These log-ins are typically done via Telnet or SSH.

In the e-mail to customers, CCBill CEO Ron Cadwell said that the compromised customer servers were running either Unix or Linux. Cadwell encouraged customers to change their user names and passwords and scan their machines for the Eggdrop client. He also said CCBill had corrected the problem and that no other systems were compromised.

Cadwell said that only “a minimal percentage” of CCBills customer servers were compromised. But Jordan reported counting 1,200 Eggdrop bots in an IRC (Internet Relay Chat) chat room awaiting instructions.

The Eggdrop program is a well-known bot favored by thousands of IRC users. Like many bots, it was designed as a means of protecting private IRC channels and preventing other users from usurping them. However, crackers and script kiddies install bots on compromised machines for use in DDoS (distributed-denial-of-service) attacks. Eggdrop isnt often used in this capacity, though, said one DDoS expert, which may mean the cracker had other intentions.

“Eggdrop is a pretty popular bot because it seems to be one of the easier ones to configure,” said Dave Dittrich, senior security engineer at the University of Washington, in Seattle, and a widely recognized authority on DDoS attacks. “Its not used much in attacks. If he was looking to use it for an attack, putting that many bots on one network isnt the smartest way to do it. You would lose the whole network rather easily if the company finds the problem, which they did.”