dokas at cs.umn.edu
Mon Jan 28 22:46:38 GMT 2002
Just a heads up. We've been seeing more than a few Solaris machines
that appear to be infected with a variant of what looks like
Basically, all of the infected machines appear to have been infected
via the CDE subprocess control daemon (dtspcd) on 6112/TCP.
A new version of the dtspcd daemon is put into place in /usr/dt/bin/dtspcd
along with /usr/dt/bin/mhosts.h, a new version of /usr/bin/login
and /usr/bin/pico. And, at least one of the hacked machines that
I've seen also had /dev/ttyp and appeared to have a full rootkit installed.
The new dtspcd daemon is a DDOS tool that is controlled via unsolicited
ICMP ECHO REPLY packets. Periodically, the infected machines start spewing
spoofed UDP floods or TCP SYN floods with source addresses within the infected
machine's local network (or possibly just the containing /24). Other types
of attacks appear to be possible now that I've actually recovered the tool.
To find infected machines, I'd suggest looking for unsolicited ICMP ECHO
REPLY packets of 1044 bytes in length. You can also ngrep for 'skillz'.
OIT Security & Assurance
University of Minnesota
Paul Dokas dokas at cs.umn.edu
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
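The detection hint above (unsolicited ICMP ECHO REPLY packets of 1044 bytes, payload containing 'skillz') as a small stateful detector. This is example code added to the archived post, not something Paul Dokas or the unisog list shipped; it assumes raw IPv4 packets with no link-layer header (what a pcap reader would hand you after stripping Ethernet), ignores checksums, and uses constructed sample packets with made-up addresses. The "unsolicited" test is the assumption that a legitimate reply must be preceded by an ECHO REQUEST with the reversed addresses and the same id/seq.

```python
"""Flag unsolicited ICMP ECHO REPLY packets matching the post's indicators.

Example code added to the archive page; not from the original post.
Input is raw IPv4 packets (no link layer). Sample packets are constructed.
"""
import struct

# Indicators from the post: the agent is steered by unsolicited ICMP ECHO
# REPLY packets 1044 bytes long, and the string 'skillz' shows up in traffic.
SUSPECT_TOTAL_LENGTH = 1044
SUSPECT_MARKER = b"skillz"

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def parse_ipv4_icmp(packet):
    """Return (src, dst, total_len, icmp_type, ident, seq, payload),
    or None if the packet is not IPv4 carrying ICMP."""
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, total_len, _ipid, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return None
    icmp_type, _code, _icsum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return (".".join(str(b) for b in src), ".".join(str(b) for b in dst),
            total_len, icmp_type, ident, seq, icmp[8:])


def find_unsolicited_replies(packets):
    """One pass over packets in capture order. An ECHO REPLY is treated as
    unsolicited when no matching ECHO REQUEST (reversed addresses, same
    id/seq) was seen earlier. Returns a list of (src, dst, reason)."""
    outstanding = set()   # (reply_src, reply_dst, ident, seq) we expect
    alerts = []
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, dst, total_len, icmp_type, ident, seq, payload = parsed
        if icmp_type == ICMP_ECHO_REQUEST:
            outstanding.add((dst, src, ident, seq))  # reply comes dst -> src
        elif icmp_type == ICMP_ECHO_REPLY:
            key = (src, dst, ident, seq)
            if key in outstanding:
                outstanding.discard(key)  # normal ping reply, ignore
                continue
            reasons = []
            if total_len == SUSPECT_TOTAL_LENGTH:
                reasons.append("1044-byte unsolicited echo reply")
            if SUSPECT_MARKER in payload:
                reasons.append("payload contains 'skillz'")
            if reasons:
                alerts.append((src, dst, "; ".join(reasons)))
    return alerts


def build_icmp(src, dst, icmp_type, ident, seq, payload):
    """Construct a minimal IPv4+ICMP packet for the samples (checksums
    left zero; the parser above does not verify them)."""
    total_len = 20 + 8 + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     src_b, dst_b)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return ip + icmp + payload


# Constructed sample capture: a normal ping exchange, then an unsolicited
# 1044-byte reply carrying the marker, then a short unsolicited reply that
# matches neither indicator (should not alert).
SAMPLE_PACKETS = [
    build_icmp("10.0.0.5", "10.0.0.9", ICMP_ECHO_REQUEST, 0x1234, 1, b"x" * 56),
    build_icmp("10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY, 0x1234, 1, b"x" * 56),
    build_icmp("198.51.100.7", "10.0.0.9", ICMP_ECHO_REPLY, 0xBEEF, 1,
               b"skillz" + b"\x00" * (1044 - 28 - 6)),
    build_icmp("198.51.100.7", "10.0.0.9", ICMP_ECHO_REPLY, 0xBEEF, 2, b"hello"),
]

if __name__ == "__main__":
    for src, dst, reason in find_unsolicited_replies(SAMPLE_PACKETS):
        print(f"ALERT {src} -> {dst}: {reason}")
```

On the sample capture only the third packet is reported, with both reasons. On a real capture you would feed `find_unsolicited_replies` the IP-layer bytes of each frame in order; the request/reply pairing is what separates a controller's command packet from the replies a host's own pings legitimately produce, which a bare length or string match cannot do.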