stacheldraht(?) infections

Paul Dokas dokas at cs.umn.edu
Mon Jan 28 22:46:38 GMT 2002


Just a heads up.  We've been seeing more than a few Solaris machines
that appear to be infected with a variant of what looks like
stacheldraht:

  http://project.honeynet.org/papers/enemy/ddos.txt


Basically, all of the infected machines appear to have been infected
via the CDE subprocess control daemon (dtspcd) on 6112/TCP.

A new version of the dtspcd daemon is put into place in /usr/dt/bin/dtspcd
along with /usr/dt/bin/mhosts.h, a new version of /usr/bin/login
and /usr/bin/pico.  And, at least one of the hacked machines that
I've seen also had /dev/ttyp and appeared to have a full rootkit installed.


The new dtspcd daemon is a DDOS tool that is controlled via unsolicited
ICMP ECHO REPLY packets.  Periodically, the infected machines start spewing
spoofed UDP floods or TCP SYN floods with source addresses within the infected
machine's local network (or possibly just the containing /24).  Other types
of attacks appear to be possible now that I've actually recovered the tool.


To find infected machines, I'd suggest looking for unsolicited ICMP ECHO
REPLY packets of 1044 bytes in length.  You can also ngrep for 'skillz'
or 'ficken'.



Paul Dokas
OIT Security & Assurance
University of Minnesota

-- 
Paul Dokas                                            dokas at cs.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
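The two network indicators the post suggests hunting for (unsolicited ICMP ECHO REPLY packets of 1044 bytes, and traffic containing the strings 'skillz' or 'ficken') can be checked over a capture with a short stateful pass. The following is an added example, not code from the original post or from the honeynet paper it links: packets are represented as constructed dicts (the field names, the sample addresses and the alert format are assumptions), and "unsolicited" is decided by matching each ECHO REPLY against ECHO REQUESTs seen earlier in the same capture, keyed on addresses plus ICMP id/seq.

```python
# Added example (not from the original post): flag the two indicators Paul
# describes, unsolicited 1044-byte ICMP ECHO REPLY packets and payloads
# containing 'skillz' or 'ficken'.  Packets are plain dicts so it runs offline.

ECHO_REQUEST = 8
ECHO_REPLY = 0
SUSPECT_LENGTH = 1044                    # IP length named in the post
MARKER_STRINGS = (b"skillz", b"ficken")  # strings the post suggests grepping for


def detect_stacheldraht_indicators(packets, suspect_length=SUSPECT_LENGTH):
    """Walk packets in capture order and return a list of alert dicts.

    An ECHO REPLY is 'unsolicited' when no ECHO REQUEST with the mirrored
    (src, dst) pair and the same ICMP id/seq was seen earlier in the capture.
    Marker strings are checked in every packet's payload, regardless of protocol,
    which is what an ngrep over the wire would do.
    """
    outstanding = set()   # (requester, target, icmp_id, icmp_seq) not yet answered
    alerts = []
    for idx, pkt in enumerate(packets):
        payload = pkt.get("payload", b"")
        markers = [m.decode() for m in MARKER_STRINGS if m in payload]
        if markers:
            alerts.append({"packet": idx, "kind": "marker_string",
                           "src": pkt["src"], "dst": pkt["dst"],
                           "markers": markers})

        if pkt.get("proto") != "icmp":
            continue
        if pkt["icmp_type"] == ECHO_REQUEST:
            outstanding.add((pkt["src"], pkt["dst"], pkt["icmp_id"], pkt["icmp_seq"]))
            continue
        if pkt["icmp_type"] == ECHO_REPLY:
            # A legitimate reply answers a request that travelled the other way.
            request_key = (pkt["dst"], pkt["src"], pkt["icmp_id"], pkt["icmp_seq"])
            if request_key in outstanding:
                outstanding.discard(request_key)
                continue
            if pkt["length"] == suspect_length:
                alerts.append({"packet": idx, "kind": "unsolicited_echo_reply",
                               "src": pkt["src"], "dst": pkt["dst"],
                               "length": pkt["length"]})
    return alerts


# Constructed sample capture (addresses from documentation ranges, not real hosts).
SAMPLE_PACKETS = [
    # 1. ordinary ping: request then its matching reply (should stay quiet)
    {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.9", "icmp_type": 8,
     "icmp_id": 1, "icmp_seq": 1, "length": 84, "payload": b"abcdefgh"},
    {"proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.5", "icmp_type": 0,
     "icmp_id": 1, "icmp_seq": 1, "length": 84, "payload": b"abcdefgh"},
    # 2. reply nobody asked for, 1044 bytes: the handler traffic the post describes
    {"proto": "icmp", "src": "198.51.100.7", "dst": "10.0.0.9", "icmp_type": 0,
     "icmp_id": 666, "icmp_seq": 0, "length": 1044, "payload": b"\x00" * 1016},
    # 3. unsolicited reply of normal size: noisy but not the indicator we want
    {"proto": "icmp", "src": "203.0.113.2", "dst": "10.0.0.9", "icmp_type": 0,
     "icmp_id": 7, "icmp_seq": 3, "length": 84, "payload": b"x" * 56},
    # 4. TCP segment carrying one of the marker strings
    {"proto": "tcp", "src": "10.0.0.9", "dst": "203.0.113.2", "length": 120,
     "payload": b"\x01\x02 skillz \x03"},
]


if __name__ == "__main__":
    for alert in detect_stacheldraht_indicators(SAMPLE_PACKETS):
        print(alert)
```

Run against a real capture, the dict records would be filled from a pcap reader; the request/reply matching is deliberately strict (id and seq must both match) so that a reply whose id/seq were never requested from that host stands out, and tightening `suspect_length` to the post's 1044 bytes keeps ordinary stray replies out of the alert list.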