[unisog] stacheldraht(?) infections

Circuit Man dmason at jeckyll.uoregon.edu
Tue Jan 29 00:20:25 GMT 2002


We discovered a Solaris 8 box this morning that was compromised on Friday by
something like this...

The precursor was a flood of dtspc probes to our subnet from 62.131.212.41
on Jan 25 around 11pm (PST), then a compromise on the machine in question at
0:38 on 1/26.

/usr/bin/login was modified, and a small kit was found in /var/tmp/...
containing pico and something called "m".

strings on m gave:

# strings m
milk v0.1a[milkweed]
usage: %s <victim> <size>
%s: unknown host
bombing %s with packets of %i bytes
ignoring

/usr/dt/bin/dtspcd was missing, and there was no /usr/dt/bin/mhosts.h,
/usr/dt/bin/ appears to have been modified at 0:46, 12 minutes after the
compromise.

I also didn't find /dev/ttyp...

We had about half a dozen other Solaris boxes get probed but only our sole
Solaris 8 box was compromised.

It looks to me that either the script setting this up failed, or it ran things
for 12 minutes, then tried to clean up after itself & move on...

--Dave

On Mon, 28 Jan 2002, Paul Dokas wrote:

> 
> Just a heads up.  We've been seeing more than a few Solaris machines
> that appear to be infected with a variant of what looks like
> stacheldraht:
> 
>   http://project.honeynet.org/papers/enemy/ddos.txt
> 
> 
> Basically, all of the infected machines appear to have been infected
> via the CDE subprocess control daemon (dtspcd) on 6112/TCP.
> 
> A new version of the dtspcd daemon is put into place in /usr/dt/bin/dtspcd
> along with /usr/dt/bin/mhosts.h, a new version of /usr/bin/login
> and /usr/bin/pico.  And, at least one of the hacked machines that
> I've seen also had /dev/ttyp and appeared to have a full rootkit installed.
> 
> 
> The new dtspcd daemon is a DDOS tool that is controlled via unsolicited
> ICMP ECHO REPLY packets.  Periodically, the infected machines start spewing
> spoofed UDP floods or TCP SYN floods with source addresses within the infected
> machine's local network (or possibly just the containing /24).  Other types
> of attacks appear to be possible now that I've actually recovered the tool.
> 
> 
> To find infected machines, I'd suggest looking for unsolicited ICMP ECHO
> REPLY packets of 1044 bytes in length.  You can also ngrep for 'skillz'
> or 'ficken'.
> 
> 
> 
> Paul Dokas
> OIT Security & Assurance
> University of Minnesota
> 
> -- 
> Paul Dokas                                            dokas at cs.umn.edu
> ======================================================================
> Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
> 

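The detection heuristics Paul quotes (unsolicited ICMP ECHO REPLYs of 1044 bytes, and the strings 'skillz' / 'ficken' in the payload) as a small offline checker over raw IPv4/ICMP packets. This is an added example, not code from the thread or from the tool itself; it assumes the 1044 bytes is the IPv4 total length, tracks outstanding ECHO REQUESTs by (addresses, id, seq) to decide what counts as "unsolicited", and the sample packets are constructed in the test rather than captured.

```python
import struct

# Heuristics quoted in the thread: unsolicited ICMP ECHO REPLYs of 1044 bytes and
# the strings 'skillz' / 'ficken'. 1044 is taken here as the IPv4 total length (assumption).
SUSPECT_LENGTH, MARKERS = 1044, (b"skillz", b"ficken")
ECHO_REQUEST, ECHO_REPLY = 8, 0

def parse_ipv4_icmp(pkt):
    """Return (src, dst, total_len, icmp_type, ident, seq, payload), or None if not IPv4/ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return src, dst, total_len, icmp_type, ident, seq, pkt[ihl + 8:]

def find_suspect_replies(packets):
    """Flag ECHO REPLYs with no matching earlier ECHO REQUEST that carry the
    handler's length or marker strings. Returns [(src, dst, reason), ...]."""
    outstanding, hits = set(), []
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, dst, total_len, icmp_type, ident, seq, payload = parsed
        if icmp_type == ECHO_REQUEST:
            outstanding.add((dst, src, ident, seq))    # reply is expected dst -> src
        elif icmp_type == ECHO_REPLY:
            if (src, dst, ident, seq) in outstanding:
                outstanding.discard((src, dst, ident, seq))    # solicited reply, ignore
                continue
            reasons = []
            if total_len == SUSPECT_LENGTH:
                reasons.append("unsolicited %d-byte echo reply" % total_len)
            found = [m.decode() for m in MARKERS if m in payload]
            if found:
                reasons.append("marker string(s): " + ", ".join(found))
            if reasons:
                hits.append((src, dst, "; ".join(reasons)))
    return hits

def build_icmp(src, dst, icmp_type, ident, seq, payload):
    """Constructed sample packet: IPv4 header (checksum left zero) + ICMP header + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
```

Feed `find_suspect_replies` the raw IP packets from a capture (e.g. the bytes after the link-layer header of each pcap record); an ordinary ping request/reply pair is ignored, while a 1044-byte reply nobody asked for, or one carrying the marker strings, is reported with the reason.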