[unisog] stacheldraht(?) infections
dmason at jeckyll.uoregon.edu
Tue Jan 29 00:20:25 GMT 2002
We discovered a Solaris 8 box this morning that was compromised on Friday by
something like this...
The precursor was a flood of dtspc probes to our subnet from 184.108.40.206
on Jan 25 around 11pm (PST), then a compromise on the machine in question at
0:38 on 1/26.
/usr/bin/login was modified, and a small kit was found in /var/tmp/...
containing pico and something called "m".
strings on m gave:
# strings m
usage: %s <victim> <size>
%s: unknown host
bombing %s with packets of %i bytes
/usr/dt/bin/dtspcd was missing, and there was no /usr/dt/bin/mhosts.h,
/usr/dt/bin/ appears to have been modified at 0:46, 12 minutes after the
I also didn't find /dev/ttyp...
We had about half a dozen other solaris boxes get probed but only our sole
solaris 8 box was compromised.
It looks to me like either the script setting this up failed, or it ran things
for 12 minutes, then tried to clean up after itself and move on...
On Mon, 28 Jan 2002, Paul Dokas wrote:
> Just a heads up. We've been seeing more than a few Solaris machines
> that appear to be infected with a variant of what looks like
> Basically, all of the infected machines appear to have been infected
> via the CDE subprocess control daemon (dtspcd) on 6112/TCP.
> A new version of the dtspcd daemon is put into place in /usr/dt/bin/dtspcd
> along with /usr/dt/bin/mhosts.h, a new version of /usr/bin/login
> and /usr/bin/pico. And, at least one of the hacked machines that
> I've seen also had /dev/ttyp and appeared to have a full rootkit installed.
> The new dtspcd daemon is a DDOS tool that is controlled via unsolicited
> ICMP ECHO REPLY packets. Periodically, the infected machines start spewing
> spoofed UDP floods or TCP SYN floods with source addresses within the infected
> machine's local network (or possibly just the containing /24). Other types
> of attacks appear to be possible now that I've actually recovered the tool.
> To find infected machines, I'd suggest looking for unsolicited ICMP ECHO
> REPLY packets of 1044 bytes in length. You can also ngrep for 'skillz'
> or 'ficken'
> Paul Dokas
> OIT Security & Assurance
> University of Minnesota
> Paul Dokas dokas at cs.umn.edu
> Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
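As an added example (not code from either poster), the detection logic Paul describes above can be written as a small stateful check over decoded packets: it flags ICMP ECHO REPLY packets of 1044 bytes that answer no recent ECHO REQUEST from the receiving host, and flags any payload containing 'skillz' or 'ficken'. The Packet record shape, the 30-second request/reply window and the sample packets are assumptions constructed here so the check runs offline; a real deployment would feed it decoded captures from a sniffer.

```python
"""Flag the network indicators named in the thread: unsolicited ICMP ECHO
REPLY packets of 1044 bytes, and payloads carrying 'skillz' or 'ficken'.
Packet records below are constructed for offline use (assumption)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
SUSPECT_REPLY_LEN = 1044                   # length cited in the thread
SUSPECT_STRINGS = (b"skillz", b"ficken")   # strings cited in the thread


@dataclass
class Packet:
    """Minimal decoded-packet record (assumed shape, not a real library type)."""
    ts: float
    src: str
    dst: str
    proto: str                       # "icmp", "udp" or "tcp"
    length: int                      # total IP length in bytes
    icmp_type: Optional[int] = None
    icmp_id: Optional[int] = None    # echo identifier, to pair request/reply
    payload: bytes = b""


Alert = Tuple[str, str, str]         # (reason, src, dst)


class EchoReplyDetector:
    """Tracks outgoing echo requests so replies can be classed as solicited
    or not; window is how long a request justifies a reply (assumed 30 s)."""

    def __init__(self, window: float = 30.0):
        self.window = window
        # (requester, target, icmp_id) -> timestamp of the last request
        self._requests: Dict[Tuple[str, str, Optional[int]], float] = {}

    def feed(self, pkt: Packet) -> List[Alert]:
        alerts: List[Alert] = []
        if pkt.proto == "icmp":
            if pkt.icmp_type == ICMP_ECHO_REQUEST:
                self._requests[(pkt.src, pkt.dst, pkt.icmp_id)] = pkt.ts
            elif pkt.icmp_type == ICMP_ECHO_REPLY:
                # A legitimate reply answers a request sent from dst to src.
                asked = self._requests.get((pkt.dst, pkt.src, pkt.icmp_id))
                unsolicited = asked is None or pkt.ts - asked > self.window
                if unsolicited and pkt.length == SUSPECT_REPLY_LEN:
                    alerts.append(("unsolicited_echo_reply_1044", pkt.src, pkt.dst))
        # The string check applies to any protocol, as an ngrep would.
        for needle in SUSPECT_STRINGS:
            if needle in pkt.payload:
                alerts.append(("payload_" + needle.decode(), pkt.src, pkt.dst))
        return alerts


def scan(packets: List[Packet], window: float = 30.0) -> List[Alert]:
    """Run the detector over a packet list and return every alert raised."""
    det = EchoReplyDetector(window)
    found: List[Alert] = []
    for p in packets:
        found.extend(det.feed(p))
    return found


if __name__ == "__main__":
    # Constructed sample traffic: one normal ping pair, one unsolicited
    # 1044-byte reply, one unsolicited small reply, one UDP packet with a
    # suspect string. Addresses are documentation ranges, not real hosts.
    sample = [
        Packet(1.0, "10.0.0.5", "10.0.0.9", "icmp", 1044, ICMP_ECHO_REQUEST, 7),
        Packet(1.1, "10.0.0.9", "10.0.0.5", "icmp", 1044, ICMP_ECHO_REPLY, 7),
        Packet(2.0, "203.0.113.7", "10.0.0.5", "icmp", 1044, ICMP_ECHO_REPLY, 3),
        Packet(2.5, "203.0.113.7", "10.0.0.5", "icmp", 64, ICMP_ECHO_REPLY, 4),
        Packet(3.0, "10.0.0.5", "198.51.100.2", "udp", 90, payload=b"xx skillz xx"),
    ]
    for a in scan(sample):
        print(a)
```

The solicited 1044-byte reply in the sample raises nothing because the matching request was seen first; the same reply arriving with no prior request does. Tune the window to the ping cadence on your network before relying on the unsolicited classification.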