[unisog] stacheldraht(?) infections
H. Morrow Long
morrow.long at yale.edu
Tue Jan 29 00:48:03 GMT 2002
We found two machines in a dept in the sciences last week
running a DDoS client which was sending out ICMP echo replies
with "skillz" in them. I've added a Snort rule looking for
"skillz" (as well as "sicken") in ICMP packets.
- H. Morrow Long
> > The new dtspcd daemon is a DDOS tool that is controlled via unsolicited
> > ICMP ECHO REPLY packets. Periodically, the infected machines start spewing
> > spoofed UDP floods or TCP SYN floods with source addresses within the infected
> > machine's local network (or possibly just the containing /24). Other types
> > of attacks appear to be possible now that I've actually recovered the tool.
> > To find infected machines, I'd suggest looking for unsolicited ICMP ECHO
> > REPLY packets of 1044 bytes in length. You can also ngrep for 'skillz'
> > or 'ficken'
> > Paul Dokas
> > OIT Security & Assurance
> > University of Minnesota
> > --
> > Paul Dokas dokas at cs.umn.edu
> > ======================================================================
> > Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
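The check suggested in the quoted message (unsolicited ICMP ECHO REPLY packets, the 1044-byte length, and the payload strings), as an added Python example that is not part of the original thread. The packets are constructed samples; treating 1044 as the IPv4 total length, and the helper names ip4, build_icmp and scan, are assumptions of this example.

```python
import struct

KEYWORDS = (b"skillz", b"ficken", b"sicken")  # strings named in the thread
SUSPECT_LEN = 1044  # assumption: matched against the IPv4 total-length field

def ip4(addr):
    return bytes(int(octet) for octet in addr.split("."))

def build_icmp(src, dst, icmp_type, ident, seq, payload):
    """Constructed IPv4+ICMP test packet (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                       64, 1, 0, ip4(src), ip4(dst)) + icmp

def scan(packets):
    """Flag echo replies that answer no earlier echo request, or carry a keyword."""
    pending, alerts = set(), []
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
            continue                      # not IPv4 carrying ICMP
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl + 8:
            continue                      # malformed or truncated header
        total = struct.unpack("!H", pkt[2:4])[0]
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
        payload = pkt[ihl + 8:total]
        if icmp_type == 8:                # echo request: remember who asked whom
            pending.add((src, dst, ident, seq))
        elif icmp_type == 0:              # echo reply: was it asked for?
            reasons = []
            key = (dst, src, ident, seq)
            if key in pending:
                pending.discard(key)
            else:
                reasons.append("unsolicited")
                if total == SUSPECT_LEN:
                    reasons.append("len=1044")
            reasons += ["keyword:" + k.decode() for k in KEYWORDS if k in payload]
            if reasons:
                alerts.append((src, dst, reasons))
    return alerts

SAMPLE = [  # constructed traffic: one normal ping exchange, then two unsolicited replies
    build_icmp("10.0.0.5", "10.0.0.9", 8, 1, 1, b"ping"),
    build_icmp("10.0.0.9", "10.0.0.5", 0, 1, 1, b"ping"),
    build_icmp("192.0.2.7", "10.0.0.20", 0, 0x1234, 0, b"skillz".ljust(1016, b"\0")),
    build_icmp("10.0.0.20", "192.0.2.7", 0, 0x1235, 0, b"ficken"),
]
```

Calling scan(SAMPLE) returns one alert per unsolicited reply and none for the answered ping; a sensor that sees only one direction of traffic will report every reply as unsolicited.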