[unisog] stacheldraht(?) infections

H. Morrow Long morrow.long at yale.edu
Tue Jan 29 00:48:03 GMT 2002


We found two machines in a dept in the sciences last week
running a DDoS client which was sending out ICMP echo replies
with "skillz" in them.  I've added a Snort rule looking for
"skillz" (as well as "sicken") in ICMP packets.

- H. Morrow Long



> >
> > The new dtspcd daemon is a DDOS tool that is controlled via unsolicited
> > ICMP ECHO REPLY packets.  Periodically, the infected machines start spewing
> > spoofed UDP floods or TCP SYN floods with source addresses within the infected
> > machine's local network (or possibly just the containing /24).  Other types
> > of attacks appear to be possible now that I've actually recovered the tool.
> >
> >
> > To find infected machines, I'd suggest looking for unsolicited ICMP ECHO
> > REPLY packets of 1044 bytes in length.  You can also ngrep for 'skillz'
> > or 'ficken'
> >
> >
> >
> > Paul Dokas
> > OIT Security & Assurance
> > University of Minnesota
> >
> > --
> > Paul Dokas                                            dokas at cs.umn.edu
> > ======================================================================
> > Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
> >
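An added example (not from either poster) of the host-side check the thread describes: a minimal IPv4/ICMP parser that tracks outbound echo requests and flags echo replies that are unsolicited and 1044 bytes long, or that carry one of the strings mentioned above (both the "sicken" and "ficken" spellings are included). The packets are constructed inline; the function and constant names are the example's own.

```python
import struct

# Strings the thread reports inside the DDoS agent's ICMP echo replies
# (both spellings from the two messages are checked).
SIGNATURES = (b"skillz", b"sicken", b"ficken")
SUSPECT_LEN = 1044  # datagram length cited in the thread

def build_icmp(src, dst, icmp_type, ident, seq, payload):
    """Construct an IPv4+ICMP datagram (checksums left zero; test data only)."""
    total_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def parse(pkt):
    """Return the fields we need from an IPv4/ICMP datagram, or None if not ICMP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:  # IP protocol number 1 = ICMP
        return None
    t, _code, _cksum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return {"src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "type": t, "id": ident, "seq": seq, "len": len(pkt),
            "payload": pkt[ihl + 8:]}

def classify(packets):
    """Return (src, dst, reasons) for every echo reply that matches the thread's indicators."""
    outstanding, hits = set(), []
    for pkt in packets:
        p = parse(pkt)
        if p is None:
            continue
        if p["type"] == 8:  # echo request: remember it so its reply counts as solicited
            outstanding.add((p["src"], p["dst"], p["id"], p["seq"]))
            continue
        if p["type"] != 0:  # only echo replies are of interest here
            continue
        reasons = []
        key = (p["dst"], p["src"], p["id"], p["seq"])
        if key in outstanding:
            outstanding.discard(key)
        else:
            reasons.append("unsolicited")
        if p["len"] == SUSPECT_LEN:
            reasons.append("len=1044")
        reasons += [f"sig:{s.decode()}" for s in SIGNATURES if s in p["payload"]]
        if any(r.startswith("sig:") for r in reasons) or {"unsolicited", "len=1044"} <= set(reasons):
            hits.append((p["src"], p["dst"], reasons))
    return hits

SAMPLE_PACKETS = [  # constructed traffic: one legitimate exchange, two suspicious replies
    build_icmp("10.0.0.5", "10.0.0.9", 8, 0x1234, 1, b"ping"),
    build_icmp("10.0.0.9", "10.0.0.5", 0, 0x1234, 1, b"ping"),
    build_icmp("10.0.0.7", "192.0.2.1", 0, 0x029A, 0, b"skillz"),
    build_icmp("10.0.0.8", "192.0.2.1", 0, 0, 0, b"\x00" * (SUSPECT_LEN - 28)),
]

def sample_hits():
    return classify(SAMPLE_PACKETS)
```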