[unisog] stacheldraht(?) infections

Pete Hickey pete at shadows.uottawa.ca
Tue Jan 29 01:02:51 GMT 2002

On Mon, Jan 28, 2002 at 04:46:38PM -0600, Paul Dokas wrote:
> Just a heads up.  We've been seeing more than a few Solaris machines
> that appear to be infected with a variant of what looks like
> stacheldraht:
>   http://project.honeynet.org/papers/enemy/ddos.txt

two weeks ago, we had two linux 7.1 machines hit with this.

> The new dtspcd daemon is a DDOS tool that is controlled via unsolicited
> ICMP ECHO REPLY packets.  Periodically, the infected machines start spewing
> spoofed UDP floods or TCP SYN floods with source addresses within the infected
> machine's local network (or possibly just the containing /24).  Other types
> of attacks appear to be possible now that I've actually recovered the tool.
> To find infected machines, I'd suggest looking for unsolicited ICMP ECHO
> REPLY packets of 1044 bytes in length.  You can also ngrep for 'skillz'
> or 'ficken'

The ping replies were coming regularly (every 5 minutes) from
193.212.204 and, on the odd chance that the
same guys have one of your machines.

Quite an intersting collections of machines that were being
attacked, too, including, lick.me.I.njoy.it, and i.am.the.god.of.ircnet.pl.
Kind of says something....

Pete Hickey               |                         |       VEIWIT
Communication Services    | Pete at mudhead.uottawa.CA |   Makers of transparent
University of Ottawa      |                         |      mirrors for
Ottawa,Ont. Canada K1N 6N5|  (613) 562-5800x1008    |       dyslexics.

More information about the unisog mailing list