[unisog] stacheldraht(?) infections
H. Morrow Long
morrow.long at yale.edu
Tue Jan 29 03:14:16 GMT 2002
Paul Dokas wrote:
> To find infected machines, I'd suggest looking for unsolicited ICMP ECHO
> REPLY packets of 1044 bytes in length. You can also ngrep for 'skillz'
> or 'ficken'
The following SNORT rules work as well (you could even narrow them down
to the specific ICMP type for ICMP ECHO REPLY to make them more efficient) :
# DDoS agents
alert icmp any any -> any any (msg:"DDoS Ping Cmd skillz"; content:"skillz";)
alert icmp any any -> any any (msg:"DDoS Ping Cmd ficken"; content:"ficken";)
Also, you probably want to add the following to Snort (put in your nets) this week :
# Kill (reset) incoming TCP connections to dtspc port
alert tcp any any -> 126.96.36.199/16 6112 (msg: "dtspc block"; flags: S; resp:rst_all; )
alert tcp any any -> 188.8.131.52/16 6112 (msg: "dtspc block"; flags: S; resp:rst_all; )
# MyParty worm Trojan covert communication accessing remote website.
alert tcp any any -> 184.108.40.206 80 (msg:"Myparty worm"; flags: S; )
- H. Morrow Long
University Information Security Officer
Yale Univ., ITS, Dir. InfoSec Office
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2578 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.dshield.org/pipermail/unisog/attachments/20020128/0b815540/smime-0007.bin
More information about the unisog