[unisog] stacheldraht(?) infections

H. Morrow Long morrow.long at yale.edu
Tue Jan 29 03:14:16 GMT 2002


Paul Dokas wrote:
> To find infected machines, I'd suggest looking for unsolicited ICMP ECHO
> REPLY packets of 1044 bytes in length.  You can also ngrep for 'skillz'
> or 'ficken'

The following SNORT rules work as well (you could even narrow them down
to the specific ICMP type for ICMP ECHO REPLY to make them more efficient):

#
# DDoS agents
#
alert icmp any any -> any any (msg:"DDoS Ping Cmd skillz"; content:"skillz";) 
alert icmp any any -> any any (msg:"DDoS Ping Cmd ficken"; content:"ficken";) 
#

Also, you probably want to add the following to Snort (put in your nets) this week:

#
#  Kill (reset) incoming TCP connections to dtspc port
#
alert tcp any any -> 128.36.0.0/16 6112 (msg: "dtspc block"; flags: S; resp:rst_all; )
alert tcp any any -> 130.132.0.0/16 6112 (msg: "dtspc block"; flags: S; resp:rst_all; )

And:

#
# MyParty worm Trojan covert communication accessing remote website.
#
alert tcp any any -> 209.151.250.170 80 (msg:"Myparty worm"; flags: S; )
#

- H. Morrow Long
  University Information Security Officer
  Yale Univ., ITS, Dir. InfoSec Office
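Added example, not from the thread or either poster: a small Python checker that applies the detection logic described above to raw IPv4/ICMP datagrams, combining the "skillz"/"ficken" content rules with the ICMP ECHO REPLY type and 1044-byte length narrowing. The addresses and sample packets are constructed for the demonstration.

```python
import struct
# Criteria from the thread: unsolicited ICMP ECHO REPLY (type 0) packets of
# 1044 bytes, and/or payloads carrying the strings "skillz" or "ficken".
ICMP_ECHO_REPLY = 0
STACHELDRAHT_TOTAL_LEN = 1044
MARKERS = (b"skillz", b"ficken")

def parse_ipv4_icmp(frame):
    """Parse a raw IPv4 datagram into a dict; None unless it carries ICMP."""
    if len(frame) < 20:
        return None
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(frame) < ihl + 8:
        return None  # not IPv4, not ICMP, or truncated before the ICMP header
    icmp = frame[ihl:]
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "type": icmp[0], "code": icmp[1], "total_len": total_len,
            "payload": icmp[8:]}

def classify(pkt):
    """Names of the rules that fire: the two content rules, plus the
    echo-reply / 1044-byte narrowing the post suggests."""
    hits = [f"DDoS Ping Cmd {m.decode()}" for m in MARKERS if m in pkt["payload"]]
    if pkt["type"] == ICMP_ECHO_REPLY and pkt["total_len"] == STACHELDRAHT_TOTAL_LEN:
        hits.append("1044-byte ICMP echo reply")
    return hits

def build_icmp(src, dst, icmp_type, payload):
    """Constructed test datagram; checksums left at zero (not inspected here)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0) + payload

# Constructed samples (hypothetical addresses): an agent-style 1044-byte reply,
# a normal-sized reply that merely contains a marker, and an ordinary request.
SAMPLES = [
    build_icmp("10.0.0.7", "192.0.2.1", ICMP_ECHO_REPLY, b"skillz".ljust(1016, b"\0")),
    build_icmp("10.0.0.8", "192.0.2.1", ICMP_ECHO_REPLY, b"ficken".ljust(36, b"\0")),
    build_icmp("10.0.0.9", "192.0.2.1", 8, b"\0" * 36),
]

def scan(frames):
    """Run the rules over a capture; return (src, dst, hits) for matches only."""
    parsed = filter(None, map(parse_ipv4_icmp, frames))
    rows = ((p["src"], p["dst"], classify(p)) for p in parsed)
    return [row for row in rows if row[2]]
```

Only the first sample trips both the content rule and the size/type check; the second shows why the content rules alone also catch ordinary-sized replies, and the third is a plain echo request that matches nothing.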