Security Incidents mailing list archives
Rooted, new DDoS also
From: Philip Champon <pchampon () GONK VALUEWEB NET>
Date: Thu, 30 Nov 2000 14:06:15 -0500
On Nov 26, 2000 06:02 EST, a box of ours was rooted via in.ftpd. The most interesting thing about this is the daemon he left behind. I searched all of the archives on securityfocus and packetstorm and nothing on this has turned up... the daemon is spsiod.

Here are the signs:

  udp port 3214 is active
  a file with the following properties:
    /var/spool/spsiod exists and is executable
    MD5 sum 6c530ee2f9ec80ace17c4cd50b455d9d
  a process by the name of spsiod running
  the owner of the process is an illegitimate user (ours was #54323)
  An entry at the bottom of /etc/rc.d/rc.local (on redhat and va linux):
    /var/spool/spsiod

The following logs were zeroed out:
  /var/log/spooler
  /var/log/httpd/access_log
  /var/log/httpd/access_log.1
  /var/log/xferlog
  /var/log/xferlog
  /var/log/spooler.1
  /var/log/spooler.1
  /var/log/boot.log.1
  /var/log/boot.log.1
  /var/log/xferlog.1
  /var/log/xferlog.1
  /var/log/spooler.2
  /var/log/spooler.2

The last 4 lines of the string binary are:

  Hi! If you are reading this, you have string finding skills so must be trying to figure out how my toy works, and who wrote it.
  Well I remain Anonymous..
  The most advanced DDoS daemon to date.. should have a cool name..
  How about.. SmallPenisSyndrome.. lets see you say that on the news!

More info (binary, md5 sum of said binary etc) is available at:
http://www.phess.org/spsiod/index.html

--
Philip Champon
Valueweb Developer
Ph - 954-334-8156
Em - pchampon () valueweb net
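As an added check script, not part of the post or the author's tooling, the following sh script tests a mounted disk image or a live host for the indicators listed above; the MD5 sum, paths and port come from the post, while the function names and layout are this example's own assumptions.

```shell
#!/bin/sh
# Added host check for the spsiod indicators reported in the post above.
# Paths, port and MD5 sum are from the post; function names are assumptions.
# File-based checks take a root directory so they can run against a mounted
# image of the suspect disk; the two live checks need the running host.

SPSIOD_MD5="6c530ee2f9ec80ace17c4cd50b455d9d"   # MD5 reported for /var/spool/spsiod

# check_md5 FILE: succeeds if FILE exists and its MD5 matches the reported sum
check_md5() {
    [ -f "$1" ] || return 1
    sum=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$sum" = "$SPSIOD_MD5" ]
}

# check_rc_local FILE: succeeds if rc.local has a line launching /var/spool/spsiod
check_rc_local() {
    [ -f "$1" ] && grep -q '^[[:space:]]*/var/spool/spsiod' "$1"
}

# zeroed_logs LOGDIR: prints the logs named in the post that exist but are empty
zeroed_logs() {
    for f in spooler spooler.1 spooler.2 xferlog xferlog.1 boot.log.1 \
             httpd/access_log httpd/access_log.1; do
        [ -f "$1/$f" ] && [ ! -s "$1/$f" ] && echo "$1/$f"
    done
    return 0
}

# check_process: succeeds if a process named spsiod is running (live host only)
check_process() {
    ps -eo comm= | grep -qx spsiod
}

# check_udp_port: succeeds if udp/3214 is bound (live host only; ss or netstat)
check_udp_port() {
    if command -v ss >/dev/null 2>&1; then ss -lun | grep -q ':3214[[:space:]]'
    else netstat -lun 2>/dev/null | grep -q ':3214[[:space:]]'; fi
}

# scan ROOT: run the file-based checks against ROOT (e.g. / or /mnt/image)
scan() {
    hits=0
    check_md5 "$1/var/spool/spsiod" && { echo "MATCH: spsiod binary by MD5"; hits=$((hits+1)); }
    check_rc_local "$1/etc/rc.d/rc.local" && { echo "MATCH: rc.local start entry"; hits=$((hits+1)); }
    z=$(zeroed_logs "$1/var/log")
    [ -n "$z" ] && { echo "zeroed logs:"; echo "$z"; hits=$((hits+1)); }
    echo "$hits indicator group(s) matched under $1"
}
```

Run `scan /` on the suspect host, or `scan /mnt/image` against a mounted copy of its disk, and add `check_process` and `check_udp_port` for the live-only indicators.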