Security Incidents mailing list archives

DoS Trojan on Solaris


From: rpadilla () GSU EDU (Roderick Padilla)
Date: Wed, 2 Feb 2000 12:11:38 -0500


We received e-mail from an Admin in Brazil saying that one of his routers
was under a DoS attack from one of my Solaris 2.6 boxes.

We found a process called "milk" running that was doing the DoS. The
IP that was targeted was the one that we were told about. There was also
another instance of "milk" running and targeting another IP on one of
Brazil's backbone networks.

It was discovered that the following programs had trojan replacements:
/usr/lib/nfs/lockd
/usr/lib/nfs/statd
/usr/openwin/bin/rpc.ttdbserverd
/usr/bin/login
/usr/bin/ps
/usr/bin/inetd
/usr/sbin/in.rlogind
/usr/sbin/login

Although some of the timestamps for these programs had been forged, they
all shared a creation time within one second, so we assume this was when
the breakin occurred. We had another breakin in another non-related
department on the same day that had many of the same fingerprints, so it is
likely they were done by the same person(s).

The trojan for /usr/lib/nfs/lockd was listening on port 20000. There was an
active connection from an IP to that port at the time our security person
began looking at the box, so it is possible this is where the hacker came
from (or at least was the last place he came in from).

/usr/ccs/... contained some programs that were his sniffer, DoS attacker,
etc. The users of our Solaris box rebooted every couple of days because it
would get very slow. We now know the lockd process respawning the DoS
program (which used up lots of CPU) was slowing it down.

Anybody with info on this please? Thanks!

Roderick Padilla                                Office: (404) 651-3832
Systems & Network Administrator                 Fax:    (404) 651-3842
http://www.cis.gsu.edu/~rpadilla                Email:  rpadilla () gsu edu

Department of Computer Information Systems
J. Mack Robinson College of Business
Georgia State University
PO Box 4015
Atlanta, Georgia, USA  30302-4015
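The post's key triage observation is that the attacker back-dated the trojans' visible timestamps, but all of them still shared one "creation time" within a second of each other. On a Unix filesystem that surviving timestamp is the inode change time (ctime): `touch -r` or `touch -t` rewrite mtime and atime from userland, but the kernel stamps ctime with the current clock on every write, so a back-dated binary ends up with an mtime far older than its ctime, and a batch of replacements installed in one go shares a ctime cluster. The script below is an added example written for this page, not code from the poster, that turns those two observations into a check. Its sample records are constructed to mirror the eight paths in the post (the epoch values and the 5-second slack are assumptions, not data from the incident); run it with directory arguments to stat a real tree instead.

```python
"""Flag binaries whose timestamps look like a back-dated trojan install.

Two signals, both taken from the incident report above:
  1. ctime cluster: many files whose inode change time lies within a
     1-second window (one batch install).
  2. back-dated mtime: mtime set far earlier than ctime, which is what
     `touch -r /bin/ls trojan` leaves behind on a freshly written file.
Either alone has benign causes (a patch run, `cp -p`); the intersection is
the strong signal.
"""
import os
import stat
import sys

# Constructed sample, modelled on the post: (path, mtime, ctime) in epoch
# seconds. T_BREAKIN is a hypothetical compromise time, not the real one.
T_BREAKIN = 948000000
SAMPLE = [
    ("/usr/lib/nfs/lockd", 900000000, T_BREAKIN),
    ("/usr/lib/nfs/statd", 900000000, T_BREAKIN),
    ("/usr/openwin/bin/rpc.ttdbserverd", 900000000, T_BREAKIN + 1),
    ("/usr/bin/login", 900000000, T_BREAKIN),
    ("/usr/bin/ps", 900000000, T_BREAKIN + 1),
    ("/usr/bin/inetd", 900000000, T_BREAKIN),
    ("/usr/sbin/in.rlogind", 900000000, T_BREAKIN),
    ("/usr/sbin/login", 900000000, T_BREAKIN),
    # Untouched binaries from the original install: mtime and ctime agree.
    ("/usr/bin/ls", 880000000, 880000000),
    ("/usr/bin/cat", 880000000, 880000001),
    ("/usr/bin/vi", 880000005, 880000005),
]


def ctime_clusters(entries, window=1, min_size=3):
    """Group entries whose ctimes fall within `window` seconds of the first
    entry in the group; return groups of at least `min_size`, largest first."""
    ordered = sorted(entries, key=lambda e: e[2])
    clusters, current = [], []
    for e in ordered:
        if current and e[2] - current[0][2] > window:
            if len(current) >= min_size:
                clusters.append([p for p, _, _ in current])
            current = []
        current.append(e)
    if len(current) >= min_size:
        clusters.append([p for p, _, _ in current])
    return sorted(clusters, key=len, reverse=True)


def backdated(entries, slack=5):
    """Paths whose mtime precedes ctime by more than `slack` seconds.
    A normal write sets both together; a large gap means mtime was rewritten
    after the file landed (touch -r/-t) or the file was copied with -p."""
    return [p for p, m, c in entries if c - m > slack]


def suspects(entries, window=1, min_size=3, slack=5):
    """Paths that are both inside a ctime cluster and back-dated."""
    clustered = {p for c in ctime_clusters(entries, window, min_size) for p in c}
    return sorted(clustered & set(backdated(entries, slack)))


def collect(dirs):
    """lstat every regular file under the given directories (symlinks are
    skipped so the link's own ctime does not stand in for its target's)."""
    out = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    out.append((p, int(st.st_mtime), int(st.st_ctime)))
    return out


if __name__ == "__main__":
    entries = collect(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE
    for cluster in ctime_clusters(entries):
        print("ctime cluster of %d files, e.g. %s" % (len(cluster), cluster[0]))
    for p in suspects(entries):
        print("SUSPECT (clustered + back-dated mtime):", p)
```

Treat the output as a lead, not a verdict: a vendor patch run also writes many files with one ctime, so confirm each hit against a known-good copy or the package database (on Solaris, `pkgchk -p <path>` verifies a single installed file's attributes and checksum against the package map). If the box clock was changed, or the attacker had the foresight to reset it, ctime is no longer trustworthy either, which is why the post's practice of checking ctime across an unrelated second compromise on the same day is a sound cross-check.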

