Re: Possible DDos Network Creation with ssh crc exploit

[Jose Nazario <jose () biocserver BIOC cwru edu>]

On 13 Nov 2001, Mike Grantham wrote:

> Conclusion:
>   While I have not had time to disassemble these
> binaries or test to see what they do
>   I suspect someone is setting up a DDos network, I
> also suspect that a script has done this
>   due to the file times being all within the same minute.

aside from the carko binary you found, do you have any other evidence that
its a DDoS ring? is this a terminal node or a staging node? you found only
binaries, so it was probably a terminal node. however if someone has a
rootkit that sends carko along (or someone stole some tools and carko was
one of 'em) then thats a possibly invalid conclusion.

> If anyone would like to have a look at these files
> please email me and I will send them to you.

i am interested, specifically in a dd of the drive. we'll chat more
offline if you want to pursue this. bear in mind your site policies may
prevent you from sharing data with outsiders, so check as appropriate.

good luck, and thanks for the heads up.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com