Information Security News mailing list archives
DDoS attack targets chat, Linux boxes
From: William Knowles <wk () C4I ORG>
Date: Tue, 5 Sep 2000 17:56:52 -0500
http://www.zdnet.com/zdnn/stories/news/0,4586,2624180,00.html?chkpt=zdhpnews01

By Scott Berinato, eWEEK
September 5, 2000 9:37 AM PT

A new distributed denial of service tool has been discovered in the wild and is spreading, according to Internet Security Systems Inc.'s X-Force service.

Reports of up to 400 hosts running the "Trinity v3" agent have been reported, including 50 compromised IRC (Internet Relay Chat) hosts, said Chris Rouland, director of X-Force.

Rouland said no high-profile commerce sites have been reported down yet, but "one or two" universities have been affected. He would not disclose the identities of the schools.

"Using chat for attacks is a trend; chat in general is Internet-risky behavior," Rouland said. "It's fairly anonymous for an attacker to go onto a chat system and launch attacks, and anyone who can access this new chat room that Trinity v3 creates can launch further attacks."

Trinity v3 so far has been seen on Linux machines. The binary code is installed on a Linux server at /usr/lib/idle.so. When idle.so is launched, it connects to one of 11 Undernet IRC servers and sets a nickname for itself (which combines the first six letters of the host with three random digits). The code then joins the chat room #b3eblebr0x.

Once there, the code waits for commands to attack either individual Trinity agents or to attack all agents on the channel. Trinity v3, Rouland said, is capable of setting eight types of flood attacks that can be sent for any length of time.

The code also puts another binary on affected systems at var/spool/uucp/uucico, which looks similar to a real file at usr/lib/uucico but is different. The rogue code simply listens to port 33270 for connections and then attempts to get root shell access when someone logs on.
More information on the attack, along with precautions to take, can be found at: http://xforce.iss.net

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
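A host check built from the indicators the article names (the two file paths and the listener on port 33270), as an added example that is not part of the original post or of the X-Force advisory. The function name `trinity_check` and its arguments are hypothetical, and the second path is treated as `/var/spool/uucp/uucico` although the article prints it without a leading slash.

```shell
#!/bin/sh
# Added example: host triage for the Trinity v3 indicators named in the article.
# Usage: trinity_check [ROOT] [PROC_TCP]
#   ROOT      filesystem root to inspect (default /; a mounted image also works)
#   PROC_TCP  file in /proc/net/tcp format (default ROOT/proc/net/tcp)
# Prints one line per finding; returns 0 if clean, 1 if any indicator is present.

TRINITY_PORT=33270   # backdoor listener port from the article

trinity_check() {
    root=${1:-/}
    root=${root%/}                      # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    proc_tcp=${2:-$root/proc/net/tcp}
    found=0

    # File indicators. The article prints the second path without a leading
    # slash; treating it as /var/spool/uucp/uucico is an assumption.
    for f in /usr/lib/idle.so /var/spool/uucp/uucico; do
        if [ -e "$root$f" ]; then
            echo "FILE $f"
            found=1
        fi
    done

    # Listener indicator: local port in hex (field 2), socket state 0A = LISTEN.
    port_hex=$(printf '%04X' "$TRINITY_PORT")
    if [ -r "$proc_tcp" ] && awk -v p="$port_hex" '
            NR > 1 { n = split($2, a, ":"); if (toupper(a[n]) == p && $4 == "0A") hit = 1 }
            END { exit !hit }' "$proc_tcp"; then
        echo "LISTEN tcp/$TRINITY_PORT"
        found=1
    fi

    return $found
}
```

A clean result only means these three indicators are absent; a host that was already compromised may hide files and sockets from tools running on it, so checking a mounted disk image via `ROOT` is more reliable than checking the live system.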