Security Incidents mailing list archives

Rooted, new DDoS also


From: Philip Champon <pchampon () GONK VALUEWEB NET>
Date: Thu, 30 Nov 2000 14:06:15 -0500

On Nov 26, 2000 06:02 EST, a box of ours was rooted via in.ftpd. The most
interesting thing about this is the daemon he left behind. I searched all of
the archives on securityfocus and packetstorm and nothing on this has turned
up... the daemon is spsiod. Here are the signs:


udp port 3214 is active

a file with the following properties
         /var/spool/spsiod exists and is executable
         MD5 sum 6c530ee2f9ec80ace17c4cd50b455d9d
         a process by the name of spsiod running
         the owner of the process is an illegitimate user (ours was #54323)

An entry at the bottom of /etc/rc.d/rc.local (on redhat and va linux)
         /var/spool/spsiod

The following logs were zeroed out
        /var/log/spooler
        /var/log/httpd/access_log
        /var/log/httpd/access_log.1
        /var/log/xferlog
        /var/log/xferlog
        /var/log/spooler.1
        /var/log/spooler.1
        /var/log/boot.log.1
        /var/log/boot.log.1
        /var/log/xferlog.1
        /var/log/xferlog.1
        /var/log/spooler.2
        /var/log/spooler.2

The last 4 lines of the string binary are:
     Hi! If you are reading this, you have string finding skills so must be trying
     to figure out how my toy works, and who wrote it. Well I remain Anonymous..
     The most advanced DDoS daemon to date.. should have a cool name..
     How about.. SmallPenisSyndrome.. lets see you say that on the news!

More info (binary, md5 sum of said binary etc) is available at:
http://www.phess.org/spsiod/index.html


--
Philip Champon Valueweb Developer
Ph - 954-334-8156
Em - pchampon () valueweb net
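A host check for the indicators listed in the post above, added here as an example and not part of the original message or of any tool the poster used. The MD5 and the udp port are the ones reported; the root parameter (so the check can run against a mounted image), the subset of log paths, and the /proc parsing are my own construction.

```python
import hashlib, os, re

KNOWN_MD5 = "6c530ee2f9ec80ace17c4cd50b455d9d"      # hash reported in the post
UDP_PORT = 3214                                      # udp port reported in the post
ZEROED_LOGS = ["var/log/spooler", "var/log/httpd/access_log",   # subset of the
               "var/log/xferlog", "var/log/boot.log.1"]         # post's zeroed logs

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def udp_ports(root):
    """Local UDP ports from <root>/proc/net/udp (hex port after the colon)."""
    try:
        with open(os.path.join(root, "proc/net/udp")) as f:
            return {int(l.split()[1].rsplit(":", 1)[1], 16) for l in list(f)[1:]}
    except OSError:
        return set()

def process_names(root):
    """Process names read from <root>/proc/<pid>/comm."""
    names, proc = set(), os.path.join(root, "proc")
    for pid in (os.listdir(proc) if os.path.isdir(proc) else []):
        try:
            if pid.isdigit():
                names.add(open(os.path.join(proc, pid, "comm")).read().strip())
        except OSError:
            pass
    return names

def check_host(root="/"):
    """Return the matched indicators as strings; an empty list means none matched."""
    findings, d = [], os.path.join(root, "var/spool/spsiod")
    if os.path.isfile(d):
        findings.append("file present" + (" and executable" if os.access(d, os.X_OK) else ""))
        if md5_of(d) == KNOWN_MD5:
            findings.append("md5 matches reported sample")
    rc = os.path.join(root, "etc/rc.d/rc.local")
    if os.path.isfile(rc) and re.search(r"^\s*/var/spool/spsiod\s*$", open(rc).read(), re.M):
        findings.append("rc.local starts /var/spool/spsiod")
    if "spsiod" in process_names(root):
        findings.append("spsiod process running")
    if UDP_PORT in udp_ports(root):
        findings.append("udp/%d open" % UDP_PORT)
    zeroed = [p for p in ZEROED_LOGS if os.path.isfile(os.path.join(root, p))
              and os.path.getsize(os.path.join(root, p)) == 0]
    if zeroed:
        findings.append("zero-length logs: " + ", ".join(zeroed))
    return findings
```

On a running host the process and port readings come from /proc and can be concealed by a kernel-level rootkit, so the file, rc.local and log checks are more trustworthy when run against the disk mounted from clean media.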

