Security Incidents mailing list archives

Re: DoS Trojan on Solaris


From: rmueller () UU NET (Ross Mueller)
Date: Wed, 2 Feb 2000 16:01:02 -0500


Most likely statd/ttdbserverd weren't trojaned, just replaced with
patched versions, hence the reason that sizes and checksums were
different.....

..ross
0x75,0x75,0x6e,0x65,0x74

On Wed, 2 Feb 2000, Roderick Padilla wrote:

We received e-mail from an Admin in Brazil saying that one of his routers
was under a DoS attack from one of my Solaris 2.6 boxes.

We found a process called "milk" was running which was doing the DoS. The
IP that was targeted was the one that we were told about. There was also
another instance of "milk" that was running and targeting another IP from
Brazil's backbone networks.

It was discovered that the following programs had trojan replacements:
/usr/lib/nfs/lockd
/usr/lib/nfs/statd
/usr/openwin/bin/rpc.ttdbserverd
/usr/bin/login
/usr/bin/ps
/usr/bin/inetd
/usr/sbin/in.rlogind
/usr/sbin/login

Although some of the timestamps for these programs had been forged, they
all shared a creation time within one second, so we assume this was when
the break-in occurred. We had another break-in in another non-related
department on the same day that had many of the same fingerprints, so it is
likely they were done by the same person(s).

The trojan for /usr/lib/nfs/lockd was listening on port 20000. There was an
active connection from an IP to that port at the time our security person
began looking at the box, so it is possible this is where the hacker came
from (or at least was the last place he came in from).

/usr/ccs/... contained some programs that were his sniffer, DoS attacker,
etc. The users of our Solaris box rebooted every couple of days because it
would get very slow. We now know the lockd process respawning the DoS
program (which used up lots of CPU) was slowing it down.

Anybody with info on this please? Thanks!

Roderick Padilla                      Office: (404) 651-3832
Systems & Network Administrator       Fax:    (404) 651-3842
http://www.cis.gsu.edu/~rpadilla      Email:  rpadilla () gsu edu

Department of Computer Information Systems
J. Mack Robinson College of Business
Georgia State University
PO Box 4015
Atlanta, Georgia, USA  30302-4015
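An added example, not from either poster, of the two checks this thread turns on: comparing each binary's size and hash against a known-good baseline (where a mismatch is only a lead, since a vendor patch changes both too), then grouping the changed files by inode change time to see which were replaced in one sweep. It assumes the "creation time" above means st_ctime; all file contents, hashes and timestamps below are constructed.

```python
import hashlib

def fp(content: bytes):
    """(size, sha256) of a constructed file body."""
    return len(content), hashlib.sha256(content).hexdigest()

# Constructed baseline: values taken from install media or vendor patch
# manifests, never from the suspect host itself.
BASELINE = {
    "/usr/lib/nfs/lockd": fp(b"lockd v1"),
    "/usr/lib/nfs/statd": fp(b"statd v1"),
    "/usr/openwin/bin/rpc.ttdbserverd": fp(b"ttdbserverd v1"),
    "/usr/bin/ps": fp(b"ps v1"),
    "/usr/bin/inetd": fp(b"inetd v1"),
}
T = 949400000.0  # constructed epoch time of the suspected break-in

def seen(content: bytes, ctime: float):
    return {"fp": fp(content), "ctime": ctime}

# Constructed observation: three binaries swapped in one sweep, two daemons
# legitimately patched days earlier (a changed checksum alone proves nothing).
OBSERVED = {
    "/usr/lib/nfs/lockd": seen(b"lockd trojan", T + 0.2),
    "/usr/lib/nfs/statd": seen(b"statd v2", T - 259200),
    "/usr/openwin/bin/rpc.ttdbserverd": seen(b"ttdb v2", T - 259200 + 0.5),
    "/usr/bin/ps": seen(b"ps trojan", T + 0.9),
    "/usr/bin/inetd": seen(b"inetd trojan", T + 0.4),
}

def find_mismatches(baseline=BASELINE, observed=OBSERVED):
    """Paths whose observed size or hash differs from the baseline."""
    return sorted(p for p, f in baseline.items()
                  if p not in observed or observed[p]["fp"] != f)

def cluster_by_ctime(paths, observed=OBSERVED, window=1.0):
    """Group paths whose ctime lies within `window` seconds of the group's
    first member. The kernel sets ctime on every inode change; unlike mtime
    it cannot be back-dated with utime()/touch, so forged dates do not hide it."""
    groups, start = [], None
    for p in sorted(paths, key=lambda p: observed[p]["ctime"]):
        t = observed[p]["ctime"]
        if start is None or t - start > window:
            groups.append([])
            start = t
        groups[-1].append(p)
    return groups

for g in cluster_by_ctime(find_mismatches()):
    print(len(g), "file(s) changed within one second:", g)
```

In practice the baseline comes from the vendor's package and patch manifests, so a file that matches a newer patch level drops out of the suspect set before any clustering.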