Security Incidents mailing list archives
Re: DoS Trojan on Solaris
From: rmueller () UU NET (Ross Mueller)
Date: Wed, 2 Feb 2000 16:01:02 -0500
Most likely statd/ttdbserverd weren't trojaned, just replaced with patched versions, hence the reason that sizes and checksums were different.....

..ross
0x75,0x75,0x6e,0x65,0x74

On Wed, 2 Feb 2000, Roderick Padilla wrote:

> We received e-mail from an Admin in Brazil saying that one of his routers was under a DoS attack from one of my Solaris 2.6 boxes. We found a process called "milk" was running which was doing the DoS. The IP that was targeted was the one that we were told about. There was also another instance of "milk" that was running and targeting another IP from Brazil's backbone networks.
>
> It was discovered that the following programs had trojan replacements:
>
> /usr/lib/nfs/lockd
> /usr/lib/nfs/statd
> /usr/openwin/bin/rpc.ttdbserverd
> /usr/bin/login
> /usr/bin/ps
> /usr/bin/inetd
> /usr/sbin/in.rlogind
> /usr/sbin/login
>
> Although some of the timestamps for these programs had been forged, they all shared a creation time within one second, so we assume this was when the break-in occurred. We had another break-in in another non-related department on the same day that had many of the same fingerprints, so it is likely they were done by the same person(s).
>
> The trojan for /usr/lib/nfs/lockd was listening on port 20000. There was an active connection from an IP to that port at the time our security person began looking at the box, so it is possible this is where the hacker came from (or at least was the last place he came in from). /usr/ccs/... contained some programs that were his sniffer, DoS attacker, etc.
>
> The users of our Solaris box rebooted every couple of days because it would get very slow. We now know the lockd process respawning the DoS program (which used up lots of CPU) was slowing it down.
>
> Anybody with info on this please? Thanks!
>
> Roderick Padilla
> Systems & Network Administrator
> Department of Computer Information Systems
> J. Mack Robinson College of Business
> Georgia State University
> PO Box 4015, Atlanta, Georgia, USA 30302-4015
> Office: (404) 651-3832   Fax: (404) 651-3842
> http://www.cis.gsu.edu/~rpadilla   Email: rpadilla () gsu edu
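An added example, not part of either message in this thread: a small Python check in the spirit of the two observations above, comparing binaries against a known-good baseline (so a patched-but-legitimate replacement shows up as a size/checksum mismatch to be explained) and then grouping the mismatches by inode change time, since ctime cannot be set with touch(1) the way mtime can. The paths are the ones named in the post; the baseline hashes, sizes and timestamps are constructed for the demo, and `stat_file` is the hook for running it against a real filesystem with a baseline taken from install media.

```python
import hashlib
import os
from collections import namedtuple

FileRecord = namedtuple("FileRecord", "path size sha256 ctime")

def stat_file(path):
    """Build a FileRecord from a real file: size, SHA-256 and inode ctime."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return FileRecord(path, st.st_size, digest, st.st_ctime)

def find_modified(records, baseline):
    """Records whose (size, hash) differ from the baseline or are not in it."""
    flagged = []
    for rec in records:
        expected = baseline.get(rec.path)
        if expected is None or expected != (rec.size, rec.sha256):
            flagged.append(rec)
    return flagged

def cluster_by_ctime(records, window=1.0):
    """Group records whose ctimes lie within `window` seconds; a tight cluster
    across unrelated binaries suggests they were dropped in one go."""
    clusters, current = [], []
    for rec in sorted(records, key=lambda r: r.ctime):
        if current and rec.ctime - current[0].ctime > window:
            clusters.append(current)
            current = []
        current.append(rec)
    if current:
        clusters.append(current)
    return [c for c in clusters if len(c) > 1]

# Constructed sample data: sizes, hashes and ctimes are made up for the demo.
BASELINE = {
    "/usr/lib/nfs/lockd": (57344, "h-lockd-good"),
    "/usr/lib/nfs/statd": (40960, "h-statd-good"),
    "/usr/bin/ps": (28672, "h-ps-good"),
    "/usr/bin/ls": (20480, "h-ls-good"),
    "/usr/sbin/in.rlogind": (16384, "h-rlogind-good"),
}
SAMPLE = [
    FileRecord("/usr/lib/nfs/lockd", 61440, "h-lockd-bad", 949500000.3),
    FileRecord("/usr/lib/nfs/statd", 40960, "h-statd-bad", 949500000.9),
    FileRecord("/usr/bin/ps", 28672, "h-ps-bad", 949500000.5),
    FileRecord("/usr/bin/ls", 20480, "h-ls-good", 930000000.0),
    FileRecord("/usr/sbin/in.rlogind", 16384, "h-rlogind-bad", 949500000.1),
]
```

Running `cluster_by_ctime(find_modified(SAMPLE, BASELINE))` returns one group of four binaries whose ctimes fall inside a single second, while the untouched /usr/bin/ls is left out; a mismatch with no ctime neighbours is more likely a vendor patch, which is the distinction Ross draws above.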
Current thread:
- Re: probe backs? was Re: [INCIDENTS] Korea Rob Quinn (Jan 31)
- <Possible follow-ups>
- Re: probe backs? was Re: [INCIDENTS] Korea Matthew Pemble (Feb 01)
- Re: probe backs? was Re: [INCIDENTS] Korea Pavel Kankovsky (Feb 02)
- DoS Trojan on Solaris Roderick Padilla (Feb 02)
- Re: DoS Trojan on Solaris Ross Mueller (Feb 02)
- Re: DoS Trojan on Solaris David Brumley (Feb 02)
- Interesting Probe Rick Magill (Feb 03)
- Re: DoS Trojan on Solaris Dave Dittrich (Feb 03)
- Re: DoS Trojan on Solaris Data_surge (Feb 04)
- Re: DoS Trojan on Solaris Ross Mueller (Feb 03)
- Compromised... Steve Logan (Feb 07)
- Re: Compromised... David Bernick (Feb 07)
- Re: Compromised... Japheth (Feb 07)
- Re: Compromised... Simon Britnell (Feb 08)
- Re: Compromised... technot (Feb 09)