find_ddos results

[Karl Malivuk <kmalivuk () UNM EDU>]

Security Focus;
I am new to UNIX/Linux and just brought my first Linux box online. I am
using it as a test machine before bringing up as a production host. I just
received and installed find_ddos this morning and got the log listed below.
I sent a copy to our campus security director who suggested I contact you.
Where do I go from here?
Thanks
Karl


---------- Forwarded Message ----------
Date: Monday, November 13, 2000, 12:31 PM -0700
From: "David Grisham CIRT Security Admin." <dave () unm edu>
To: root <kmalivuk () unm edu>
Subject: Re: find_ddos

I really don't know.  The people at incidents@security focus.com can
help.  Subscribe and ask them or write to dsig () unm edu.  Cheers.-grish

On Mon, 13 Nov 2000, root wrote:

> David;
> I just now installed find_ddos, ran it, and was presented with the
> following log:
>
>
> Log started for cfatest at Mon Nov 13 11:47:49 2000
>
> Scanning running processes:
>
> /proc/23043/exe:
>  identified as: stacheldraht daemon
>  with no symbol table
>  with the following differences:
>   missing string: Error sending syn packet.
>   missing string: nohup ./%s
>   missing string: rcp %s@%s:sol.bin %s
>   missing string: rm -rf %s
>   missing string: sicken
>   missing string: ttymon
>  IP address found: 3.3.3.3 (spoofed address)
>  Grabbing: /proc/23043/exe
>   to: /usr/local/find_ddos/files/23043
>
> Scanning "/tmp":
> Scanning "/":
>
> Log finished Mon Nov 13 11:50:32 2000
>
>
>
> Sadly, I'm still too ignorant to know what to do about it. Should I
> simply delete this or should I be doing an additional corrective
> measure?
> Thanks
> Karl

Karl Malivuk
Sr LAN Administrator,
College of Fine Arts
University of New Mexico