Security Incidents mailing list archives

Re: find_ddos results


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Wed, 15 Nov 2000 12:59:00 -0800

David;
I just now installed find_ddos, ran it, and was presented with the
following log:

Scanning running processes:

/proc/23043/exe:
 identified as: stacheldraht daemon
 with no symbol table
 with the following differences:
  missing string: Error sending syn packet.
  missing string: nohup ./%s
  missing string: rcp %s@%s:sol.bin %s
  missing string: rm -rf %s
  missing string: sicken
  missing string: ttymon
 IP address found: 3.3.3.3 (spoofed address)
 Grabbing: /proc/23043/exe
  to: /usr/local/find_ddos/files/23043
. . .
Sadly, I'm still too ignorant to know what to do about it. Should I
simply delete this or should I be doing an additional corrective
measure?

Karl,

You are the proud father of a stacheldraht DDoS agent!  I have a
thorough technical analysis of this tool, plus a write-up on the
forensic steps necessary to preserve evidence and dig out what happened
on your system.  If you can identify the handler of this network by
monitoring network traffic to/from it, you can also help shut down
an entire DDoS network!

        http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
        http://staff.washington.edu/dittrich/misc/forensics/

The most important thing to do is get a "dd" image backup of the system
before doing anything else, just to preserve what evidence is left
on the system hard drive.

P.S.  If you just delete it, you have done basically nothing.  You still
have a hole in the OS that was exploited to get in, the owner still has
dozens or hundreds more systems they can attack with, and you will lose
part of the information about a larger incident.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
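As an added example (not part of the list post, and not code from find_ddos itself), a small Python parser for the report format quoted above: it pulls out the PID, the identified tool, the strings that differ from the reference binary, the path of the copy find_ddos preserved, and the reported addresses, and leaves addresses the tool flags as spoofed out of the list worth watching when trying to identify the handler. The sample report and the dict field names are constructed for the example.

```python
import re

# Constructed sample, in the shape of the find_ddos report quoted above.
SAMPLE_REPORT = """Scanning running processes:

/proc/23043/exe:
 identified as: stacheldraht daemon
 with the following differences:
  missing string: Error sending syn packet.
 IP address found: 3.3.3.3 (spoofed address)
 Grabbing: /proc/23043/exe
  to: /usr/local/find_ddos/files/23043
"""

def parse_find_ddos(report):
    """Return one dict per '/proc/<pid>/exe:' block of a find_ddos report."""
    findings, cur = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and line.startswith("/") and line.endswith(":"):
            pid = re.match(r"/proc/(\d+)/", line)   # unindented path line opens a block
            cur = {"path": line[:-1], "pid": int(pid.group(1)) if pid else None,
                   "tool": "", "missing_strings": [], "ips": [], "evidence_copy": ""}
            findings.append(cur)
        elif cur is None:
            continue                                # header text before the first block
        elif line.startswith("identified as:"):
            cur["tool"] = line.split(":", 1)[1].strip()
        elif line.startswith("missing string:"):
            cur["missing_strings"].append(line.split(":", 1)[1].strip())
        elif line.startswith("IP address found:"):
            m = re.match(r"IP address found:\s*(\S+)\s*(?:\((.*)\))?", line)
            cur["ips"].append((m.group(1), m.group(2) or ""))   # (address, note)
        elif line.startswith("to:"):
            cur["evidence_copy"] = line.split(":", 1)[1].strip()
    return findings

def triage(findings):
    """One row per agent for the incident record: what ran, where find_ddos kept a
    copy, and which addresses to watch for handler traffic (spoofed ones excluded)."""
    return [{
        "pid": f["pid"],
        "tool": f["tool"],
        "differences_from_reference": len(f["missing_strings"]),
        "evidence_copy": f["evidence_copy"],
        "watch_addresses": [ip for ip, note in f["ips"] if "spoof" not in note],
    } for f in findings]
```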
