Security Incidents mailing list archives
Re: find_ddos results
From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Wed, 15 Nov 2000 12:59:00 -0800
David;

I just now installed find_ddos, ran it, and was presented with the following log:

Scanning running processes:
/proc/23043/exe: identified as:
  stacheldraht daemon with no symbol table
  with the following differences:
    missing string: Error sending syn packet.
    missing string: nohup ./%s
    missing string: rcp %s@%s:sol.bin %s
    missing string: rm -rf %s
    missing string: sicken
    missing string: ttymon
  IP address found: 3.3.3.3 (spoofed address)
Grabbing: /proc/23043/exe to: /usr/local/find_ddos/files/23043
. . .

Sadly, I'm still too ignorant to know what to do about it. Should I simply delete this or should I be doing an additional corrective measure?
Karl,

You are the proud father of a stacheldraht DDoS agent!

I have a thorough technical analysis of this tool, plus a write-up on the forensic steps necessary to preserve evidence and dig out what happened on your system. If you can identify the handler of this network by monitoring network traffic to/from it, you can also help shut down an entire DDoS network!

http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
http://staff.washington.edu/dittrich/misc/forensics/

The most important thing to do is get a "dd" image backup of the system before doing anything else, just to preserve what evidence is left on the system hard drive.

P.S. If you just delete it, you have done basically nothing. You still have a hole in the OS that was exploited to get in, the owner still has dozens or hundreds more systems they can attack with, and you will lose part of the information about a larger incident.

--
Dave Dittrich                          Computing & Communications
dittrich () cac washington edu          Client Services
http://staff.washington.edu/dittrich   University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
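The two preservation steps Dave's reply calls for, copying the suspect process's state out of /proc while the box is still up and taking a hashed "dd" image before anything else is touched, as an added shell example. It is not code from the original thread, from find_ddos, or from Dave's forensics write-up. PID 23043 is the one in Karl's find_ddos log; /dev/hda and /mnt/evidence are placeholder paths for the real disk and a separate evidence volume.

```shell
#!/bin/sh
# Added example, not code from the original thread or from find_ddos.
# Two evidence-preservation steps for a host that find_ddos has flagged:
#   1. copy the suspect process's binary and volatile state out of /proc
#      while the host is still up (the daemon's file on disk may be gone);
#   2. take a dd image of the disk and hash source and image so the copy
#      can later be shown to be unaltered.
# Assumptions: PID 23043 is taken from Karl's log; /dev/hda and
# /mnt/evidence are placeholders for the real device and a separate
# evidence disk (never write the image onto the disk being imaged).

set -u

# preserve_proc PID EVIDENCE_DIR
# Copies what /proc exposes about a running process: the mapped binary,
# command line, environment, memory map, working directory and open fds
# (the fd listing is where the agent's sockets show up).
preserve_proc() {
    pid=$1
    out="$2/proc-$pid"
    mkdir -p "$out"
    cp "/proc/$pid/exe" "$out/exe" 2>/dev/null || echo "exe not readable" >"$out/exe.err"
    for f in cmdline environ status maps; do
        cat "/proc/$pid/$f" >"$out/$f" 2>/dev/null || :
    done
    readlink "/proc/$pid/cwd" >"$out/cwd" 2>/dev/null || :
    ls -l "/proc/$pid/fd" >"$out/fd" 2>/dev/null || :
}

# acquire_image SRC DST
# Images SRC (a block device or a file) into DST, then hashes both.
# conv=noerror,sync keeps dd going past unreadable sectors and pads them
# with NULs so later offsets stay aligned; bs=512 matches the sector size,
# so a whole-disk image is not padded and its hash equals the source's.
# Prints the SHA-1 and returns 0 only if the two digests agree.
acquire_image() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.dd.log" || return 1
    src_sum=$(sha1sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha1sum "$dst" | cut -d' ' -f1)
    {
        echo "source: $src"
        echo "image:  $dst"
        echo "sha1:   $dst_sum"
        echo "taken:  $(date -u)"
    } >"$dst.sha1.txt"
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "hash mismatch: image does not match source" >&2
        return 2
    fi
    echo "$src_sum"
}

# Offline demonstration: a constructed 4096-byte file stands in for the
# disk, so the imaging step runs without root or a real device.
demo_acquire() {
    tmp=$(mktemp -d)
    yes 'constructed sample sector data' | head -c 4096 >"$tmp/disk"
    sum=$(acquire_image "$tmp/disk" "$tmp/disk.img") || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    echo "$sum"
}

# On the compromised host itself the order would be (paths assumed):
#   preserve_proc 23043 /mnt/evidence
#   tcpdump -n -w /mnt/evidence/agent.pcap host <this host's IP>   # in the background,
#                                                                  # to catch handler traffic
#   acquire_image /dev/hda /mnt/evidence/hda.img
```

The hash file written next to the image is what lets you later show the copy was not altered; keep it and the dd log with the image. Killing the process or deleting /usr/local/find_ddos/files/23043 before this is done throws away the /proc state that names the handler.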
Current thread:
- find_ddos results Karl Malivuk (Nov 16)
- Re: find_ddos results Dave Dittrich (Nov 17)
- Re: find_ddos results Ryan Russell (Nov 17)
- Re: find_ddos results J C Lawrence (Nov 21)
- Re: find_ddos results Ryan Russell (Nov 22)
- Re: find_ddos results Valdis Kletnieks (Nov 24)
- Re: find_ddos results Jose Nazario (Nov 24)
- Re: find_ddos results J C Lawrence (Nov 21)
- Re: find_ddos results Jose Nazario (Nov 17)
- Re: find_ddos results Christophe Dubois (Nov 17)
- Re: find_ddos results Dave Dittrich (Nov 18)
- <Possible follow-ups>
- Re: find_ddos results Karl Malivuk (Nov 17)