Security Incidents mailing list archives
Re: find_ddos results
From: Karl Malivuk <kmalivuk () UNM EDU>
Date: Wed, 15 Nov 2000 14:42:44 -0700
Matt, and all the other wonderful folks who took the time to respond; I thank you deeply and have already arranged to hire a consultant to take the box down, clean it and bring it up as a safer host. I am the first to admit I have a lot to learn and hope to someday return the favor(s) to others.

Karl

--On Wednesday, November 15, 2000, 4:32 PM -0500 Matt Stockdale <mstockda () dti net> wrote:

If someone actually has gotten a ddos tool onto your box, it's likely there was a root compromise.. do a little more investigation, but before you stick this machine on the network as a production host you'll want to reformat and re-install, taking care to be secure.. Remember to disable all unneeded services and apply all updates from your linux distribution vendor.

Matt

On Wed, Nov 15, 2000 at 08:45:27AM -0700, Karl Malivuk wrote:

Security Focus; I am new to UNIX/Linux and just brought my first Linux box online. I am using it as a test machine before bringing it up as a production host. I just received and installed find_ddos this morning and got the log listed below. I sent a copy to our campus security director who suggested I contact you. Where do I go from here?

Thanks
Karl

---------- Forwarded Message ----------
Date: Monday, November 13, 2000, 12:31 PM -0700
From: "David Grisham CIRT Security Admin." <dave () unm edu>
To: root <kmalivuk () unm edu>
Subject: Re: find_ddos

I really don't know. The people at incidents@security focus.com can help. Subscribe and ask them or write to dsig () unm edu.

Cheers.
-grish

On Mon, 13 Nov 2000, root wrote:

David; I just now installed find_ddos, ran it, and was presented with the following log:

Log started for cfatest at Mon Nov 13 11:47:49 2000
Scanning running processes:
/proc/23043/exe: identified as: stacheldraht daemon with no symbol table with the following differences:
missing string: Error sending syn packet.
missing string: nohup ./%s
missing string: rcp %s@%s:sol.bin %s
missing string: rm -rf %s
missing string: sicken
missing string: ttymon
IP address found: 3.3.3.3 (spoofed address)
Grabbing: /proc/23043/exe to: /usr/local/find_ddos/files/23043
Scanning "/tmp":
Scanning "/":
Log finished Mon Nov 13 11:50:32 2000

Sadly, I'm still too ignorant to know what to do about it. Should I simply delete this or should I be doing an additional corrective measure?

Thanks
Karl

Karl Malivuk Sr LAN Administrator, College of Fine Arts University of New Mexico
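An added example, not part of the thread or of find_ddos itself: a small Python parser for the find_ddos log format quoted above. It groups each "identified as" detection with the "missing string", "IP address found" and "Grabbing" lines that follow it, so an investigator has in one record which process was implicated and where find_ddos preserved the binary. The sample log is the one from the message above; the Finding fields and function name are my own.

```python
import re
from dataclasses import dataclass, field

# Sample input: the find_ddos log quoted in the thread above, one entry per line.
SAMPLE_LOG = """Log started for cfatest at Mon Nov 13 11:47:49 2000
Scanning running processes:
/proc/23043/exe: identified as: stacheldraht daemon with no symbol table with the following differences:
missing string: Error sending syn packet.
missing string: nohup ./%s
missing string: rcp %s@%s:sol.bin %s
missing string: rm -rf %s
missing string: sicken
missing string: ttymon
IP address found: 3.3.3.3 (spoofed address)
Grabbing: /proc/23043/exe to: /usr/local/find_ddos/files/23043
Scanning "/tmp":
Scanning "/":
Log finished Mon Nov 13 11:50:32 2000
"""

@dataclass
class Finding:  # record type assumed for this example
    path: str                 # file find_ddos matched, e.g. /proc/<pid>/exe
    tool: str                 # signature name it reported
    missing_strings: list = field(default_factory=list)  # strings the reference sample has but this binary lacks
    ips: list = field(default_factory=list)              # (address, note) pairs found inside the binary
    copied_to: str = None     # where find_ddos preserved a copy for later analysis

    @property
    def pid(self):
        m = re.match(r"/proc/(\d+)/", self.path)
        return int(m.group(1)) if m else None

def parse_find_ddos(text):
    """Return one Finding per 'identified as' line, with its detail lines attached."""
    findings, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^(\S+): identified as: (.+?)(?: with the following differences:)?$", line)
        if m:
            cur = Finding(path=m.group(1), tool=m.group(2))
            findings.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first detection
        if line.startswith("missing string: "):
            cur.missing_strings.append(line[len("missing string: "):])
        elif (m := re.match(r"^IP address found: (\S+)(?: \((.*)\))?$", line)):
            cur.ips.append((m.group(1), m.group(2)))
        elif (m := re.match(r"^Grabbing: \S+ to: (\S+)$", line)):
            cur.copied_to = m.group(1)
        elif line.startswith("Scanning "):
            cur = None  # a new scan section closes the current detection's detail block
    return findings
```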
Current thread:
- find_ddos results Karl Malivuk (Nov 16)
- Re: find_ddos results Dave Dittrich (Nov 17)
- Re: find_ddos results Ryan Russell (Nov 17)
- Re: find_ddos results J C Lawrence (Nov 21)
- Re: find_ddos results Ryan Russell (Nov 22)
- Re: find_ddos results Valdis Kletnieks (Nov 24)
- Re: find_ddos results Jose Nazario (Nov 24)
- Re: find_ddos results J C Lawrence (Nov 21)
- Re: find_ddos results Jose Nazario (Nov 17)
- Re: find_ddos results Christophe Dubois (Nov 17)
- Re: find_ddos results Dave Dittrich (Nov 18)
- <Possible follow-ups>
- Re: find_ddos results Karl Malivuk (Nov 17)