Re: find_ddos results

[Karl Malivuk <kmalivuk () UNM EDU>]

Matt, and all the other wonderful folks who took the time to respond;
I thank you deeply and have already arranged to hire a consultant to take
the box down, clean it and bring it up as a safer host. I am the first to
admit I have a lot to learn and hope to someday return the favor(s) to
others.
Karl


--On Wednesday, November 15, 2000, 4:32 PM -0500 Matt Stockdale
<mstockda () dti net> wrote:

> If someone actually has gotten a ddos tool onto your box, it's likely
> there was a root compromise.. do a little more investigation, but before
> you stick this machine on the network as a production host you'll want to
> reformat and re-install, taking care to be secure.. Remember to disable
> all unneded services and apply all updated from your linux distribution
> vendor.
>
> Matt
>
> On Wed, Nov 15, 2000 at 08:45:27AM -0700, Karl Malivuk wrote:
> > Security Focus;
> > I am new to UNIX/Linux and just brought my first Linux box online. I am
> > using it as a test machine before bringing up as a production host. I
> > just received and installed find_ddos this morning and got the log
> > listed below. I sent a copy to our campus security director who
> > suggested I contact you. Where do I go from here?
> > Thanks
> > Karl
> >
> >
> > ---------- Forwarded Message ----------
> > Date: Monday, November 13, 2000, 12:31 PM -0700
> > From: "David Grisham CIRT Security Admin." <dave () unm edu>
> > To: root <kmalivuk () unm edu>
> > Subject: Re: find_ddos
> >
> > I really don't know.  The people at incidents@security focus.com can
> > help.  Subscribe and ask them or write to dsig () unm edu.  Cheers.-grish
> >
> > On Mon, 13 Nov 2000, root wrote:
> >
> > > David;
> > > I just now installed find_ddos, ran it, and was presented with the
> > > following log:
> > >
> > >
> > > Log started for cfatest at Mon Nov 13 11:47:49 2000
> > >
> > > Scanning running processes:
> > >
> > > /proc/23043/exe:
> > >  identified as: stacheldraht daemon
> > >  with no symbol table
> > >  with the following differences:
> > >   missing string: Error sending syn packet.
> > >   missing string: nohup ./%s
> > >   missing string: rcp %s@%s:sol.bin %s
> > >   missing string: rm -rf %s
> > >   missing string: sicken
> > >   missing string: ttymon
> > >  IP address found: 3.3.3.3 (spoofed address)
> > >  Grabbing: /proc/23043/exe
> > >   to: /usr/local/find_ddos/files/23043
> > >
> > > Scanning "/tmp":
> > > Scanning "/":
> > >
> > > Log finished Mon Nov 13 11:50:32 2000
> > >
> > >
> > >
> > > Sadly, I'm still too ignorant to know what to do about it. Should I
> > > simply delete this or should I be doing an additional corrective
> > > measure?
> > > Thanks
> > > Karl
> >
> > Karl Malivuk
> > Sr LAN Administrator,
> > College of Fine Arts
> > University of New Mexico



Karl Malivuk
Sr LAN Administrator,
College of Fine Arts
University of New Mexico