Security Incidents mailing list archives

Re: find_ddos results


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Thu, 16 Nov 2000 11:38:50 -0800

Chris,

> The Stacheldraht daemon (leaf) appears not to be configured to work
> (because the Stacheldraht master IP is 3.3.3.3).

I'm sorry, but that is *not* the Stacheldraht master IP.  That is used
to tell if source address forgery is being prevented by egress
filtering.  See:

        http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt

> Well, we have seen a lot of such daemons on compromised boxes which
> were not configured too. Each time, it appeared to be part of the
> t0rnkit.

Just because t0rnkit includes stacheldraht doesn't mean that *any time*
you find a stacheldraht agent that t0rnkit is also in place.  Probable,
yes, but not 100%.  I regularly find stacheldraht installed by itself,
sometimes without even having a rootkit of any kind in place.  (The
t0rnkit is just really popular right now.)

> The default installation path of the t0rnkit is
> /usr/src/.puta. Perhaps you should have a look there. However, you
> can find the t0rnkit path with the 'strings' command. Simply try:
> strings /bin/netstat | more
> then read the line below 'Fred Baumgarten'. You will find the config
> file for the t0rnkit netstat (and should find plenty of other files
> there).

That is a good check for *defaults*, but clever attackers will change
defaults to trick the admin (and they usually succeed).  I've already
seen at least one that doesn't include the .puta directory.  Remember -
more skilled attackers change their tactics as defenders catch on.

> I expect at least a trojaned sshd listening on a high port, and maybe
> a 'leeto's socket daemon' listening on port 510/tcp or 511/tcp (it is
> a file usually named /usr/sbin/in.inetd).

Again, that is common, but not always there.  I would agree, but
randomly looking for the signature of a number of individuals/groups is
not a very efficient way to do a search, and if there is no backup made,
you will tromp all over the file system and the intruder will likely see
you looking for them before you see them.  It's better to run "nmap" from
outside to see what is listening, then use "netstat" and "lsof" from
inside to see if things match.  Freeze the scene and get an image backup
(to analyze a copy, not the original) as soon as possible after you have
confirmation that the system has been compromised, then use tools like
The Coroner's Toolkit to quickly identify what is on the box.  See:

        http://staff.washington.edu/dittrich/misc/forensics/
        http://staff.washington.edu/dittrich/misc/faq/rootkits.faq

Remember.  If you just give up and re-format/re-install, several things
are guaranteed:

1).  You don't know how they got in, so if you put the system back on
line the same way, you WILL be broken into again.

2).  If you just take out one DDoS agent in a network of 100 systems,
you've done NOTHING to prevent that network from being used to DoS
the hell out of someone else (that someone else could very easily
be YOU at some point, so apply the Golden Rule.)

3).  If you don't preserve a copy of the disc, you can't go back
and dig much useful information out later on, e.g., when law enforcement
finds out that your system was involved in a big attack and they want
to investigate.

The more people who don't just let these things slip through the cracks,
the more secure we'll all be in the e-future.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
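
An added example (not from Dave's mail) of the outside/inside cross-check he describes: the TCP ports nmap reports open from another host are compared with what netstat admits to on the box, so a listener the local netstat hides shows up as a discrepancy to confirm with lsof. Both sample outputs are constructed; 22/tcp and 511/tcp are ports from the thread, 33333/tcp is a made-up high port.

```shell
#!/bin/sh
# Constructed sample of nmap grepable output (-oG -) taken from an outside host.
NMAP_OUT='Host: 192.0.2.10 () Ports: 22/open/tcp//ssh///, 511/open/tcp//unknown///, 33333/open/tcp//unknown///'

# Constructed sample of "netstat -tln" run on the box itself. A trojaned
# netstat simply omits the lines for the ports its config file tells it to hide.
NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN'

# TCP ports nmap reports as open, one per line (tabs and commas become separators).
nmap_tcp_ports() {
  printf '%s\n' "$1" | tr ',\t' '\n ' |
    sed -n 's#.* \([0-9][0-9]*\)/open/tcp/.*#\1#p' | sort -u
}

# TCP ports netstat reports in LISTEN state: the last ":"-separated field of
# "Local Address", which also works for IPv6 forms such as ":::22".
netstat_tcp_ports() {
  printf '%s\n' "$1" |
    awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -u
}

# Ports seen from outside that the local netstat does not list. Each one is a
# candidate hidden listener; check it with "lsof -i" before imaging the disk.
external_only() {
  { nmap_tcp_ports "$1" | sed 's/^/E /'; netstat_tcp_ports "$2" | sed 's/^/I /'; } |
    awk '$1 == "I" { inside[$2] = 1; next }
         $1 == "E" { ext[$2] = 1 }
         END { for (p in ext) if (!(p in inside)) print p }' | sort -n
}

# With the constructed samples this prints 511 and 33333.
external_only "$NMAP_OUT" "$NETSTAT_OUT"
```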
