Security Incidents mailing list archives
Re: find_ddos results
From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Thu, 16 Nov 2000 11:38:50 -0800
Chris,
> The Stacheldraht daemon (leaf) appears not to be configured to work (because the Stacheldraht master IP is 3.3.3.3).
I'm sorry, but that is *not* the Stacheldraht master IP. That is used to tell if source address forgery is being prevented by egress filtering. See: http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
> Well, we have seen a lot of such daemons on compromised boxes which were not configured either. Each time, it appeared to be part of the t0rnkit.
Just because t0rnkit includes stacheldraht doesn't mean that *any time* you find a stacheldraht agent that t0rnkit is also in place. Probable, yes, but not 100%. I regularly find stacheldraht installed by itself, sometimes without even having a rootkit of any kind in place. (The t0rnkit is just really popular right now.)
> The default installation path of the t0rnkit is /usr/src/.puta. Perhaps you should have a look there. However, you can find the t0rnkit path with the 'strings' command. Simply try:
>
>     strings /bin/netstat | more
>
> then read the line below 'Fred Baumgarten'. You will find the config file for the t0rnkit netstat (and should find plenty of other files there).
That is a good check for *defaults*, but clever attackers will change defaults to trick the admin (and they usually succeed). I've already seen at least one that doesn't include the .puta directory. Remember - more skilled attackers change their tactics as defenders catch on.
> I expect at least a trojaned sshd listening on a high port, and maybe a 'leeto's socket daemon' listening on port 510/tcp or 511/tcp (it is a file usually named /usr/sbin/in.inetd).
Again, that is common, but not always there. I would agree, but randomly looking for the signature of a number of individuals/groups is not a very efficient way to do a search, and if there is no backup made, you will tromp all over the file system and the intruder will likely see you looking for them before you see them.

It's better to run "nmap" from outside to see what is listening, then use "netstat" and "lsof" from inside to see if things match. Freeze the scene and get an image backup (to analyze a copy, not the original) as soon as possible after you have confirmation that the system has been compromised, then use tools like The Coroner's Toolkit to quickly identify what is on the box. See:

http://staff.washington.edu/dittrich/misc/forensics/
http://staff.washington.edu/dittrich/misc/faq/rootkits.faq

Remember. If you just give up and re-format/re-install, several things are guaranteed:

1). You don't know how they got in, so if you put the system back on line the same way, you WILL be broken into again.

2). If you just take out one DDoS agent in a network of 100 systems, you've done NOTHING to prevent that network from being used to DoS the hell out of someone else (that someone else could very easily be YOU at some point, so apply the Golden Rule.)

3). If you don't preserve a copy of the disc, you can't go back and dig much useful information out later on, e.g., when law enforcement finds out that your system was involved in a big attack and they want to investigate.

The more people who don't just let these things slip through the cracks, the more secure we'll all be in the e-future.

-- 
Dave Dittrich                         Computing & Communications
dittrich () cac washington edu        Client Services
http://staff.washington.edu/dittrich  University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
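The outside-versus-inside comparison Dittrich recommends above (nmap from another host, netstat from the suspect box, then look for ports that only the external view shows) can be scripted so the check is repeatable and does not depend on eyeballing two listings. The script below is an added example written for this archive page; it is not code from the thread or from any of the tools mentioned. It parses saved output files rather than running the tools itself, and the two sample listings it creates are constructed for illustration (192.0.2.10 and the port set are invented). A port that the external scan reports open but that the local netstat never lists is exactly the signature of a trojaned netstat hiding a backdoor listener.

```shell
#!/bin/sh
# Compare an external nmap scan of a host with the netstat -an listing taken on
# that host. Ports open from outside but absent from the inside view are
# candidates for listeners hidden by a trojaned netstat.
# Input files are plain saved output: "nmap <host> > outside.txt" run elsewhere,
# "netstat -an > inside.txt" run on the suspect machine.

# ports_from_nmap FILE -> sorted unique "port/proto" lines for ports nmap shows
# as open (lines like "22/tcp   open  ssh"); filtered/closed lines are skipped.
ports_from_nmap() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1 }' "$1" | sort -u
}

# ports_from_netstat FILE -> sorted unique "port/proto" lines for listening
# sockets in netstat -an output: tcp lines in LISTEN state, and every udp line
# (udp has no state column). The port is the last ":"-separated field of the
# local address, which also copes with IPv6 addresses.
ports_from_netstat() {
    awk '($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ {
            n = split($4, a, ":"); port = a[n]
            proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
            print port "/" proto
         }' "$1" | sort -u
}

# hidden_ports NMAP_FILE NETSTAT_FILE -> ports seen open from outside that the
# inside listing does not report (set difference via comm on the sorted lists).
hidden_ports() {
    outside=$(mktemp) || return 1
    inside=$(mktemp) || return 1
    ports_from_nmap "$1" > "$outside"
    ports_from_netstat "$2" > "$inside"
    comm -23 "$outside" "$inside"
    rm -f "$outside" "$inside"
}

# --- constructed sample input (not real scan data) ---------------------------
# External view: a scan that also finds a high-port sshd and a 510/tcp listener.
NMAP_SAMPLE=$(mktemp)
cat > "$NMAP_SAMPLE" <<'EOF'
Interesting ports on victim.example (192.0.2.10):
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
510/tcp  open     unknown
2222/tcp open     unknown
EOF

# Inside view: the (trojaned) netstat on the box never shows 510 or 2222.
NETSTAT_SAMPLE=$(mktemp)
cat > "$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.5:40122      ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF

# Usage: hidden_ports outside.txt inside.txt
# On the sample data this prints 2222/tcp and 510/tcp, the two listeners the
# local netstat is concealing.
hidden_ports "$NMAP_SAMPLE" "$NETSTAT_SAMPLE"
```

Run the external scan from a machine you trust, and take the inside listing with a netstat binary copied from clean media (or with lsof -i, whose output you can feed through a similar parser) rather than the one on the suspect host; the script only tells you where the two views disagree, which is the cue to image the disk before touching anything else.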
Current thread:
- find_ddos results Karl Malivuk (Nov 16)
- Re: find_ddos results Dave Dittrich (Nov 17)
- Re: find_ddos results Ryan Russell (Nov 17)
- Re: find_ddos results J C Lawrence (Nov 21)
- Re: find_ddos results Ryan Russell (Nov 22)
- Re: find_ddos results Valdis Kletnieks (Nov 24)
- Re: find_ddos results Jose Nazario (Nov 24)
- Re: find_ddos results J C Lawrence (Nov 21)
- Re: find_ddos results Jose Nazario (Nov 17)
- Re: find_ddos results Christophe Dubois (Nov 17)
- Re: find_ddos results Dave Dittrich (Nov 18)
- <Possible follow-ups>
- Re: find_ddos results Karl Malivuk (Nov 17)