Re: dtspcd probes toward Solaris machines

[Lance Spitzner <lance () honeynet org>]

On Thu, 17 Jan 2002, Scott Fendley wrote:

> Greetings everyone.  My apologies for the cross post, but I am doing
> research presently on the dtspcd vulnerability that affects Solaris (and
> other venders) running CDE.
>
> I have now recorded a successful intrusion on a computer on my network that
> appears to be related to this vulnerability.  I also showed yesterday that
> I had a host involving a customer of Verio's that probed a handful of
> machines closer to my office hitting 6112/tcp.

The Honeynet Project has released the network capture of the
dtspcd attack.  This is the same information that was sent to
CERT for their analysis, and is the same data that was used
to develop the advisory.  It is hoped that this information can
help organizations better identify these attacks.  We do not
have the actual exploit tool used in the attack.

> 1) Does anyone have a snort/tcpdump trace of the exploit that I can look at
> and analyze?

You can find the attack capture at the Honeynet Project site:

   http://project.honeynet.org/scans/dtspcd/dtspcd.txt


> 4)  Have any of you seen a DoS being generated after the computer is exploited?

Yes, the attacker returned six days later and attempted to use the
honeypot as a DoS base.  He used the tool 'juno', a SYN flooder that
creates spoofed loopback packets.

Hope this helps!

lance



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com