Security Incidents mailing list archives
Re: dtspcd probes toward Solaris machines
From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Fri, 18 Jan 2002 13:10:36 -0500
We recently had the same situation. Three machines across campus were compromised with the dtspcd exploit, and the attacker later used the machines to launch a DoS that completely filled up our pipe. The IDS (snort) detected the intrusion as "SHELLCODE sparc NOOP" destined for port 6112. It looked something like this (wrapped): 01/16-20:31:19.725157 [**] [1:645:2] SHELLCODE sparc NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 202.214.78.93:3787 -> x.x.x.x:6112 The actual contents of the exploit itself are identical to the one listed at http://project.honeynet.org/scans/dtspcd/dtspcd.txt. On Friday 18 January 2002 11:55 am, Lance Spitzner wrote:
On Thu, 17 Jan 2002, Scott Fendley wrote:Greetings everyone. My apologies for the cross post, but I am doing research presently on the dtspcd vulnerability that affects Solaris (and other venders) running CDE. I have now recorded a successful intrusion on a computer on my network that appears to be related to this vulnerability. I also showed yesterday that I had a host involving a customer of Verio's that probed a handful of machines closer to my office hitting 6112/tcp.The Honeynet Project has released the network capture of the dtspcd attack. This is the same information that was sent to CERT for their analysis, and is the same data that was used to develop the advisory. It is hoped that this information can help organizations better identify these attacks. We do not have the actual exploit tool used in the attack.1) Does anyone have a snort/tcpdump trace of the exploit that I can look at and analyze?You can find the attack capture at the Honeynet Project site: http://project.honeynet.org/scans/dtspcd/dtspcd.txt4) Have any of you seen a DoS being generated after the computer is exploited?Yes, the attacker returned six days later and attempted to use the honeypot as a DoS base. He used the tool 'juno', a SYN flooder that creates spoofed loopback packets. Hope this helps! lance --------------------------------------------------------------------- ------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-- Nathan W. Labadie | ab0781 () wayne edu Sr. Security Specialist | 313/577.2126 Wayne State University | 313/577.1338 fax C&IT Information Security Office: http://security.wayne.edu ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- dtspcd probes toward Solaris machines Scott Fendley (Jan 17)
- RE: dtspcd probes toward Solaris machines James C. Slora Jr. (Jan 18)
- Re: dtspcd probes toward Solaris machines Skip Carter (Jan 18)
- Re: dtspcd probes toward Solaris machines Lance Spitzner (Jan 18)
- Re: dtspcd probes toward Solaris machines Nathan W. Labadie (Jan 18)
- RE: dtspcd probes toward Solaris machines James C. Slora Jr. (Jan 18)