Re: dtspcd probes toward Solaris machines

["Nathan W. Labadie" <ab0781 () wayne edu>]

We recently had the same situation. Three machines across campus were 
compromised with the dtspcd exploit, and the attacker later used the 
machines to launch a DoS that completely filled up our pipe.

The IDS (snort) detected the intrusion as "SHELLCODE sparc NOOP" 
destined for port 6112. It looked something like this (wrapped):

01/16-20:31:19.725157  [**] [1:645:2] SHELLCODE sparc NOOP [**] 
[Classification: Executable code was detected] [Priority: 1] {TCP} 
202.214.78.93:3787 -> x.x.x.x:6112

The actual contents of the exploit itself are identical to the one 
listed at http://project.honeynet.org/scans/dtspcd/dtspcd.txt.

On Friday 18 January 2002 11:55 am, Lance Spitzner wrote:
> On Thu, 17 Jan 2002, Scott Fendley wrote:
> > Greetings everyone.  My apologies for the cross post, but I am
> > doing research presently on the dtspcd vulnerability that affects
> > Solaris (and other venders) running CDE.
> >
> > I have now recorded a successful intrusion on a computer on my
> > network that appears to be related to this vulnerability.  I also
> > showed yesterday that I had a host involving a customer of Verio's
> > that probed a handful of machines closer to my office hitting
> > 6112/tcp.
>
> The Honeynet Project has released the network capture of the
> dtspcd attack.  This is the same information that was sent to
> CERT for their analysis, and is the same data that was used
> to develop the advisory.  It is hoped that this information can
> help organizations better identify these attacks.  We do not
> have the actual exploit tool used in the attack.
>
> > 1) Does anyone have a snort/tcpdump trace of the exploit that I can
> > look at and analyze?
>
> You can find the attack capture at the Honeynet Project site:
>
>    http://project.honeynet.org/scans/dtspcd/dtspcd.txt
>
> > 4)  Have any of you seen a DoS being generated after the computer
> > is exploited?
>
> Yes, the attacker returned six days later and attempted to use the
> honeypot as a DoS base.  He used the tool 'juno', a SYN flooder that
> creates spoofed loopback packets.
>
> Hope this helps!
>
> lance
>
>
>
> ---------------------------------------------------------------------
> ------- This list is provided by the SecurityFocus ARIS analyzer
> service. For more information on this free incident handling,
> management and tracking system please see:
> http://aris.securityfocus.com

-- 
Nathan W. Labadie       | ab0781 () wayne edu   
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com