Re: Cark & snmpXdmid

From: Alfred Huger (ahat_private)
Date: Thu Apr 19 2001 - 07:18:15 PDT


    >One thing I am desperately curious about...the four IP addresses listed
    >in the anonymously-provided information.  I'm wondering if it's the same
    >four or if someone has a distributed network in place for the purpose of
    >building other distributed networks.  Also, how closely-tied are the four
    >events in terms of time...
    
    
    The answer I received was:
    
    The master servers/handlers were not part of the system compromise or
    carko installation.
    
    Each attack segment was conducted by a different IP and domain, from
    different geographical areas, with no apparent relation.
    
    >Also, how closely-tied are the four events in terms of time...
    
    These 4 events happened within a 20 hour period.
    
    
    Time X: scan for port 111 from host A.
    
    Multiple scans of same networks from multiple IP's in the same 1-hour
    period, but RPC scanning is relatively common, so it might be
    unrelated to carko.  Looks like noisy and fast SYN scan.
    
    
    X + 4.5 hours: access of portmapper from host B.
    
    Host B accesses portmapper several times, presumably to determine
    running RPC services.  Traffic only to target hosts.  Subsequent DNS
    reverse lookups.  No other apparent traffic to other hosts or
    services.
    
    Portmapper access occurred about 10 minutes before exploit.
    
    
    X + 4.6 hours: snmpXdmid exploit, back door access from host C.
    
    10 minutes later, host C exploits vulnerability after single RPC
    access (to get port number?)  Subsequent access to 32xxx port, typical
    RPC location.  Subsequently accesses port 530 within seconds.
    snmpXdmid on victim later found running on a different port than the
    one that was accessed by host C, and host C's port is gone -
    indication of initial crash from exploit followed by restart?
    
    
    X + 7.5 hours: back door logins from host D, rcp of td/carko binary
    from victim to host E, start of carko process - but quiet.
    
    Confirmation of carko start time based on running process info.
    
    
    X + 18.5 hours: DDoS command sent to victim/agent, source unknown but
    assumed to be master
    
    Intrusion rather noticeable at this time.
    
    
    
    
    VP Engineering
    SecurityFocus.com
    "Vae Victis"
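As an added example (not part of the original post or the reply quoted in it), a small correlation check over connection records for the sequence the timeline describes: one source touching portmapper (111), then a 32xxx RPC port, then port 530 on the same victim within a short window, plus any other host that probed portmapper on that victim shortly before (the host B / host C pattern). The flow records, host labels, timestamps and the 60-second and 15-minute windows are constructed assumptions.

```python
"""Correlate portmapper -> 32xxx RPC port -> port 530 from one source."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: (timestamp, source, destination, dst port).
# Hosts B and C mirror the roles in the timeline; Z is unrelated noise.
SAMPLE_FLOWS = [
    ("2001-04-17T01:00:05", "B", "victim", 111),
    ("2001-04-17T01:00:09", "B", "victim", 111),
    ("2001-04-17T01:10:02", "C", "victim", 111),
    ("2001-04-17T01:10:04", "C", "victim", 32775),
    ("2001-04-17T01:10:07", "C", "victim", 530),
    ("2001-04-17T01:12:00", "Z", "victim", 80),
]

def parse(flows):
    """Turn ISO timestamps into datetimes; keep the rest of the tuple."""
    return [(datetime.fromisoformat(ts), src, dst, port)
            for ts, src, dst, port in flows]

def find_rpc_exploit_chains(flows, window=timedelta(seconds=60)):
    """Return (src, dst, portmap_time) for each source that hit port 111,
    then a 32xxx port, then port 530 on the same destination within window."""
    by_pair = defaultdict(list)
    for t, src, dst, port in parse(flows):
        by_pair[(src, dst)].append((t, port))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, p0) in enumerate(events):
            if p0 != 111:
                continue
            seen_high = False
            for t, p in events[i + 1:]:
                if t - t0 > window:
                    break
                if 32768 <= p <= 32999:      # the "32xxx" range from the post
                    seen_high = True
                elif p == 530 and seen_high:  # port 530 only after the RPC port
                    hits.append((src, dst, t0.isoformat()))
                    break
    return hits

def find_prior_portmap_probes(flows, chains, lookback=timedelta(minutes=15)):
    """For each chain, list other sources that queried portmapper on the same
    destination during the lookback before the exploit chain began."""
    parsed = parse(flows)
    out = {}
    for src, dst, t0s in chains:
        t0 = datetime.fromisoformat(t0s)
        out[(src, dst)] = sorted({s for t, s, d, p in parsed
                                  if d == dst and p == 111 and s != src
                                  and t0 - lookback <= t < t0})
    return out
```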
    