Re: Cark & snmpXdmid

From: Alfred Huger (ahat_private)
Date: Thu Apr 19 2001 - 07:18:15 PDT

Next message: Alfred Huger: "Increase in RPC Port scans (portmap probes)"

Previous message: Jeff Kell: "Strange sendmail IDS triggers"
Maybe in reply to: Alfred Huger: "Cark & snmpXdmid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>One thing I am desperately curious about...the four IP addresses listed
>in the anonymously-provided information.  I'm wondering if it's the same
>four or if someone has a distributed network in place for the purpose of
>building other distributed networks.  Also, how closely-tied are the four
>events in terms of time...


The answer I recieved was:

The master servers/handlers were not part of the system compromise or
carko installation.

Each attack segment was conducted by a different IP and domain, from
different geographical areas, with no apparent relation.

>Also, how closely-tied are the four events in terms of time...

These 4 events happened within a 20 hour period.


Time X: scan for port 111 from host A.

Multiple scans of same networks from multiple IP's in the same 1-hour
period, but RPC scanning is relatively common, so it might be
unrelated to carko.  Looks like noisy and fast SYN scan.


X + 4.5 hours: access of portmapper from host B.

Host B accesses portmapper several times, presumably to determine
running RPC services.  Traffic only to target hosts.  Subsequent DNS
reverse lookups.  No other apparent traffic to other hosts or
services.

Portmapper access occurred about 10 minutes before exploit.


X + 4.6 hours: snmpXdmid exploit, back door access from host C.

10 minutes later, host C exploits vulnerability after single RPC
access (to get port number?)  Subsequent access to 32xxx port, typical
RPC location.  Subsequently accesses port 530 within seconds.
snmpXdmid on victim later found running on a different port than the
one that was accessed by host C, and host C's port is gone -
indication of initial crash from exploit followed by restart?


X + 7.5 hours: back door logins from host D, rcp of td/carko binary
from victim to host E, start of carko process - but quiet.

Confirmation of carko start time based on running process info.


X + 18.5 hours: DDoS command sent to victim/agent, source unknown but
assumed to be master

Intrusion rather noticeable at this time.




VP Engineering
SecurityFocus.com
"Vae Victis"

Next message: Alfred Huger: "Increase in RPC Port scans (portmap probes)"
Previous message: Jeff Kell: "Strange sendmail IDS triggers"
Maybe in reply to: Alfred Huger: "Cark & snmpXdmid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 07:21:40 PDT