> One thing I am desperately curious about...the four IP addresses listed
> in the anonymously-provided information. I'm wondering if it's the same
> four or if someone has a distributed network in place for the purpose of
> building other distributed networks. Also, how closely-tied are the four
> events in terms of time...

The answer I received was:

The master servers/handlers were not part of the system compromise or
carko installation. Each attack segment was conducted by a different IP
and domain, from different geographical areas, with no apparent relation.

> Also, how closely-tied are the four events in terms of time...

These 4 events happened within a 20 hour period.

Time X: scan for port 111 from host A.
    Multiple scans of the same networks from multiple IPs in the same
    1-hour period, but RPC scanning is relatively common, so it might be
    unrelated to carko. Looks like a noisy and fast SYN scan.

X + 4.5 hours: access of portmapper from host B.
    Host B accesses portmapper several times, presumably to determine
    running RPC services. Traffic only to target hosts. Subsequent DNS
    reverse lookups. No other apparent traffic to other hosts or services.
    Portmapper access occurred about 10 minutes before the exploit.

X + 4.6 hours: snmpXdmid exploit, back door access from host C.
    10 minutes later, host C exploits the vulnerability after a single RPC
    access (to get the port number?). Subsequent access to a 32xxx port,
    typical RPC location. Subsequently accesses port 530 within seconds.
    snmpXdmid on the victim was later found running on a different port
    than the one that was accessed by host C, and host C's port is gone -
    indication of an initial crash from the exploit followed by a restart?

X + 7.5 hours: back door logins from host D, rcp of td/carko binary from
    the victim to host E, start of the carko process - but quiet.
    Confirmation of carko start time based on running process info.

X + 18.5 hours: DDoS command sent to victim/agent, source unknown but
    assumed to be the master.
    Intrusion rather noticeable at this time.
VP Engineering SecurityFocus.com "Vae Victis"
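The staged sequence in the reply above (a port 111 sweep, a portmapper query, a connection to a 32xxx RPC port from the same source, then port 530 within seconds) is the kind of pattern that can be pulled out of connection logs hours before the DDoS traffic makes the intrusion obvious. The following is an added example, not code from the original post or its author: it correlates constructed flow-log records into those stages. The log format, hosts, timestamps, the 32768-32999 bounds used for the "32xxx" dynamic RPC range, and the 10-minute and 30-second windows are all assumptions chosen to mirror the timeline, not values from the post.

```python
"""Correlate connection-log records into the RPC compromise stages the
post describes. Added example; the format, hosts and windows are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one record per line: "timestamp src dst dport".
# Hosts A (10.1.1.5), B (10.2.2.8), C (10.3.3.9), D (10.4.4.2) are made up.
SAMPLE_LOG = """\
2001-04-10T02:00:00 10.1.1.5 192.0.2.10 111
2001-04-10T02:00:00 10.1.1.5 192.0.2.11 111
2001-04-10T02:00:01 10.1.1.5 192.0.2.12 111
2001-04-10T06:30:00 10.2.2.8 192.0.2.10 111
2001-04-10T06:30:02 10.2.2.8 192.0.2.10 111
2001-04-10T06:35:00 10.3.3.9 192.0.2.10 111
2001-04-10T06:35:04 10.3.3.9 192.0.2.10 32780
2001-04-10T06:35:06 10.3.3.9 192.0.2.10 530
2001-04-10T09:30:00 10.4.4.2 192.0.2.10 530
"""

PORTMAPPER = 111
RPC_DYNAMIC = range(32768, 33000)   # assumed bounds for the "32xxx" range
PIVOT_WINDOW = timedelta(minutes=10)  # portmapper query -> RPC port connect
FOLLOWUP_WINDOW = timedelta(seconds=30)  # RPC port connect -> port 530
SWEEP_MIN_TARGETS = 3                 # distinct hosts before we call it a sweep


def parse_log(text):
    """Parse 'timestamp src dst dport' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    events.sort()
    return events


def find_port111_sweeps(events):
    """Sources that probed port 111 on at least SWEEP_MIN_TARGETS hosts
    (the noisy SYN scan stage; common, so low confidence on its own)."""
    targets = defaultdict(set)
    for _, src, dst, dport in events:
        if dport == PORTMAPPER:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= SWEEP_MIN_TARGETS)


def find_rpc_pivots(events):
    """A portmapper query followed, from the same source to the same target
    within PIVOT_WINDOW, by a connection to a dynamic RPC port: the single
    RPC access then 32xxx access attributed to host C. Each finding also
    records whether port 530 was hit within FOLLOWUP_WINDOW afterwards.
    Returns (src, dst, rpc_port, followed_by_530) tuples."""
    last_pmap = {}
    findings = []
    for ts, src, dst, dport in events:
        key = (src, dst)
        if dport == PORTMAPPER:
            last_pmap[key] = ts
        elif (dport in RPC_DYNAMIC and key in last_pmap
              and ts - last_pmap[key] <= PIVOT_WINDOW):
            followed = any(
                s == src and d == dst and p == 530 and ts < t <= ts + FOLLOWUP_WINDOW
                for t, s, d, p in events)
            findings.append((src, dst, dport, followed))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port 111 sweeps from:", find_port111_sweeps(evs))
    for src, dst, port, f530 in find_rpc_pivots(evs):
        print(f"RPC pivot {src} -> {dst}:{port}, port 530 follow-up: {f530}")
```

The sweep check alone is not worth alerting on, as the reply itself notes that RPC scanning is common; the pivot from a portmapper query to a dynamic RPC port on the same target within minutes, especially with the port 530 follow-up, is the sequence that separates host C's activity from background noise.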
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 07:21:40 PDT