W2K UDP Based DDoS Trojan

From: Daniel G. Epstein (depsteinat_private)
Date: Tue Aug 07 2001 - 18:57:55 PDT


    Hey all,
    
    We're seeing a small number of Windows 2000/IIS5 machines launching a UDP-
    based DDoS against several sites.  The machines all seem to be receiving 
    brief instructions on UDP 1080 and then launching the attacks.  Inspection 
    of the system reveals the file C:\WINNT\System32\leaf2k.exe and a registry 
    entry, 
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BrowserSave:REG_SZ:C:\WINNT\System32\leaf2k.exe 
    (or, in one case, "BrowserSave:REG_SZ:leaf2k").  Running netstat, killing 
    the leaf2k.exe process, and rerunning netstat confirms that it is the one 
    opening UDP 1080.  Further, killing the process also stops the DoS, so I'm 
    pretty sure we have found the culprit.
    
    Neither our network flow logs nor the IIS logs show an obvious compromise, 
    and we don't have sufficient Eventlog information from the compromised 
    machines to reliably check any other vectors of infection.  It seems as if 
    the file creation times are on the morning of 2001.07.11.  Is anyone else 
    seeing this sort of thing?  Any ideas?
    
    Cheers,
    
    Dan
    
    
    A boast of "I have been's,"   | Daniel G. Epstein
    quoted from foolscap tomes,   | Network Security Officer,
    is a shadow brushed away      | Network Security & Enterprise
    by an acorn from an oak tree, |  Network Systems Administration
    or a salmon in a pool.        | NSIT, The University of Chicago
                                   | depsteinat_private
    
    For PGP key see http://security.uchicago.edu/centerinfo/pgpkeys.shtml
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
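As an added defender's example (not code from Dan's post or the list), a Python check for the indicators he describes: a Run entry named BrowserSave or pointing at leaf2k.exe (covering both the full-path form and the bare "leaf2k" variant), and a UDP 1080 listener in netstat -an output. The Run-key dictionary and netstat text below are constructed samples; collecting them live (winreg, subprocess) is assumed and not shown.

```python
"""Check a host for the leaf2k.exe indicators from the report (added example)."""
import re
from typing import Dict, List

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
C2_PORT = 1080  # UDP port the trojan listens on for its instructions


def check_run_entries(entries: Dict[str, str]) -> List[str]:
    """Flag Run values named BrowserSave or whose executable is leaf2k(.exe).
    Handles both forms in the report: a full path and a bare 'leaf2k'."""
    hits = []
    for name, value in entries.items():
        exe = value.strip().strip('"').lower()
        basename = exe.replace("/", "\\").split("\\")[-1]
        if name.lower() == "browsersave" or basename in ("leaf2k", "leaf2k.exe"):
            hits.append(f"{RUN_KEY}\\{name} = {value}")
    return hits


def check_udp_listeners(netstat_output: str, port: int = C2_PORT) -> List[str]:
    """Return 'netstat -an' UDP lines whose local address ends in :<port>."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].upper() == "UDP":
            m = re.search(r":(\d+)$", fields[1])  # e.g. 0.0.0.0:1080
            if m and int(m.group(1)) == port:
                hits.append(line.strip())
    return hits


def assess(entries: Dict[str, str], netstat_output: str) -> Dict[str, List[str]]:
    """Combine both checks; an empty list for a key means that indicator is absent."""
    return {"run_key": check_run_entries(entries),
            "udp_listeners": check_udp_listeners(netstat_output)}


# Constructed sample data mirroring the report, not captured from a real host.
SAMPLE_RUN = {
    "BrowserSave": r"C:\WINNT\System32\leaf2k.exe",
    "Synchronization Manager": "mobsync.exe /logon",
}
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1080           *:*
  UDP    127.0.0.1:1032         *:*
"""

if __name__ == "__main__":
    for kind, hits in assess(SAMPLE_RUN, SAMPLE_NETSTAT).items():
        print(kind, hits or "none")
```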
    