Re: Possible DDos Network Creation with ssh crc exploit

From: Jose Nazario (joseat_private)
Date: Tue Nov 13 2001 - 16:14:55 PST


    On 13 Nov 2001, Mike Grantham wrote:
    
    > Conclusion:
    >   While I have not had time to disassemble these
    > binaries or test to see what they do
    >   I suspect someone is setting up a DDoS network, I
    > also suspect that a script has done this
    >   due to the file times being all within the same minute.
    
    aside from the carko binary you found, do you have any other evidence that
    it's a DDoS ring? is this a terminal node or a staging node? you found only
    binaries, so it was probably a terminal node. however, if someone has a
    rootkit that sends carko along (or someone stole some tools and carko was
    one of 'em) then that's a possibly invalid conclusion.
    
    > If anyone would like to have a look at these files
    > please email me and I will send them to you.
    
    i am interested, specifically in a dd of the drive. we'll chat more
    offline if you want to pursue this. bear in mind your site policies may
    prevent you from sharing data with outsiders, so check as appropriate.
    
    good luck, and thanks for the heads up.
    
    ____________________________
    jose nazario                                        joseat_private
    PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
    PGP key ID 0xFD37F4E5 (pgp.mit.edu)
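The "dd of the drive" Jose asks for is the standard way to preserve a compromised host for analysis: a bit-for-bit copy taken before anything else is touched, with a digest recorded so the image can later be shown to match the original. The script below is an added example and is not part of either post on this thread; it assumes a POSIX shell plus GNU coreutils (`dd`, `sha256sum`, `head`, `yes`), and the 8192-byte "evidence" file it images is constructed in a temporary directory so the run is self-contained. On a real system the source would be the block device itself (never a mounted, writable filesystem) and the image would go to separate storage.

```shell
#!/bin/sh
# Added example (not from the list post): image a source with dd, record a
# SHA-256 of source and image, and refuse to trust the image unless the two
# digests match. Paths here are constructed for a dry run; on a real system
# SRC is the block device (e.g. /dev/sdb, a constructed placeholder) and DST
# a file on separate storage.

set -u

# image_and_verify SRC DST
#   Copies SRC to DST with dd. conv=noerror,sync keeps going past read errors
#   and pads the unreadable block with zeros so later offsets stay aligned.
#   dd's own record counts go to DST.dd.log (an examiner keeps those).
#   Writes DST.source.sha256 and DST.sha256, returns 0 only if they agree.
#   Caveat: sync pads a final partial block, so a plain file whose size is
#   not a multiple of bs will not hash the same as its image; block devices
#   are always a whole number of sectors, so this does not arise there.
image_and_verify() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>"$dst.dd.log" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf '%s  %s\n' "$src_hash" "$src" > "$dst.source.sha256"
    printf '%s  %s\n' "$dst_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# make_sample DIR
#   Writes a constructed 8192-byte "disk" (two 4096-byte blocks) standing in
#   for the real device, and prints its path.
make_sample() {
    dir=$1
    yes 'constructed evidence block for the dd example' | head -c 8192 > "$dir/evidence.img"
    printf '%s\n' "$dir/evidence.img"
}

# Stand-alone demo: image the constructed sample into a temporary directory.
work=$(mktemp -d)
sample=$(make_sample "$work")
if image_and_verify "$sample" "$work/evidence.dd"; then
    echo "image verified: $(cat "$work/evidence.dd.sha256")"
else
    echo "digest mismatch, do not rely on this image" >&2
fi
rm -rf "$work"
```

The digest files and the dd log are what you hand over with the image: whoever receives it can re-run `sha256sum -c` against the image and know it is the same bytes that left the compromised host.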
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 16:16:31 PST