Hi Michi

Being also located in Switzerland, I just wanted to let you know that we did not have any problems with a DDoS; but we did also have a problem with a SuSE 6.2 Linux box which was also owned through the SSH hole.

The system was scanned around 15:40 (Dec 18, CET) and attacked and entered around 22:10. The attacker left quite a few files (and log entries :-)) and two e-mails which didn't make it out of our gateway (to lostlov3at_private and tcplogat_private). He made a directory /mc, apparently with a rootkit in a file "lamerk.tar.gz". Its install script shows that it replaced a few commands and installed an HTTP backdoor (alya.cgi). Separately, in /etc/claudiu/scanssh the tool "scanssh" was installed. Around 03:30 (Dec 19, CET) the system received a couple of large ICMP packets and started the scanssh on a big block of systems.

---

I pulled together the logs along with most of the files (scanssh was erased by a trigger-happy admin :-)), if anyone is interested.

I've filed a complaint with the ISPs mentioned in the logs; is there anything else I need to do (besides clean/replace the system)? Is there some place I could get more information about the kits involved here?

Thanks
John Mueller
=======================================================
SOFTplus Entwicklungen GmbH - Software fuer Therapien
Laettichstrasse 8 / CH-6340 Baar / Switzerland
Tel. 041/763 32 32 Fax: 041/763 30 90
www.softplus.net
=======================================================

> -----Original Message-----
> From: michiat_private [mailto:michiat_private]
> Sent: Thursday, December 20, 2001 6:12 PM
> To: incidentsat_private
> Subject: DDoS Attacks to several Networks (Switzerland)
>
>
> Hello there,
>
> Tuesday we had a DDoS coming from 500 different sources. It was a
> "tcp-packet-flood" to unprivileged ports. The DDoS took our network down
> for 2 hours. I called our ISP to block some IPs which had been spammed
> with these packets. There wasn't any scheme in the source IPs; it looked like
> they were spoofed, 500 different hosts are a lot. At the same time two
> networks of friends (all in Switzerland) were DDoSed also, with the
> same scheme.
> One friend reported that at the same time one box which was running an old
> version of ssh was owned, or probably owned by the same guy who did the
> DDoS.
> I think the "attacker" has found the IPs to attack on IRC. The attacks
> started from 2pm until 5pm (CET).
>
> Greetings
>
> Michi
> -------------------------------------------------
> DIGICOMP AG
> Michi Zaugg
> Network & Security
> Limmatstr. 50
> 8005 Zuerich
>
> mailto: michiat_private
> mob: +41 (0) 79 245 75 34
> tel: +41 (0) 1 447 21 46
> fax: +41 (0) 1 447 21 51
> -------------------------------------------------
> - we're the dot in .digicomp
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
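A defender-side illustration of the sequence John describes (inbound SSH scan, a later login from the same source, oversized ICMP, then an outbound scanssh run), added here as an example that is not part of this thread. The log lines, host name "box" and addresses are constructed, and the regexes assume tcp-wrapper/sshd/kernel-style syslog messages rather than the actual log format from the compromised system.

```python
import re
from collections import Counter

# Constructed sample syslog lines (RFC 5737 documentation addresses,
# hypothetical host "box"); the message formats are assumed, not taken
# from the post.
SAMPLE_LOG = """\
Dec 18 15:40:01 box sshd[411]: connect from 192.0.2.10
Dec 18 15:40:02 box sshd[412]: connect from 192.0.2.10
Dec 18 15:40:02 box sshd[413]: connect from 192.0.2.10
Dec 18 16:02:10 box sshd[440]: connect from 192.0.2.55
Dec 18 22:10:07 box sshd[590]: Accepted password for root from 192.0.2.10
Dec 19 03:30:15 box kernel: ICMP echo from 198.51.100.7 length 1400
Dec 19 03:31:00 box scanssh[771]: connect to 203.0.113.1 port 22
Dec 19 03:31:00 box scanssh[772]: connect to 203.0.113.2 port 22
Dec 19 03:31:01 box scanssh[773]: connect to 203.0.113.3 port 22
"""

INBOUND = re.compile(r"sshd\[\d+\]: connect from (\S+)")
LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
ICMP = re.compile(r"ICMP \S+ from (\S+) length (\d+)")
OUTBOUND = re.compile(r"connect to (\S+) port 22")


def find_indicators(log, scan_min=3, icmp_max=1000):
    """Return the four indicators from the post as a dict.

    scan_min: inbound sshd connects from one source before it counts as a scan.
    icmp_max: ICMP length above which a packet is reported as oversized.
    """
    inbound = Counter()
    logins, icmp, outbound = [], [], set()
    for line in log.splitlines():
        if m := INBOUND.search(line):
            inbound[m.group(1)] += 1
        elif m := LOGIN.search(line):
            logins.append((m.group(1), m.group(2)))
        elif m := ICMP.search(line):
            if int(m.group(2)) > icmp_max:
                icmp.append((m.group(1), int(m.group(2))))
        elif m := OUTBOUND.search(line):
            outbound.add(m.group(1))
    scanners = {src for src, n in inbound.items() if n >= scan_min}
    return {
        "scan_sources": sorted(scanners),           # the 15:40 scan
        "logins_after_scan": [l for l in logins if l[1] in scanners],  # 22:10 entry
        "large_icmp": icmp,                         # the 03:30 trigger packets
        "outbound_ssh_targets": len(outbound),      # distinct scanssh targets
    }
```

A non-empty "logins_after_scan" together with a jump in "outbound_ssh_targets" is the combination worth paging on; either one alone is common noise.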
This archive was generated by hypermail 2b30 : Fri Dec 21 2001 - 08:24:31 PST