dtspcd probes toward Solaris machines

From: Scott Fendley (scottfat_private)
Date: Thu Jan 17 2002 - 15:48:21 PST

Next message: measlat_private: "Re: Unusual DNS requests (not related to previous DNS thread)"

Previous message: Mike Healy: "RE: Comcast.net abuse contact?"
Next in thread: James C. Slora Jr.: "RE: dtspcd probes toward Solaris machines"
Reply: James C. Slora Jr.: "RE: dtspcd probes toward Solaris machines"
Reply: Lance Spitzner: "Re: dtspcd probes toward Solaris machines"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings everyone.  My apologies for the cross post, but I am doing 
research presently on the dtspcd vulnerability that affects Solaris (and 
other venders) running CDE.

I have now recorded a successful intrusion on a computer on my network that 
appears to be related to this vulnerability.  I also showed yesterday that 
I had a host involving a customer of Verio's that probed a handful of 
machines closer to my office hitting 6112/tcp.

I was driving back from Dallas last night and hadn't finished deploying a 
new IDS machine at our border, so I missed catching any traffic details 
involving this exploit.  I went looking back through email from various 
security lists, and see that there may have been probes since early 
December to this port.  This is approximately a month after the initial 
advisory by Xforce.   So these probes in December may be some tests of a 
new tool the black hats have been developing.

So I have several questions for you collectively.

1) Does anyone have a snort/tcpdump trace of the exploit that I can look at 
and analyze?

2) Have any of the rest of you seen scans for port 6112, and can see when 
the scans first started for your network?

3) Have any of you caught a copy of the exploit software somehow that would 
be willing to let me disect?

4)  Have any of you seen a DoS being generated after the computer is exploited?

Thanks for all of your assistance, and if you would like a copy of my 
general report (obfuscation will occur) let me know.  Thanks.

Scott Fendley



- ---
Scott Fendley                           scottfat_private
Systems/Security Analyst                (501) 575-2022
University of Arkansas                  (501) 575-4753


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPEdixUz/L9XvbeTgEQLl+wCgjmLRgUgl2VN2jNnHYwWKzmodcFsAoJM0
ormnD4GB7fnyzU9ROSj6S0wh
=U9rx
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: measlat_private: "Re: Unusual DNS requests (not related to previous DNS thread)"
Previous message: Mike Healy: "RE: Comcast.net abuse contact?"
Next in thread: James C. Slora Jr.: "RE: dtspcd probes toward Solaris machines"
Reply: James C. Slora Jr.: "RE: dtspcd probes toward Solaris machines"
Reply: Lance Spitzner: "Re: dtspcd probes toward Solaris machines"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 19:45:23 PST