RE: dtspcd probes toward Solaris machines

From: James C. Slora Jr. (Jim.Sloraat_private)
Date: Fri Jan 18 2002 - 05:55:30 PST

    Scott -
    
    We have had one probe that fits the description, and a couple of possibly
    related hits, starting December 8. Some of the traffic is _from_ 6112 rather
    than to it. Only one hit is both from and to 6112. We don't have any root
    kits left by the attacker(s).
    
    Our logs showed no SYN or RST packets to go along with the RST ACK's in
    December. The high destination ports did not correspond with user activity
    that was occurring at the time.
    
    Log field descriptions and the packets are below. Times are Greenwich Mean
    Time (GMT).
    
    #Fields:	date	time	source-ip	destination-ip	protocol	param#1	param#2	tcp-flags
    
    2001-12-08	09:39:25	63.240.202.138	xx.xx.xx.170	Tcp	6112	65427	RST ACK
    Header: 45 00 00 28 e5 4e 00 00 73 06 75 45 3f f0 ca 8a xx xx xx aa
    Data: 17 e0 ff 93 00 00 00 00 80 3f 72 68 50 14 00 00 b8 78 00 00
    
    2001-12-09	19:07:12	63.240.202.138	xx.xx.xx.170	Tcp	6112	65441	RST ACK
    Header: 45 00 00 28 2d 93 00 00 73 06 2d 01 3f f0 ca 8a xx xx xx aa
    Data: 17 e0 ff a1 00 00 00 00 d0 ba f8 c9 50 14 00 00 e1 8d 00 00
    
    2001-12-31	09:36:48	209.207.216.179	xx.xx.xx.170	Tcp	6112	6112	SYN
    Header: 45 00 00 28 49 1d 00 00 79 06 6b 6e d1 cf d8 b3 xx xx xx aa
    Data: 17 e0 17 e0 24 fc 7e f8 0d 27 b8 08 50 02 e0 58 a9 60 00 00
    
    - Jim
    
    -----Original Message-----
    From: Scott Fendley [mailto:scottfat_private]
    Sent: Thursday, January 17, 2002 6:48 PM
    To: Intrusions List
    Cc: incidentsat_private
    Subject: dtspcd probes toward Solaris machines
    
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Greetings everyone.  My apologies for the cross post, but I am doing
    research presently on the dtspcd vulnerability that affects Solaris (and
    other vendors) running CDE.
    
    I have now recorded a successful intrusion on a computer on my network that
    appears to be related to this vulnerability.  I also showed yesterday that
    I had a host involving a customer of Verio's that probed a handful of
    machines closer to my office hitting 6112/tcp.
    
    I was driving back from Dallas last night and hadn't finished deploying a
    new IDS machine at our border, so I missed catching any traffic details
    involving this exploit.  I went looking back through email from various
    security lists, and see that there may have been probes since early
    December to this port.  This is approximately a month after the initial
    advisory by Xforce.   So these probes in December may be some tests of a
    new tool the black hats have been developing.
    
    So I have several questions for you collectively.
    
    1) Does anyone have a snort/tcpdump trace of the exploit that I can look at
    and analyze?
    
    2) Have any of the rest of you seen scans for port 6112, and can see when
    the scans first started for your network?
    
    3) Have any of you caught a copy of the exploit software somehow that would
    be willing to let me dissect?
    
    4)  Have any of you seen a DoS being generated after the computer is
    exploited?
    
    Thanks for all of your assistance, and if you would like a copy of my
    general report (obfuscation will occur) let me know.  Thanks.
    
    Scott Fendley
    
    
    
    - ---
    Scott Fendley                           scottfat_private
    Systems/Security Analyst                (501) 575-2022
    University of Arkansas                  (501) 575-4753
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBPEdixUz/L9XvbeTgEQLl+wCgjmLRgUgl2VN2jNnHYwWKzmodcFsAoJM0
    ormnD4GB7fnyzU9ROSj6S0wh
    =U9rx
    -----END PGP SIGNATURE-----
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
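Added example, not from either poster: a small Python decoder for the Header/Data hex dumps in Jim's log, with the three packets transcribed as constructed input (the obfuscated "xx" octets are kept as he left them). It decodes the IPv4 and TCP headers, cross-checks the decoded source address, ports and flags against the log columns, and applies two triage heuristics that are my assumptions, not anything the posters state: an RST/ACK with sequence 0 and window 0 that arrives with no preceding SYN from the site is the shape of backscatter from a spoofed-source probe of the remote host's port 6112, and a SYN whose ACK-number field is non-zero was not produced by a normal TCP stack.

```python
import struct

# Records transcribed from the log above (constructed test input). Each entry is
# (timestamp, src-ip, param#1, param#2, tcp-flags, IP header hex, TCP header hex).
# The 'xx' octets are the poster's own obfuscation of the destination address.
LOG_PACKETS = [
    ("2001-12-08 09:39:25", "63.240.202.138", 6112, 65427, "RST ACK",
     "45 00 00 28 e5 4e 00 00 73 06 75 45 3f f0 ca 8a xx xx xx aa",
     "17 e0 ff 93 00 00 00 00 80 3f 72 68 50 14 00 00 b8 78 00 00"),
    ("2001-12-09 19:07:12", "63.240.202.138", 6112, 65441, "RST ACK",
     "45 00 00 28 2d 93 00 00 73 06 2d 01 3f f0 ca 8a xx xx xx aa",
     "17 e0 ff a1 00 00 00 00 d0 ba f8 c9 50 14 00 00 e1 8d 00 00"),
    ("2001-12-31 09:36:48", "209.207.216.179", 6112, 6112, "SYN",
     "45 00 00 28 49 1d 00 00 79 06 6b 6e d1 cf d8 b3 xx xx xx aa",
     "17 e0 17 e0 24 fc 7e f8 0d 27 b8 08 50 02 e0 58 a9 60 00 00"),
]

# TCP flag bits (RFC 793), most significant first so names come out in a stable order.
TCP_FLAGS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
             (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def parse_octets(hexline):
    """Split a hex dump into ints; obfuscated 'xx' octets become None."""
    return [None if tok.lower() == "xx" else int(tok, 16) for tok in hexline.split()]


def fmt_ip(octets):
    return ".".join("xx" if o is None else str(o) for o in octets)


def decode_ip(hexline):
    """Decode the 20-byte IPv4 header by hand so the 'xx' octets survive."""
    b = parse_octets(hexline)
    if len(b) != 20 or b[0] >> 4 != 4:
        raise ValueError("expected a 20-byte IPv4 header")
    return {
        "ihl": (b[0] & 0x0F) * 4,
        "total_length": (b[2] << 8) | b[3],
        "id": (b[4] << 8) | b[5],
        "ttl": b[8],
        "protocol": b[9],
        "src": fmt_ip(b[12:16]),
        "dst": fmt_ip(b[16:20]),
    }


def decode_tcp(hexline):
    """Decode the 20-byte TCP header (no obfuscated octets here, so struct works)."""
    raw = bytes(parse_octets(hexline))
    sport, dport, seq, ack, off, flags, win, cksum, urg = struct.unpack("!HHIIBBHHH", raw)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off >> 4) * 4, "flags": flags,
        "flag_names": [n for bit, n in TCP_FLAGS if flags & bit],
        "window": win,
    }


def triage(tcp):
    """Heuristic notes for the two packet shapes in the log (assumptions, not proof)."""
    names = set(tcp["flag_names"])
    if names == {"RST", "ACK"} and tcp["seq"] == 0 and tcp["window"] == 0:
        return ("unsolicited RST/ACK with seq 0 and window 0: looks like backscatter "
                "from a spoofed-source probe of the remote host's port")
    if names == {"SYN"} and tcp["ack"] != 0:
        return "SYN carrying a non-zero ACK number: crafted packet, not a normal stack connect"
    return "no heuristic matched"


def analyze(record):
    """Decode one log record and cross-check the decoded values against the log columns."""
    ts, src, p1, p2, logflags, iphex, tcphex = record
    ip, tcp = decode_ip(iphex), decode_tcp(tcphex)
    consistent = (ip["src"] == src and ip["protocol"] == 6
                  and (tcp["sport"], tcp["dport"]) == (p1, p2)
                  and set(logflags.split()) == set(tcp["flag_names"]))
    return {"time": ts, "ip": ip, "tcp": tcp, "consistent": consistent, "note": triage(tcp)}


def analyze_all(records=LOG_PACKETS):
    return [analyze(r) for r in records]


if __name__ == "__main__":
    for r in analyze_all():
        t = r["tcp"]
        print(f'{r["time"]} {r["ip"]["src"]}:{t["sport"]} -> {r["ip"]["dst"]}:{t["dport"]} '
              f'{"/".join(t["flag_names"])} seq={t["seq"]:#x} ack={t["ack"]:#x} '
              f'win={t["window"]} ttl={r["ip"]["ttl"]} ok={r["consistent"]} :: {r["note"]}')
```

Running it shows all three dumps agree with the log columns. The two December packets decode to source port 6112, sequence number 0, window 0 and flags RST/ACK, which is what a host answers when it receives a SYN it never asked for; since Jim saw no outbound SYN, the SYN most likely carried his address as a forged source. The December 31 packet is a SYN from 6112 to 6112 with a non-zero acknowledgement number, so it is a crafted probe rather than an ordinary connection attempt.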
    



    This archive was generated by hypermail 2b30 : Fri Jan 18 2002 - 08:44:01 PST