On Thu, 17 Jan 2002, Scott Fendley wrote: > Greetings everyone. My apologies for the cross post, but I am doing > research presently on the dtspcd vulnerability that affects Solaris (and > other venders) running CDE. > > I have now recorded a successful intrusion on a computer on my network that > appears to be related to this vulnerability. I also showed yesterday that > I had a host involving a customer of Verio's that probed a handful of > machines closer to my office hitting 6112/tcp. The Honeynet Project has released the network capture of the dtspcd attack. This is the same information that was sent to CERT for their analysis, and is the same data that was used to develop the advisory. It is hoped that this information can help organizations better identify these attacks. We do not have the actual exploit tool used in the attack. > 1) Does anyone have a snort/tcpdump trace of the exploit that I can look at > and analyze? You can find the attack capture at the Honeynet Project site: http://project.honeynet.org/scans/dtspcd/dtspcd.txt > 4) Have any of you seen a DoS being generated after the computer is exploited? Yes, the attacker returned six days later and attempted to use the honeypot as a DoS base. He used the tool 'juno', a SYN flooder that creates spoofed loopback packets. Hope this helps! lance ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 18 2002 - 09:24:24 PST