We recently had the same situation. Three machines across campus were
compromised with the dtspcd exploit, and the attacker later used the
machines to launch a DoS that completely filled up our pipe. The IDS
(snort) detected the intrusion as "SHELLCODE sparc NOOP" destined for
port 6112. It looked something like this (wrapped):

01/16-20:31:19.725157 [**] [1:645:2] SHELLCODE sparc NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
202.214.78.93:3787 -> x.x.x.x:6112

The actual contents of the exploit itself are identical to the one
listed at http://project.honeynet.org/scans/dtspcd/dtspcd.txt.

On Friday 18 January 2002 11:55 am, Lance Spitzner wrote:
> On Thu, 17 Jan 2002, Scott Fendley wrote:
> > Greetings everyone. My apologies for the cross post, but I am
> > doing research presently on the dtspcd vulnerability that affects
> > Solaris (and other vendors) running CDE.
> >
> > I have now recorded a successful intrusion on a computer on my
> > network that appears to be related to this vulnerability. I also
> > showed yesterday that I had a host involving a customer of Verio's
> > that probed a handful of machines closer to my office hitting
> > 6112/tcp.
>
> The Honeynet Project has released the network capture of the
> dtspcd attack. This is the same information that was sent to
> CERT for their analysis, and is the same data that was used
> to develop the advisory. It is hoped that this information can
> help organizations better identify these attacks. We do not
> have the actual exploit tool used in the attack.
>
> > 1) Does anyone have a snort/tcpdump trace of the exploit that I can
> > look at and analyze?
>
> You can find the attack capture at the Honeynet Project site:
> http://project.honeynet.org/scans/dtspcd/dtspcd.txt
>
> > 4) Have any of you seen a DoS being generated after the computer
> > is exploited?
>
> Yes, the attacker returned six days later and attempted to use the
> honeypot as a DoS base. He used the tool 'juno', a SYN flooder that
> creates spoofed loopback packets.
>
> Hope this helps!
>
> lance

--
Nathan W. Labadie | ab0781at_private
Sr. Security Specialist | 313/577.2126
Wayne State University | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
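As an added example (not code from the post, the list or the Honeynet Project), the following Python script parses Snort's "fast" alert format, the layout of the "SHELLCODE sparc NOOP" alert quoted above, and pulls out the alerts aimed at the dtspcd port so a responder can see which hosts each source hit. The sample alert lines are constructed for this example: the first is modelled on the one in the post, with the masked target replaced by a made-up documentation address, and the remaining lines (the second 6112 hit, the local web-probe alert with a rule id from the local rule range, and the non-alert line) are invented to exercise the filtering.

```python
import re
from collections import defaultdict

# Snort "fast" alert format, i.e. the layout of the alert quoted in the post:
# <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"(?:\[Priority:\s+(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# CDE subprocess control daemon (dtspcd) listens on 6112/tcp, the port named in the thread.
DTSPCD_PORT = 6112

# Constructed sample alerts. Target addresses are documentation ranges (RFC 5737),
# not real hosts; the source address in the first two lines is the one quoted in the post.
SAMPLE_ALERTS = [
    "01/16-20:31:19.725157  [**] [1:645:2] SHELLCODE sparc NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} "
    "202.214.78.93:3787 -> 192.0.2.10:6112",
    "01/16-20:33:02.118904  [**] [1:645:2] SHELLCODE sparc NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} "
    "202.214.78.93:3802 -> 192.0.2.11:6112",
    # Unrelated alert with a made-up local rule id (1000000+ is the local rule range).
    "01/16-20:40:11.003311  [**] [1:1000001:1] LOCAL constructed web probe [**] "
    "[Classification: Web Application Attack] [Priority: 2] {TCP} "
    "198.51.100.7:1044 -> 192.0.2.20:80",
    "garbage line that is not an alert",
]


def parse_alert(line):
    """Return the fields of one fast-format alert as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    alert["prio"] = int(alert["prio"]) if alert["prio"] is not None else None
    return alert


def dtspcd_alerts(lines, port=DTSPCD_PORT):
    """Keep only alerts on TCP traffic destined for the dtspcd port; skip unparsable lines."""
    hits = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and alert["proto"] == "TCP" and alert["dport"] == port:
            hits.append(alert)
    return hits


def targets_by_source(alerts):
    """Map each source address to the sorted list of distinct hosts it hit (the hosts to check)."""
    targets = defaultdict(set)
    for alert in alerts:
        targets[alert["src"]].add(alert["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    hits = dtspcd_alerts(SAMPLE_ALERTS)
    for src, dsts in targets_by_source(hits).items():
        print(f"{src} hit dtspcd on {len(dsts)} host(s): {', '.join(dsts)}")
```

Grouping by source is what turns a stream of per-packet alerts into a triage list: every destination that appears for a source already seen delivering a sparc NOOP sled to 6112/tcp is a host to examine, not just the one that raised the first alert.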
This archive was generated by hypermail 2b30 : Fri Jan 18 2002 - 10:23:16 PST