Re: dtspcd probes toward Solaris machines

From: Nathan W. Labadie (ab0781at_private)
Date: Fri Jan 18 2002 - 10:10:36 PST


    We recently had the same situation. Three machines across campus were 
    compromised with the dtspcd exploit, and the attacker later used the 
    machines to launch a DoS that completely filled up our pipe.
    
    The IDS (snort) detected the intrusion as "SHELLCODE sparc NOOP" 
    destined for port 6112. It looked something like this (wrapped):
    
    01/16-20:31:19.725157  [**] [1:645:2] SHELLCODE sparc NOOP [**] 
    [Classification: Executable code was detected] [Priority: 1] {TCP} 
    202.214.78.93:3787 -> x.x.x.x:6112
    
    The actual contents of the exploit itself are identical to the one 
    listed at http://project.honeynet.org/scans/dtspcd/dtspcd.txt.
    
    On Friday 18 January 2002 11:55 am, Lance Spitzner wrote:
    > On Thu, 17 Jan 2002, Scott Fendley wrote:
    > > Greetings everyone.  My apologies for the cross post, but I am
    > > doing research presently on the dtspcd vulnerability that affects
    > > Solaris (and other vendors) running CDE.
    > >
    > > I have now recorded a successful intrusion on a computer on my
    > > network that appears to be related to this vulnerability.  I also
    > > showed yesterday that I had a host involving a customer of Verio's
    > > that probed a handful of machines closer to my office hitting
    > > 6112/tcp.
    >
    > The Honeynet Project has released the network capture of the
    > dtspcd attack.  This is the same information that was sent to
    > CERT for their analysis, and is the same data that was used
    > to develop the advisory.  It is hoped that this information can
    > help organizations better identify these attacks.  We do not
    > have the actual exploit tool used in the attack.
    >
    > > 1) Does anyone have a snort/tcpdump trace of the exploit that I can
    > > look at and analyze?
    >
    > You can find the attack capture at the Honeynet Project site:
    >
    >    http://project.honeynet.org/scans/dtspcd/dtspcd.txt
    >
    > > 4)  Have any of you seen a DoS being generated after the computer
    > > is exploited?
    >
    > Yes, the attacker returned six days later and attempted to use the
    > honeypot as a DoS base.  He used the tool 'juno', a SYN flooder that
    > creates spoofed loopback packets.
    >
    > Hope this helps!
    >
    > lance
    
    -- 
    Nathan W. Labadie       | ab0781at_private	
    Sr. Security Specialist | 313/577.2126
    Wayne State University  | 313/577.1338 fax
    C&IT Information Security Office: http://security.wayne.edu
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
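The snort alert quoted in the message above is in the "fast" alert format, which is easy to triage mechanically. The following is an added example, not code from the original message: it parses fast-alert lines and keeps only SPARC shellcode alerts aimed at tcp/6112. The first sample line is the one quoted above; the other two are constructed here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One snort "fast" alert per line, as in the (wrapped) example quoted above.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)
DTSPCD_PORT = 6112  # CDE subprocess control daemon, the port probed in this thread

@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]  # None for alerts without ports (e.g. ICMP)

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    dport = int(m["dport"]) if m["dport"] else None
    return Alert(m["ts"], int(m["sid"]), m["msg"], m["proto"], m["src"], m["dst"], dport)

def is_dtspcd_candidate(a: Alert) -> bool:
    """SPARC shellcode/NOOP-sled alerts toward tcp/6112 match the pattern seen here."""
    return a.proto == "TCP" and a.dport == DTSPCD_PORT and "sparc" in a.msg.lower()

def triage(lines) -> list:
    """Return the alerts worth a closer look, in input order, skipping unparsable lines."""
    parsed = (parse_alert(line) for line in lines)
    return [a for a in parsed if a is not None and is_dtspcd_candidate(a)]

# Constructed sample: line 1 is the alert quoted in the message; lines 2 and 3 are
# made up here (a SPARC hit on another port, and an unrelated ICMP alert).
SAMPLE_ALERTS = [
    "01/16-20:31:19.725157  [**] [1:645:2] SHELLCODE sparc NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} "
    "202.214.78.93:3787 -> x.x.x.x:6112",
    "01/16-20:40:02.000001  [**] [1:645:2] SHELLCODE sparc NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} "
    "10.0.0.5:40001 -> x.x.x.x:21",
    "01/16-20:41:10.000002  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} "
    "10.0.0.6 -> x.x.x.x",
]
```

Feeding a snort `alert` file to `triage()` yields only the first sample line; widening the port or message match is a one-line change if your sensor uses different rule text.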
    



    This archive was generated by hypermail 2b30 : Fri Jan 18 2002 - 10:23:16 PST