dtspcd compromises

From: Russell Fulton (R.FULTONat_private)
Date: Sun Jan 20 2002 - 23:26:34 PST

Just an FYI:

Early this morning (0220 local time, Monday) we had a couple of Sun
machines compromised via dtspcd.  The exploit started a second copy of
inetd with a configuration file /tmp/x which bound a root shell on 1524
(ingresslock).

Later in the morning (0800) one of the machines started a SYN flood
attack on another machine on our network.  This, combined with the fact
that the attack originated from a local ISP, strongly suggests this is
the work of some of our students, sigh...

No root kit was installed and no other back doors were found; we are
reinstalling anyway, of course...

The Snort rules in the experimental rules file picked up the attack.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
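
As an added example (not part of Russell's post), a POSIX shell check for the two host-side indicators the post describes: an inetd started with a configuration file other than /etc/inetd.conf, and an inetd entry that hands a root shell to whoever connects to ingresslock (1524/tcp). It runs over constructed sample `ps -ef` output and config lines; the process-list layout and the contents of /tmp/x are assumptions, not captures from the incident.

```shell
#!/bin/sh
# Added example, not from the original post. Looks for the two indicators the
# post describes: a second inetd using a config other than /etc/inetd.conf,
# and an inetd entry that serves a shell (here on ingresslock, 1524/tcp).
# On a live host, feed it `ps -ef` and the config file found by the first
# check; the sample lines below are constructed, not captured from the incident.

# Print "<pid> <config>" for each inetd whose config file is not the default.
# Assumes `ps -ef` layout (UID PID PPID C STIME TTY TIME CMD...), so the
# command starts at field 8; the config is the last path-like argument.
rogue_inetd_configs() {
    awk '{
        for (i = 8; i <= NF; i++)
            if ($i ~ /(^|\/)inetd$/) {
                cfg = "/etc/inetd.conf"
                for (j = i + 1; j <= NF; j++) if ($j ~ /^\//) cfg = $j
                if (cfg != "/etc/inetd.conf") print $2, cfg
            }
    }'
}

# Print "<service> <user> <server>" for each inetd.conf entry that either
# listens on ingresslock or runs a shell as its server program.
# inetd.conf fields: service socket proto wait user server args...
shell_backdoor_entries() {
    awk '/^[ \t]*#/ || NF < 6 { next }
         $1 == "ingresslock" || $6 ~ /\/(k|c|ba)?sh$/ { print $1, $5, $6 }'
}

# Constructed sample data (assumption: Solaris-style ps output and a /tmp/x
# of the kind the post describes).
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   123     1  0 02:19 ?        0:00 /usr/sbin/inetd -s
    root  4521     1  0 02:20 ?        0:00 /usr/sbin/inetd -s /tmp/x
    root   234     1  0 02:19 ?        0:00 /usr/dt/bin/dtspcd'

SAMPLE_CONF='# constructed contents of /tmp/x
ingresslock stream tcp nowait root /bin/sh sh -i'

printf '%s\n' "$SAMPLE_PS"   | rogue_inetd_configs     # → 4521 /tmp/x
printf '%s\n' "$SAMPLE_CONF" | shell_backdoor_entries  # → ingresslock root /bin/sh
```

A listener check (`netstat -an | grep '\.1524 '` on Solaris) complements the process and config checks, since a rogue inetd can be renamed but still has to bind the port.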
    
    
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 07:39:01 PST