RE: DDoS Attacks to several Networks (Switzerland)

From: List-Collector (auto-list@softplus.net)
Date: 12/21/01


From: "List-Collector" <auto-list@softplus.net>
To: <incidents@securityfocus.com>
Date: Fri, 21 Dec 2001 00:31:24 +0100

Hi Michi

Being also located in Switzerland, I just wanted to let you know that we did
not have any problems with a DDoS; but we did also have a problem with a
SuSE 6.2 Linux box which was also owned through the SSH hole. The system was
scanned around 15:40 (Dec 18, CET) and attacked and entered around 22:10. The
attacker left quite a few files (and log entries :-)) and two e-mails which
didn't make it out of our gateway (to lostlov3@yahoo.com and tcplog@yahoo.com).

He made a directory /mc, apparently with a rootkit in a file "lamerk.tar.gz".
Its install script shows that it replaced a few commands and installed an
HTTP backdoor (alya.cgi). Separately, in /etc/claudiu/scanssh the tool
"scanssh" was installed.

Around 03:30 (Dec 19, CET) the system received a couple of large ICMP packets
and started scanssh on a big block of systems.

---

I pulled together the logs along with most of the files (scanssh was erased by a trigger-happy admin :-)), if anyone is interested.

I've filed a complaint with the ISPs mentioned in the logs; is there anything else I need to do (besides clean/replace the system)? Is there some place I could get more information about the kits involved here?

Thanks

John Mueller

=======================================================
SOFTplus Entwicklungen GmbH - Software fuer Therapien
Laettichstrasse 8 / CH-6340 Baar / Switzerland
Tel. 041/763 32 32 Fax: 041/763 30 90
www.softplus.net
=======================================================

> -----Original Message-----
> From: michi@digicomp.ch [mailto:michi@digicomp.ch]
> Sent: Thursday, December 20, 2001 6:12 PM
> To: incidents@securityfocus.com
> Subject: DDoS Attacks to several Networks (Switzerland)
>
>
> Hello there,
>
> Tuesday we've had a DDoS coming from 500 different sources. It was a
> "tcp-packet-flood" to unprivileged ports. The DDoS took our network down
> for 2 hours. I called our ISP to block some IPs which had been spammed
> with these packets. There wasn't any scheme in the source IPs; looked like
> they were spoofed, 500 different hosts are a lot. At the same time two
> networks of friends (all in Switzerland) were DDoSed also, with the
> same scheme.
> One friend reported that at the same time one box which was running an old
> version of ssh was owned, or probably owned by the same guy who did the
> DDoS.
> I think the "attacker" has found the IPs to attack on IRC. The attacks
> started from 2pm until 5pm (CET).
>
> Greetings
>
> Michi
> -------------------------------------------------
> DIGICOMP AG
> Michi Zaugg
> Network & Security
> Limmatstr. 50
> 8005 Zuerich
>
> mailto: michi@digicomp.ch
> mob: +41 (0) 79 245 75 34
> tel: +41 (0) 1 447 21 46
> fax: +41 (0) 1 447 21 51
> -------------------------------------------------
> - we're the dot in .digicomp
>
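The sequence John describes (a compromised host receives a few large ICMP packets and, minutes later, starts connecting to port 22 on a large block of addresses) is the kind of thing a perimeter log can surface on its own. The following is an added example, not code from either poster: it parses netfilter-style kernel log lines (format and sample lines constructed here, using documentation address ranges), flags inbound ICMP above a size threshold, detects a burst of outbound SYNs to port 22 across many distinct destinations, and reports bursts that start shortly after such an ICMP packet. The threshold, window and gap values are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not the poster's real logs), in a netfilter LOG
# style. Timestamps mirror the post's timeline: large inbound ICMP around
# 03:30 on Dec 19, then a burst of outbound connections to port 22.
SAMPLE_LOG = """\
Dec 19 02:00:00 host kernel: IN= OUT=eth0 SRC=198.51.100.5 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Dec 19 03:29:58 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=1500 PROTO=ICMP TYPE=8 CODE=0
Dec 19 03:30:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=1480 PROTO=ICMP TYPE=8 CODE=0
Dec 19 03:30:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Dec 19 03:30:40 host kernel: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=33001 DPT=22 SYN
Dec 19 03:30:45 host kernel: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=33002 DPT=22 SYN
Dec 19 03:30:50 host kernel: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.3 LEN=60 PROTO=TCP SPT=33003 DPT=22 SYN
Dec 19 03:30:55 host kernel: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.4 LEN=60 PROTO=TCP SPT=33004 DPT=22 SYN
Dec 19 03:31:00 host kernel: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=33005 DPT=22 SYN
Dec 19 03:31:05 host kernel: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.6 LEN=60 PROTO=TCP SPT=33006 DPT=22 SYN
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<fields>.*)$")


def parse_line(line):
    """Turn one KEY=VALUE log line into a dict; bare flags (SYN) map to ''."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")}
    for tok in m.group("fields").split():
        key, _, val = tok.partition("=")
        ev[key] = val
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def large_icmp_inbound(events, min_len=1000):
    """Inbound ICMP datagrams at or above min_len bytes (assumed threshold)."""
    return [ev for ev in events
            if ev.get("PROTO") == "ICMP" and ev.get("IN")
            and int(ev.get("LEN", 0)) >= min_len]


def ssh_scan_bursts(events, window=timedelta(minutes=5), min_targets=5):
    """(start_time, distinct_targets) for each window in which this host sent
    SYNs to port 22 on at least min_targets distinct destinations."""
    syns = sorted((ev for ev in events
                   if ev.get("PROTO") == "TCP" and ev.get("OUT")
                   and ev.get("DPT") == "22" and "SYN" in ev),
                  key=lambda ev: ev["ts"])
    bursts, i = [], 0
    while i < len(syns):
        start = syns[i]["ts"]
        targets = {ev["DST"] for ev in syns[i:] if ev["ts"] - start <= window}
        if len(targets) >= min_targets:
            bursts.append((start, len(targets)))
            # Advance past this window so one scan is reported once.
            while i < len(syns) and syns[i]["ts"] - start <= window:
                i += 1
        else:
            i += 1
    return bursts


def correlate(events, max_gap=timedelta(minutes=10)):
    """Scan bursts that begin within max_gap after a large inbound ICMP packet."""
    icmp = large_icmp_inbound(events)
    alerts = []
    for start, n in ssh_scan_bursts(events):
        triggers = [ev for ev in icmp if timedelta(0) <= start - ev["ts"] <= max_gap]
        if triggers:
            alerts.append({
                "scan_start": start.strftime("%b %d %H:%M:%S"),
                "targets": n,
                "trigger_src": sorted({ev["SRC"] for ev in triggers}),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single legitimate SSH connection at 02:00 is not reported because it never reaches the distinct-target threshold; only the burst that follows the oversized ICMP packets produces an alert, together with the source address of those packets, which is exactly the lead worth passing to the upstream ISP.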

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com