RE: dtspcd probes toward Solaris machines

From: James C. Slora Jr. (Jim.Slora@phra.com)
Date: 01/18/02


From: Jim.Slora@phra.com (James C. Slora Jr.)
To: "Scott Fendley" <scottf@uark.edu>, "Intrusions List" <intrusions@incidents.org>
Date: Fri, 18 Jan 2002 08:55:30 -0500

Scott -

We have had one probe that fits the description, and a couple of possibly
related hits, starting December 8. Some of the traffic is _from_ 6112 rather
than to it. Only one hit is both from and to 6112. We don't have any root
kits left by the attacker(s).

Our logs showed no SYN or RST packets to go along with the RST ACKs in
December. The high destination ports did not correspond with user activity
that was occurring at the time.

Log field descriptions and the packets are below. Times are Greenwich Mean
Time (GMT).

#Fields: date time source-ip destination-ip protocol param#1 param#2 tcp-flags

2001-12-08 09:39:25 63.240.202.138 xx.xx.xx.170 Tcp 6112 65427 RST ACK
Header: 45 00 00 28 e5 4e 00 00 73 06 75 45 3f f0 ca 8a xx xx xx aa
Data: 17 e0 ff 93 00 00 00 00 80 3f 72 68 50 14 00 00 b8 78 00 00

2001-12-09 19:07:12 63.240.202.138 xx.xx.xx.170 Tcp 6112 65441 RST ACK
Header: 45 00 00 28 2d 93 00 00 73 06 2d 01 3f f0 ca 8a xx xx xx aa
Data: 17 e0 ff a1 00 00 00 00 d0 ba f8 c9 50 14 00 00 e1 8d 00 00

2001-12-31 09:36:48 209.207.216.179 xx.xx.xx.170 Tcp 6112 6112 SYN
Header: 45 00 00 28 49 1d 00 00 79 06 6b 6e d1 cf d8 b3 xx xx xx aa
Data: 17 e0 17 e0 24 fc 7e f8 0d 27 b8 08 50 02 e0 58 a9 60 00 00

- Jim
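The hex dumps in the three log entries above can be decoded to cross-check the logged fields (source port 6112, the RST/ACK and SYN flags, TTL, IP ID) and to flag the oddities a defender would want to note. This is an added example, not part of Jim's message or his logging tool; the packets are transcribed from the post with the masked octets kept as "xx", and the anomaly heuristics are this example's own.

```python
import struct

# Constructed from the three log entries in the message above: (IP header, TCP header).
# Masked octets ("xx") are kept as unknown rather than guessed.
SAMPLE_PACKETS = [
    ("45 00 00 28 e5 4e 00 00 73 06 75 45 3f f0 ca 8a xx xx xx aa",
     "17 e0 ff 93 00 00 00 00 80 3f 72 68 50 14 00 00 b8 78 00 00"),
    ("45 00 00 28 2d 93 00 00 73 06 2d 01 3f f0 ca 8a xx xx xx aa",
     "17 e0 ff a1 00 00 00 00 d0 ba f8 c9 50 14 00 00 e1 8d 00 00"),
    ("45 00 00 28 49 1d 00 00 79 06 6b 6e d1 cf d8 b3 xx xx xx aa",
     "17 e0 17 e0 24 fc 7e f8 0d 27 b8 08 50 02 e0 58 a9 60 00 00"),
]
TCP_FLAGS = [(0x04, "RST"), (0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x08, "PSH")]  # order matches the log's "RST ACK"

def hexdump_to_bytes(dump):
    """Parse 'ab cd xx ..' into bytes; 'xx' becomes 0 and its offset is recorded."""
    masked, out = set(), bytearray()
    for i, tok in enumerate(dump.split()):
        if tok.lower() == "xx":
            masked.add(i)
        out.append(0 if tok.lower() == "xx" else int(tok, 16))
    return bytes(out), masked

def fmt_ip(raw, masked, base):
    return ".".join("xx" if base + i in masked else str(raw[base + i]) for i in range(4))

def check_anomalies(p):
    """Heuristics a defender would apply to the decoded fields."""
    a = []
    if "SYN" in p["flags"] and "ACK" not in p["flags"] and p["ack"] != 0:
        a.append("SYN carries a non-zero ACK number")  # a normal stack zeroes it
    if p["sport"] == p["dport"]:
        a.append("source port equals destination port")  # typical of crafted probes
    if p["flags"] == ["RST", "ACK"] and p["seq"] == 0:
        a.append("RST/ACK with seq 0 looks like a reply to a SYN: check we sent one")
    return a

def decode(header_dump, data_dump):
    """Decode the 20-byte IPv4 header and 20-byte TCP header from a log entry."""
    ip, ipmask = hexdump_to_bytes(header_dump)
    tcp, _ = hexdump_to_bytes(data_dump)
    ip_id, ttl, proto = struct.unpack("!H", ip[4:6])[0], ip[8], ip[9]
    sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    p = {"src": fmt_ip(ip, ipmask, 12), "dst": fmt_ip(ip, ipmask, 16), "ttl": ttl,
         "ip_id": ip_id, "proto": proto, "sport": sport, "dport": dport, "seq": seq,
         "ack": ack, "win": win, "hdr_len": (off >> 4) * 4,
         "flags": [name for bit, name in TCP_FLAGS if flags & bit]}
    p["anomalies"] = check_anomalies(p)
    return p
```

Running `decode` over the three entries confirms the logged ports and flags, and shows that the December RST/ACKs carry sequence number 0 (the shape of a reply to a SYN) while the 31 December SYN has source port equal to destination port and a non-zero ACK number, neither of which a normal TCP stack would produce.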

-----Original Message-----
From: Scott Fendley [mailto:scottf@uark.edu]
Sent: Thursday, January 17, 2002 6:48 PM
To: Intrusions List
Cc: incidents@securityfocus.com
Subject: dtspcd probes toward Solaris machines

Greetings everyone. My apologies for the cross post, but I am doing
research presently on the dtspcd vulnerability that affects Solaris (and
other vendors) running CDE.

I have now recorded a successful intrusion on a computer on my network that
appears to be related to this vulnerability. I also showed yesterday that
I had a host involving a customer of Verio's that probed a handful of
machines closer to my office hitting 6112/tcp.

I was driving back from Dallas last night and hadn't finished deploying a
new IDS machine at our border, so I missed catching any traffic details
involving this exploit. I went looking back through email from various
security lists, and see that there may have been probes since early
December to this port. This is approximately a month after the initial
advisory by Xforce. So these probes in December may be some tests of a
new tool the black hats have been developing.

So I have several questions for you collectively.

1) Does anyone have a snort/tcpdump trace of the exploit that I can look at
and analyze?

2) Have any of the rest of you seen scans for port 6112, and can see when
the scans first started for your network?

3) Have any of you caught a copy of the exploit software somehow that would
be willing to let me dissect?

4) Have any of you seen a DoS being generated after the computer is
exploited?

Thanks for all of your assistance, and if you would like a copy of my
general report (obfuscation will occur) let me know. Thanks.

Scott Fendley

---
Scott Fendley scottf@uark.edu
Systems/Security Analyst (501) 575-2022
University of Arkansas (501) 575-4753


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
