Re: dtspcd probes toward Solaris machines

From: Lance Spitzner (lance@honeynet.org)
Date: 01/18/02


Date: Fri, 18 Jan 2002 10:55:40 -0600 (CST)
From: Lance Spitzner <lance@honeynet.org>
To: Scott Fendley <scottf@uark.edu>

On Thu, 17 Jan 2002, Scott Fendley wrote:

> Greetings everyone. My apologies for the cross post, but I am doing
> research presently on the dtspcd vulnerability that affects Solaris (and
> other vendors) running CDE.
>
> I have now recorded a successful intrusion on a computer on my network that
> appears to be related to this vulnerability. I also showed yesterday that
> I had a host involving a customer of Verio's that probed a handful of
> machines closer to my office hitting 6112/tcp.

The Honeynet Project has released the network capture of the
dtspcd attack. This is the same information that was sent to
CERT for their analysis, and is the same data that was used
to develop the advisory. It is hoped that this information can
help organizations better identify these attacks. We do not
have the actual exploit tool used in the attack.

> 1) Does anyone have a snort/tcpdump trace of the exploit that I can look at
> and analyze?

You can find the attack capture at the Honeynet Project site:

   http://project.honeynet.org/scans/dtspcd/dtspcd.txt

> 4) Have any of you seen a DoS being generated after the computer is exploited?

Yes, the attacker returned six days later and attempted to use the
honeypot as a DoS base. He used the tool 'juno', a SYN flooder that
creates spoofed loopback packets.

Hope this helps!

lance

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
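As an added illustration (not part of the original thread or the Honeynet capture), the Python below shows defender-side detection logic for the two behaviours described in this exchange: one source SYN-probing 6112/tcp across several hosts, and outbound SYNs carrying a 127.0.0.0/8 source address, as a juno-style spoofing flooder would emit from a compromised box. The record format, threshold and addresses are constructed for the example.

```python
"""Flag dtspcd (6112/tcp) sweeps and spoofed-loopback SYNs in constructed flow records.

Record format (hypothetical, constructed for this example):
    "src_ip:src_port > dst_ip:dst_port flags"
"""
import ipaddress
from collections import defaultdict

PROBE_PORT = 6112          # dtspcd, the CDE Subprocess Control Service
PROBE_HOST_THRESHOLD = 3   # distinct targets before we call it a sweep (assumed value)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_record(line):
    """Split one constructed record into (src_ip, src_port, dst_ip, dst_port, flags)."""
    src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (ipaddress.ip_address(src_ip), int(src_port),
            ipaddress.ip_address(dst_ip), int(dst_port), flags)


def dtspcd_sweeps(records):
    """Map each source that SYN-probed 6112/tcp on >= threshold hosts to its sorted targets."""
    targets = defaultdict(set)
    for line in records:
        src_ip, _, dst_ip, dst_port, flags = parse_record(line)
        if dst_port == PROBE_PORT and flags == "S":   # pure SYN toward dtspcd
            targets[src_ip].add(dst_ip)
    return {str(s): sorted(map(str, t))
            for s, t in targets.items() if len(t) >= PROBE_HOST_THRESHOLD}


def spoofed_loopback_syns(records):
    """Return SYN records whose source claims to be loopback; these never belong on the wire."""
    hits = []
    for line in records:
        src_ip, _, _, _, flags = parse_record(line)
        if src_ip in LOOPBACK and flags == "S":
            hits.append(line)
    return hits


# Constructed sample traffic using documentation and private address ranges.
SAMPLE = [
    "198.51.100.7:40321 > 10.0.0.11:6112 S",   # one source walks 6112/tcp...
    "198.51.100.7:40322 > 10.0.0.12:6112 S",
    "198.51.100.7:40323 > 10.0.0.13:6112 S",
    "198.51.100.7:40324 > 10.0.0.14:6112 S",   # ...across four internal hosts
    "203.0.113.5:51000 > 10.0.0.11:22 S",      # unrelated SSH connection
    "10.0.0.11:6112 > 198.51.100.7:40321 S.",  # SYN/ACK reply, not a probe
    "127.0.0.1:1025 > 192.0.2.9:80 S",         # spoofed loopback source leaving the host
    "127.0.0.1:1026 > 192.0.2.9:80 S",
]

if __name__ == "__main__":
    print("dtspcd sweeps:", dtspcd_sweeps(SAMPLE))
    print("spoofed loopback SYNs:", spoofed_loopback_syns(SAMPLE))
```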
