Re: dtspcd probes toward Solaris machines

From: Nathan W. Labadie (ab0781@wayne.edu)
Date: 01/18/02


From: "Nathan W. Labadie" <ab0781@wayne.edu>
To: Lance Spitzner <lance@honeynet.org>, Scott Fendley <scottf@uark.edu>
Date: Fri, 18 Jan 2002 13:10:36 -0500

We recently had the same situation. Three machines across campus were
compromised with the dtspcd exploit, and the attacker later used the
machines to launch a DoS that completely filled up our pipe.

The IDS (snort) detected the intrusion as "SHELLCODE sparc NOOP"
destined for port 6112. It looked something like this (wrapped):

01/16-20:31:19.725157 [**] [1:645:2] SHELLCODE sparc NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
202.214.78.93:3787 -> x.x.x.x:6112

The actual contents of the exploit itself are identical to the one
listed at http://project.honeynet.org/scans/dtspcd/dtspcd.txt.

On Friday 18 January 2002 11:55 am, Lance Spitzner wrote:
> On Thu, 17 Jan 2002, Scott Fendley wrote:
> > Greetings everyone. My apologies for the cross post, but I am
> > doing research presently on the dtspcd vulnerability that affects
> > Solaris (and other vendors) running CDE.
> >
> > I have now recorded a successful intrusion on a computer on my
> > network that appears to be related to this vulnerability. I also
> > showed yesterday that I had a host involving a customer of Verio's
> > that probed a handful of machines closer to my office hitting
> > 6112/tcp.
>
> The Honeynet Project has released the network capture of the
> dtspcd attack. This is the same information that was sent to
> CERT for their analysis, and is the same data that was used
> to develop the advisory. It is hoped that this information can
> help organizations better identify these attacks. We do not
> have the actual exploit tool used in the attack.
>
> > 1) Does anyone have a snort/tcpdump trace of the exploit that I can
> > look at and analyze?
>
> You can find the attack capture at the Honeynet Project site:
>
> http://project.honeynet.org/scans/dtspcd/dtspcd.txt
>
> > 4) Have any of you seen a DoS being generated after the computer
> > is exploited?
>
> Yes, the attacker returned six days later and attempted to use the
> honeypot as a DoS base. He used the tool 'juno', a SYN flooder that
> creates spoofed loopback packets.
>
> Hope this helps!
>
> lance
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-- 
Nathan W. Labadie       | ab0781@wayne.edu
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu

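The Snort alert quoted in the message above was wrapped by the mail client. As an added example (not part of this thread or of Snort), the following re-joins wrapped fast-format alert lines, parses them, and pulls out the ones delivered to TCP/6112 (dtspcd) for triage; the second alert in the sample and the 192.0.2.10 address are constructed for contrast.

```python
import re
from typing import Dict, List
# TCP port of the CDE Subprocess Control daemon (dtspcd), the port hit in the alert above.
DTSPCD_PORT = 6112

# One Snort fast-format alert line, as quoted above (Classification/Priority are optional):
# ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?(?:\[Priority: (?P<pri>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)
TS_RE = re.compile(r"\d\d/\d\d-\d\d:")   # a leading timestamp marks the start of a new alert

def unwrap(text: str) -> List[str]:
    """Re-join alerts that a mail client (or pager) wrapped across physical lines."""
    logical: List[str] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if TS_RE.match(line):
            logical.append(line)
        elif line and logical:               # continuation of the previous alert
            logical[-1] += " " + line
    return logical

def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Parse every fast-format alert in text; lines that do not match are skipped."""
    alerts: List[Dict[str, object]] = []
    for line in unwrap(text):
        m = ALERT_RE.match(line)
        if m:
            rec: Dict[str, object] = dict(m.groupdict())
            for key in ("gid", "sid", "rev", "sport", "dport"):
                rec[key] = int(str(rec[key]))
            alerts.append(rec)
    return alerts

def dtspcd_hits(alerts: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Alerts that deserve immediate triage: anything delivered to TCP/6112."""
    return [a for a in alerts if a["proto"] == "TCP" and a["dport"] == DTSPCD_PORT]

# Constructed sample: the wrapped alert quoted above, plus one unrelated alert made up
# for contrast (192.0.2.10 is a documentation address; the masked x.x.x.x is kept as-is).
SAMPLE = """
01/16-20:31:19.725157 [**] [1:645:2] SHELLCODE sparc NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
202.214.78.93:3787 -> x.x.x.x:6112
01/16-20:35:02.000001 [**] [1:999999:1] CONSTRUCTED web probe [**]
[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40000 -> x.x.x.x:80
"""
```

Pointing `parse_alerts` at a whole alert file or a pasted mail body gives the same result; only the `{TCP} ... -> host:6112` alerts come back from `dtspcd_hits`.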