Re: dtspcd probes toward Solaris machines

From: Nathan W. Labadie (ab0781@wayne.edu)
Date: 01/18/02


From: "Nathan W. Labadie" <ab0781@wayne.edu>
To: Lance Spitzner <lance@honeynet.org>, Scott Fendley <scottf@uark.edu>
Date: Fri, 18 Jan 2002 13:10:36 -0500

We recently had the same situation. Three machines across campus were
compromised with the dtspcd exploit, and the attacker later used the
machines to launch a DoS that completely filled up our pipe.

The IDS (snort) detected the intrusion as "SHELLCODE sparc NOOP"
destined for port 6112. It looked something like this (wrapped):

01/16-20:31:19.725157 [**] [1:645:2] SHELLCODE sparc NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
202.214.78.93:3787 -> x.x.x.x:6112

The actual contents of the exploit itself are identical to the one
listed at http://project.honeynet.org/scans/dtspcd/dtspcd.txt.

On Friday 18 January 2002 11:55 am, Lance Spitzner wrote:
> On Thu, 17 Jan 2002, Scott Fendley wrote:
> > Greetings everyone. My apologies for the cross post, but I am
> > doing research presently on the dtspcd vulnerability that affects
> > Solaris (and other vendors) running CDE.
> >
> > I have now recorded a successful intrusion on a computer on my
> > network that appears to be related to this vulnerability. I also
> > showed yesterday that I had a host involving a customer of Verio's
> > that probed a handful of machines closer to my office hitting
> > 6112/tcp.
>
> The Honeynet Project has released the network capture of the
> dtspcd attack. This is the same information that was sent to
> CERT for their analysis, and is the same data that was used
> to develop the advisory. It is hoped that this information can
> help organizations better identify these attacks. We do not
> have the actual exploit tool used in the attack.
>
> > 1) Does anyone have a snort/tcpdump trace of the exploit that I can
> > look at and analyze?
>
> You can find the attack capture at the Honeynet Project site:
>
> http://project.honeynet.org/scans/dtspcd/dtspcd.txt
>
> > 4) Have any of you seen a DoS being generated after the computer
> > is exploited?
>
> Yes, the attacker returned six days later and attempted to use the
> honeypot as a DoS base. He used the tool 'juno', a SYN flooder that
> creates spoofed loopback packets.
>
> Hope this helps!
>
> lance
>
>
>
> ---------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-- 
Nathan W. Labadie       | ab0781@wayne.edu
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu
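As an added illustration (not part of the original mail or of the Honeynet capture), the Python below parses snort fast-format alerts like the wrapped one quoted above, rejoins records that a mail client split across lines, and pulls out the indicator the mail describes: sid 645 "SHELLCODE sparc NOOP" bound for 6112/tcp. The second alert in the sample log is constructed for contrast; the first is the one quoted in the mail.

```python
import re
from typing import Dict, List, Optional
# Snort "fast" alert format, as quoted in the mail (one record per line before wrapping).
DTSPCD_PORT = 6112     # CDE dtspcd, the destination port in the quoted alert
SID_SPARC_NOOP = 645   # sid of the "SHELLCODE sparc NOOP" rule in the quoted alert
TS_RE = re.compile(r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+")
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)
INT_FIELDS = {"gid", "sid", "rev", "prio", "sport", "dport"}

def unwrap(text: str) -> List[str]:
    """Rejoin records a mail client wrapped: a new record starts only at a timestamp."""
    records: List[str] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_alert(record: str) -> Optional[Dict[str, object]]:
    """Parse one unwrapped fast-format alert; None if the line is not an alert."""
    m = ALERT_RE.match(record)
    if not m:
        return None
    return {k: (int(v) if k in INT_FIELDS else v) for k, v in m.groupdict().items()}

def dtspcd_suspects(text: str) -> List[Dict[str, object]]:
    """Alerts matching the indicator in the mail: a SPARC NOOP sled bound for 6112/tcp."""
    return [a for a in map(parse_alert, unwrap(text))
            if a and a["proto"] == "TCP" and a["dport"] == DTSPCD_PORT
            and a["sid"] == SID_SPARC_NOOP]
# Constructed sample input: the wrapped alert quoted in the mail plus one unrelated alert.
SAMPLE_LOG = """\
01/16-20:31:19.725157 [**] [1:645:2] SHELLCODE sparc NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
202.214.78.93:3787 -> x.x.x.x:6112
01/16-20:45:02.000001 [**] [1:1000001:1] LOCAL constructed unrelated alert [**]
[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:1044 -> x.x.x.x:80
"""
if __name__ == "__main__":
    for a in dtspcd_suspects(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} {a['msg']}")
```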



