Compromised System RH7.3-ICMP-STP-DoS
From: Ron Gedye (rgedye@hotmail.com)
Date: 12/20/02
From: "Ron Gedye" <rgedye@hotmail.com>
To: incidents@securityfocus.com
Date: Fri, 20 Dec 2002 15:38:20 -0600
(The message below was originally sent to bugtraq and it was recommended
that I forward it to incidents. Also originally copied were Red Hat,
openssh.org, Cisco, and Lucent.)
Please pardon and redirect me if this is not particularly the best forum for
these questions...
A colleague informed me of strange behavior on one of his UNIX (RH7.3)
systems.
Upon investigation I duplicated the behavior and observed an anomaly in
which the compromised system appeared to be demonstrating the ability to
communicate with other specific hosts using improper/encrypted data over
ICMP response packets.
I am able to reset a router with a simple ping response from the host in
question once a telnet session is established.
I have observed an extremely high volume of traffic from this host,
triggered at a nearly specific time three days in a row, growing each day
finally to a full DoS. (From stats and external observations only; I have as
yet been unable to record this traffic as the machine is now in
quarantine.)
The compromise is directly tied to an IP address; attempts to re-IP the
machine result in ifconfig displaying the original configuration and yet
allowing communication to both the old and new IP. Under these conditions, a
specific 2nd-hop destination never receives an ICMP echo request or other
traffic.
Although preliminary, it appears the compromise can be (temporarily?)
mitigated by rebooting the system with the new IP configuration, and returns
when the original IP config is booted to. This is possibly related to
specific routes assigned with the original config that are not present with
the new config. The original config places a specific router (mentioned
above) as the next hop to a number of networks; only one gw IP of which
appears to not receive the echo requests or any other network communication.
(I thought I saw an ICMP redirect packet from router one, but haven't seen it
since.)
This host also, upon quick initial investigation, appears to be acting as a
root for Spanning Tree Protocol on a high port.
Two questions for the list:
1. Is there a preferred format that I should use when preparing my security
incident report?
I want to provide as much detail surrounding this issue and the environment
in which it occurred to the list in a straightforward manner.
Although this appears to be an SSH-related variant (only HTTP and SSH open
externally), there appears to be behavior that I have not heard of; although
the recent Cisco SSH packet vulnerability as well as the EIGRP postings give
me more food for thought.
2. Are there better (more appropriate) or other lists to which one would
recommend that I pose these and other questions and observations before
completing the formal report? I would like to gain insight from others and
get recommendations for toolsets and procedures to track down this specific
compromise.
Thank you for your time.
Personal responses are welcome, as they are probably more appropriate at this
time.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
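The behavior reported above, encrypted-looking data riding in ICMP echo replies toward specific hosts, is something a defender can hunt for in captured traffic, because RFC 792 requires an echo reply to mirror the request it answers exactly. The following Python is an added example, not part of the original post: it parses raw IPv4/ICMP packets and flags echo replies that answer no observed request or whose payload differs from the request's; all hosts, identifiers and payloads are constructed sample data.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8

def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, type, ident, seq, payload) for an IPv4 ICMP packet, else None."""
    if pkt[9] != 1:  # IPv4 protocol number 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return src, dst, icmp_type, ident, seq, pkt[ihl + 8:]

def flag_suspicious_echo_replies(packets):
    """Flag echo replies that answer no observed request, or whose payload does not
    mirror the request's payload (RFC 792 requires an exact echo)."""
    requests = {}  # (replier, requester, ident, seq) -> request payload
    findings = []
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type, ident, seq, payload = parsed
        if icmp_type == ECHO_REQUEST:
            requests[(dst, src, ident, seq)] = payload  # the reply will travel dst -> src
        elif icmp_type == ECHO_REPLY:
            expected = requests.get((src, dst, ident, seq))
            if expected is None:
                findings.append((src, dst, "unsolicited echo reply", len(payload)))
            elif expected != payload:
                findings.append((src, dst, "reply payload differs from request", len(payload)))
    return findings

def build_icmp(src, dst, icmp_type, ident, seq, payload):
    """Constructed IPv4+ICMP packet for testing (checksums deliberately left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + icmp

# Constructed sample traffic: a normal ping exchange, then replies a covert channel might emit.
PING = bytes(range(0x10, 0x10 + 48))
COVERT = bytes((i * 167 + 13) % 256 for i in range(200))  # stand-in for encrypted data
SAMPLE_PACKETS = [
    build_icmp("10.0.0.5", "10.0.0.1", ECHO_REQUEST, 0x1234, 1, PING),
    build_icmp("10.0.0.1", "10.0.0.5", ECHO_REPLY, 0x1234, 1, PING),       # benign
    build_icmp("10.0.0.1", "192.0.2.77", ECHO_REPLY, 0x0001, 7, COVERT),   # unsolicited
    build_icmp("10.0.0.5", "10.0.0.1", ECHO_REQUEST, 0x1234, 2, PING),
    build_icmp("10.0.0.1", "10.0.0.5", ECHO_REPLY, 0x1234, 2, COVERT),     # payload mismatch
]
```

On a real capture, feed the IP-layer bytes of each frame (Ethernet header stripped) to flag_suspicious_echo_replies; the benign exchange produces no finding, while the two covert-style replies do.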