Re: DoS Trojan on Solaris

[dbrumley () RTFM STANFORD EDU (David Brumley)]

Hi,
you're somewhat unclear as to what you need help with.  milk is a denial
of service tool that simply spits out packets as quickly as possible.  The
fact that rpc.ttdbserverd was replaced/truncated would indicate that was
the entry point.

Reinstalling from original media is probably your best bet.  You may think
you caught everything, but if you miss something the hacker will be back
at it again.

We could give you more information if you could paste the strings from the
really weird programs.

cheers,
david

On Wed, 2 Feb 2000, Roderick Padilla wrote:

> We received e-mail from an Admin in Brazil saying that one of his routers
> was under a DoS attack from one of my Solaris 2.6 boxes.
>
> We found a process called "milk" was running which was doing the DoS. The
> IP that was targeted was the one that we were told about. There was also
> another instance of "milk" that was running and targeting another IP from
> Brazil's backbone networks.
>
> It was discovered that the following programs had trojan replacements:
> /usr/lib/nfs/lockd
> /usr/lib/nfs/statd
> /usr/openwin/bin/rpc.ttdbserverd
> /usr/bin/login
> /usr/bin/ps
> /usr/bin/inetd
> /usr/sbin/in.rlogind
> /usr/sbin/login
>
> Although some of the timestamps for these programs had been forged, they
> all shared a creation time within one second, so we assume this was when
> the breakin occurred. We had another breakin in another non-related
> department on the same day that had many of the same fingerprints, so it is
> likely they were done by the same person(s).
>
> The trojan for /usr/lib/nfs/lockd was listening on port 20000. There was an
> active connection from an IP to that port at the time our security person
> began looking at the box, so it is possible this is where the hacker came
> from (or at least was the last place he came in from).
>
> /usr/ccs/... contained some programs that were his sniffer, DoS attacker,
> etc. The users of our Solaris box rebooted every couple of days because it
> would get very slow. We now know the lockd process respawning the DoS
> program (which used up lots of CPU) was slowing it down.
>
> Anybody with info on this please? Thanks!
>
> Roderick Padilla                           Office:(404) 651-3832
> Systems & Network Administrator       Fax:   (404) 651-3842
> http://www.cis.gsu.edu/~rpadilla              Email: rpadilla () gsu edu
>
> Department of Computer Information Systems
> J. Mack Robinson College of Business
> Georgia State University
> PO Box 4015
> Atlanta, Georgia, USA  30302-4015

--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
            "I have opinions, my employer does not."