Security Incidents mailing list archives

Re: Kaiten.exe DoS ?


From: Frijole <frijole () CLAS NET>
Date: Mon, 7 May 2001 15:46:15 -0500

this appears to be a ddos tool for irc. from kaiten.c help function
(http://packetstorm.securify.com/DoS/kaiten.c):

void help(int sock, char *sender, int argc, char **argv) {
 if (mfork() != 0) return;
 Send(sock,"NOTICE %s :GET <http address> <save as>                     = Downloads a file off the web and saves it onto the hd\n",sender); sleep(2);
 Send(sock,"NOTICE %s :TSUNAMI <target> <secs>                          = Special packeter that wont be blocked by most firewalls\n",sender); sleep(2);
 Send(sock,"NOTICE %s :NICK <nick>                                      = Changes the nick of the knight\n",sender); sleep(2);
 Send(sock,"NOTICE %s :GETSPOOF                                         = Gets the current spoofing\n",sender); sleep(2);
 Send(sock,"NOTICE %s :PAN <target> <secs>                              = An advanced syn flooder that will kill most network drivers\n",sender); sleep(2);
 Send(sock,"NOTICE %s :UDP <target> <port> <secs>                       = My special++ exploit\n",sender); sleep(2);
 Send(sock,"NOTICE %s :SPOOFS <subnet>                                  = Changes spoofing to a subnet\n",sender); sleep(2);
 Send(sock,"NOTICE %s :DNS <host>                                       = DNSs a host\n",sender); sleep(2);
 Send(sock,"NOTICE %s :CHECKSUM <on/off>                                = Turns checksum on or off\n",sender); sleep(2);
 Send(sock,"NOTICE %s :IRC <command>                                    = Sends this command to the server\n",sender); sleep(2);
 Send(sock,"NOTICE %s :SH <command>                                     = Executes a command\n",sender); sleep(2);
 Send(sock,"NOTICE %s :KILLALL                                          = Kills all current packeting\n",sender); sleep(2);
 Send(sock,"NOTICE %s :KILL                                             = Kills the knight\n",sender); sleep(2);
 Send(sock,"NOTICE %s :DISABLE                                          = Disables all packeting from this knight\n",sender); sleep(2);
 Send(sock,"NOTICE %s :ENABLE                                           = Enables all packeting from this knight\n",sender); sleep(2);
 Send(sock,"NOTICE %s :VERSION                                          = Requests version of knight\n",sender); sleep(2);
 Send(sock,"NOTICE %s :HELP                                             = Displays this\n",sender);
 exit(0);
}


Youn Gonzales
System Administrator
CLAS Net Inc.
Comptia A+, Network+
Cisco CCNA
Chicken is tasty..


----- Original Message -----
From: "C Boening" <txfmfdoc () HOME COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Sunday, May 06, 2001 9:45 AM
Subject: Kaiten.exe DoS ?


Has anyone ever heard of a DoS named Kaiten? I have been able to find
only one relevant reference on the net for kaiten.c, which lists the
code for it. I have found on one of my servers a program named
Kaiten.exe (installed on 15 April 01, two minutes AFTER someone hacked
into one of our other servers using the IIS unicode exploit. The intruder
put kaiten.exe at the end of his script used to hack in) for which I
have found absolutely no info anywhere. OS is WinNT server 4.0. File
size for Kaiten.exe is 52 k's, whereas the kaiten.c is only 32 k's. I am
new to the whole security business, moving up from tech support... I
have copied Kaiten.exe on an NT box removed from the network and sure
enough it tried to connect to the internet ...
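
Added example (not part of either post and not code from kaiten.c): a static triage check that looks inside a suspect file for the NOTICE help strings quoted in the reply above. It assumes the binary is unpacked and still carries that help text; the marker list comes from the quoted help(), while the function names and the threshold of 4 are assumptions.

```python
import re

# Markers copied from the help() listing quoted in the reply above.
# The threshold of 4 is an assumption chosen for illustration.
HELP_MARKERS = [
    "GET <http address> <save as>", "TSUNAMI <target> <secs>",
    "PAN <target> <secs>", "UDP <target> <port> <secs>",
    "SPOOFS <subnet>", "GETSPOOF", "CHECKSUM <on/off>", "KILLALL",
]
NOTICE_PREFIX = "NOTICE %s :"

def printable_strings(data, min_len=6):
    """Yield runs of printable ASCII, as strings(1) would."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")

def match_help_markers(data):
    """Return the sorted help-text markers found in NOTICE format strings."""
    found = set()
    for s in printable_strings(data):
        idx = s.find(NOTICE_PREFIX)
        if idx < 0:
            continue
        # Collapse the column padding of the help text before comparing.
        body = " ".join(s[idx + len(NOTICE_PREFIX):].split())
        for marker in HELP_MARKERS:
            if body == marker or body.startswith(marker + " ="):
                found.add(marker)
    return sorted(found)

def looks_like_kaiten(data, threshold=4):
    """True when at least `threshold` distinct markers are present."""
    return len(match_help_markers(data)) >= threshold

# Constructed sample: not a real binary, just NUL-separated format strings
# laid out the way a compiler would store the literals from help().
CONSTRUCTED_SAMPLE = b"\x01\x02\x00" + b"\x00".join([
    b"NOTICE %s :TSUNAMI <target> <secs>          = Special packeter\n",
    b"NOTICE %s :PAN <target> <secs>              = An advanced syn flooder\n",
    b"NOTICE %s :GETSPOOF                         = Gets the current spoofing\n",
    b"NOTICE %s :KILLALL                          = Kills all current packeting\n",
    b"NOTICE %s :KILL                             = Kills the knight\n",
]) + b"\x00\x90\x90"

if __name__ == "__main__":
    print(match_help_markers(CONSTRUCTED_SAMPLE))
    print(looks_like_kaiten(CONSTRUCTED_SAMPLE))
```

A match is a strong hint for further analysis; no match proves nothing, since a packed or modified build need not contain these strings.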

