Security Incidents mailing list archives

dtspcd compromises


From: Russell Fulton <R.FULTON () auckland ac nz>
Date: 21 Jan 2002 20:26:34 +1300

Just an FYI:

Early this morning (0220 local time, Monday) we had a couple of SUN
machines compromised via dtspcd.  The exploit started a second copy of
inetd with a configuration file /tmp/x which bound a root shell on 1524
(ingresslock).  

Later in the morning (0800) one of the machines started a synflood
attack on another machine on our network.  This combined with the fact
that the attack originated from a local ISP strongly suggests this is
the work of some of our students, sigh...

No root kit was installed and no other back doors were found; we are
reinstalling anyway, of course...

The snort rules in the experimental rules file picked up the attack.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
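As an added defender-side check (not part of Russell's post, and not the code of any project he mentions): a small Python triage script for the host indicators he describes, namely a second copy of inetd started with a non-standard configuration file such as /tmp/x, and a listener bound to tcp/1524 (ingresslock). The sample `ps -ef` and `netstat -an` lines are constructed; the expected config location /etc/inetd.conf and the column layouts of those two commands are assumptions.

```python
"""Triage for the dtspcd-compromise indicators from the post above:
an extra inetd started with a non-default configuration file, and a
listener on tcp/1524. The sample process and socket listings at the
bottom are constructed for illustration."""

import re
import subprocess
from typing import Dict, List, Set

STANDARD_INETD_CONF = "/etc/inetd.conf"  # assumption: default location on Solaris/BSD
INGRESSLOCK_PORT = 1524                  # port the post reports the root shell bound to


def inetd_instances(ps_lines: List[str]) -> List[Dict[str, str]]:
    """Parse `ps -ef` style lines (8 columns, CMD last) and return every
    inetd process with its PID and the config file it was started with.
    conf is None when inetd is running with its default configuration."""
    instances = []
    for line in ps_lines:
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[1].isdigit():
            continue  # header line or something that is not a process row
        pid, cmd = fields[1], fields[7]
        argv = cmd.split()
        if not argv or argv[0].rsplit("/", 1)[-1] != "inetd":
            continue
        # Solaris inetd takes the configuration file as a positional argument;
        # anything after the command that is not an option flag is treated as one.
        conf = next((a for a in argv[1:] if not a.startswith("-")), None)
        instances.append({"pid": pid, "conf": conf, "cmd": cmd})
    return instances


def listening_ports(netstat_lines: List[str]) -> Set[int]:
    """Return the set of local TCP ports in LISTEN state from `netstat -an`
    style output. The first token that looks like addr.port or addr:port is
    taken as the local endpoint."""
    ports = set()
    for line in netstat_lines:
        if "LISTEN" not in line:
            continue
        for tok in line.split():
            m = re.fullmatch(r".*[.:](\d+)", tok)
            if m:
                ports.add(int(m.group(1)))
                break
    return ports


def triage(ps_lines: List[str], netstat_lines: List[str]) -> List[str]:
    """Return a list of human-readable findings; empty means nothing matched."""
    findings = []
    inetds = inetd_instances(ps_lines)
    if len(inetds) > 1:
        findings.append(f"{len(inetds)} inetd processes running (expected 1)")
    for inst in inetds:
        if inst["conf"] is not None and inst["conf"] != STANDARD_INETD_CONF:
            findings.append(
                f"inetd pid {inst['pid']} uses non-standard config {inst['conf']}"
            )
    if INGRESSLOCK_PORT in listening_ports(netstat_lines):
        findings.append(f"listener on tcp/{INGRESSLOCK_PORT} (ingresslock)")
    return findings


# Constructed sample data resembling the state the post describes.
SAMPLE_PS = """UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan20 ? 00:00:03 /etc/init -
root 142 1 0 Jan20 ? 00:00:01 /usr/sbin/inetd -s
root 4417 1 0 02:20 ? 00:00:00 /usr/sbin/inetd -s /tmp/x
root 4418 4417 0 02:20 ? 00:00:00 /bin/sh -i""".splitlines()

SAMPLE_NETSTAT = """   *.22                 *.*                0      0 49152      0 LISTEN
   *.1524               *.*                0      0 49152      0 LISTEN""".splitlines()


def collect_live() -> List[str]:
    """Run the same checks against the local host (requires ps and netstat)."""
    ps = subprocess.run(["ps", "-ef"], capture_output=True, text=True).stdout
    ns = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return triage(ps.splitlines(), ns.splitlines())


if __name__ == "__main__":
    for finding in triage(SAMPLE_PS, SAMPLE_NETSTAT):
        print("FINDING:", finding)
```

On the constructed sample the script reports the extra inetd, its /tmp/x configuration file and the tcp/1524 listener; `collect_live()` runs the same three checks on the machine it is executed on.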

