Subject: IP: new DoS attack
>X-Sender: laubach@sogo.matmos.com
>Date: Wed, 6 Sep 2000 12:01:32 -0700
>To: farber@cis.upenn.edu
>From: Mark Laubach <laubach@matmos.com>
>Subject: Fwd: new DoS attack
>
>Dunno validity, but interesting.
>Mark
>
>--- begin forwarded text
>
>Delivered-To: firewalls@lists.gnac.net
>Reply-To: <gkhunter@bgnetworking.com>
>From: "Gregory K Hunter \(BG Networking\)" <gkhunter@bgnetworking.com>
>To: "Firewalls \(E-mail\)" <firewalls@Lists.GNAC.NET>
>Subject: new DoS attack
>Date: Wed, 6 Sep 2000 11:43:57 -0700
>X-Priority: 1 (Highest)
>Importance: High
>Sender: firewalls-owner@Lists.GNAC.NET
>X-Loop: firewalls@lists.gnac.net
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Internet Security Systems Security Alert
>September 5, 2000
>
>Trinity v3 Distributed Denial of Service tool
>
>Synopsis:
>
>A new Distributed Denial of Service tool, "Trinity v3", has been
>discovered in the wild. There have been reports of up to 400 hosts
>running the Trinity agent. In one Internet Relay Chat (IRC) channel on
>the Undernet network, there are 50 compromised hosts with Trinity
>running, with new hosts appearing every day. It is not known how many
>different versions of Trinity are in the wild.
>
>Impact:
>
>Distributed Denial of Service attacks can bring down a network by
>flooding target machines with large amounts of traffic. In February of
>this year, several of the Internet's biggest websites, including Yahoo,
>Amazon.com, Ebay and Buy.com were taken down for extended periods of
>time by tools similar to Trinity.
>
>Description:
>
>Trinity is a Distributed Denial of Service tool that is controlled by
>IRC. In the version that the X-Force has been analyzing, the agent
>binary is installed on a Linux system at /usr/lib/idle.so. When idle.so
>is started, it connects to an Undernet IRC server on port 6667. There
>is a list of servers in the binary:
>
>204.127.145.17
>216.24.134.10
>208.51.158.10
>199.170.91.114
>207.173.16.33
>207.96.122.250
>205.252.46.98
>216.225.7.155
>205.188.149.3
>207.69.200.131
>207.114.4.35
>
>When Trinity connects, it sets its nickname to the first 6 characters
>of the host name of the affected machine, plus 3 random letters or
>numbers. For example, the computer named machine.example.com would
>connect and set its nickname to machinabc, where abc is 3 random
>letters or numbers. If there is a period in the first 6 characters of
>the host name, the period is replaced by an underscore. In our copy of
>Trinity, it joins the IRC channel #b3eblebr0x using a special key. Once
>it's in the channel, the agent will wait for commands. Commands can be
>sent to individual Trinity agents, or sent to the channel and all
>agents will process the command.
>
>The flooding commands have this format: <flood> <password> <victim>
><time>, where flood is the type of flood, password is the agent's
>password, victim is the victim's IP address, and time is the length of
>time to flood the agent, in seconds. The available flood types are the
>following:
>
>tudp: "udpflood"
>tfrag: "fragmentflood"
>tsyn: "synflood"
>trst: "rstflood"
>trnd: "randomflagsflood"
>tack: "ackflood"
>testab: "establishflood"
>tnull: "nullflood"
>
>Other available commands include:
>
>ping: Ping each client. The client will respond with "(trinity) someone
>needs a miracle..."
>size : Set the packet size for the flood, 0 for random.
>port : Set which port to hit, 0 for random.
>ver?: Get the agent's version. The agent X-Force is analyzing replies
>with " trinity v3 by self (an idle mind is the devil's playground)"
>
>Another binary found on affected systems is /var/spool/uucp/uucico.
>This binary is not to be confused with the real "uucico", which resides
>in /usr/sbin, or other default locations such as /usr/lib/uucp. This is
>a simple backdoor program that listens on TCP port 33270 for
>connections. When a connection is established, the attacker sends a
>password to get a root shell. The password in the binaries that we have
>analyzed is "!@#". When the uucico binary is executed it changes its
>name to "fsflush".
>
>Recommendations:
>
>Scan all systems for port 33270 connections. If any connections are
>found, telnet to that port and type "!@#". A system has been
>compromised if there is a root shell present after a successful
>connection to port 33270.
>
>Use "ps" and "lsof" in the following manner to identify a port-shell
>installed by Trinity:
>
># /usr/sbin/lsof -i TCP:33270
>COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)
>
># /usr/sbin/lsof -c uucico
>COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>uucico 6862 root cwd DIR 8,1 4096 306099 /home/jlarimer
>uucico 6862 root rtd DIR 8,1 4096 2 /
>uucico 6862 root txt REG 8,1 4312 306589 /home/jlarimer/uucico
>uucico 6862 root mem REG 8,1 344890 416837 /lib/ld-2.1.2.so
>uucico 6862 root mem REG 8,1 4118299 416844 /lib/libc-2.1.2.so
>uucico 6862 root 0u CHR 136,2 4 /dev/pts/2
>uucico 6862 root 1u CHR 136,2 4 /dev/pts/2
>uucico 6862 root 2u CHR 136,2 4 /dev/pts/2
>uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)
>
># ps 6862
> PID TTY STAT TIME COMMAND
> 6862 pts/2 S 0:00 fsflush
>
>Since the Trinity v3 agent does not listen on any ports, it may be
>difficult to detect unless you are watching for suspicious IRC traffic.
>If a machine that has a Trinity agent installed is found, it may have
>been completely compromised. The operating system must be completely
>reinstalled along with any available security patches.
>
>Public chat systems can pose a legitimate security risk. It is up to
>each user's discretion to protect from malicious content distributed
>via these networks.
>
>ISS RealSecure already contains functionality that may aid in detection
>of Trinity. Enable the IRC_Nick, IRC_Msg, and IRC_Join decodes via the
>RealSecure console to help track IRC activity. These decodes can detect
>joins to the IRC channel #b3eblebr0x, as well as behavior associated
>with Trinity. In addition, security administrators may choose to enable
>a connection event for TCP port 33270 to detect connections to the
>portshell that Trinity is installed on.
>
>ISS Internet Scanner can be configured to scan machines on your network
>with the TCP Port Scanner turned on. The TCP Port Scanner can be
>enabled by selecting it under the Services category in the Policy
>Editor. The TCP Port Scanner should be configured to scan port 33270.
>If machines are found to be listening on this port, they may have the
>Trinity portshell installed.
>
>The ISS X-Force will provide additional functionality to detect these
>vulnerabilities in upcoming X-Press Updates for Internet Scanner,
>RealSecure, and System Scanner.
>
>Additional Information:
>
>This information has been researched by Jon Larimer of the Internet
>Security Systems X-Force.
>______
>
>About Internet Security Systems (ISS)
>
>Internet Security Systems (ISS) is a leading global provider of
>security management solutions for the Internet. By providing
>industry-leading SAFEsuite security software, remote managed security
>services, and strategic consulting and education offerings, ISS is a
>trusted security provider to its customers, protecting digital assets
>and ensuring safe and uninterrupted e-business. ISS' security
>management solutions protect more than 5,500 customers worldwide
>including 21 of the 25 largest U.S. commercial banks, 10 of the largest
>telecommunications companies and over 35 government agencies. Founded
>in 1994, ISS is headquartered in Atlanta, GA, with additional offices
>throughout North America and international operations in Asia,
>Australia, Europe, Latin America and the Middle East. For more
>information, visit the Internet Security Systems web site at
>www.iss.net or call 888-901-7477.
>
>Copyright (c) 2000 by Internet Security Systems, Inc.
>
>Permission is hereby granted for the redistribution of this Alert
>electronically. It is not to be edited in any way without express
>consent of the X-Force. If you wish to reprint the whole or any part of
>this Alert in any other medium excluding electronic medium, please
>e-mail xforce@iss.net for permission.
>
>Disclaimer
>
>The information within this paper may change without notice. Use of
>this information constitutes acceptance for use in an AS IS condition.
>There are NO warranties with regard to this information. In no event
>shall the author be liable for any damages whatsoever arising out of or
>in connection with the use or spread of this information. Any use of
>this information is at the user's own risk.
>
>X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
>well as on MIT's PGP key server and PGP.com's key server.
>
>Please send suggestions, updates, and comments to: X-Force
>xforce@iss.net of Internet Security Systems, Inc.
>
>- --
>Regards,
>
>Gregory K Hunter
>BG Networking
>RLU# 187099
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
>iQA/AwUBObaQbTqxit4AvJ4FEQIZvwCeISkJPClA/DlKx2/6ObiZptKcdpwAoN+3
>ezDgD2D6HYk9JaPYsC4ByUvq
>=ZW8O
>-----END PGP SIGNATURE-----
>
>-
>[To unsubscribe, send mail to majordomo@lists.gnac.net with
>"unsubscribe firewalls" in the body of the message.]
>
>--- end forwarded text
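The alert says the agent itself opens no listening port, so the network side of detection comes down to the IRC indicators it lists: the servers compiled into the binary, the nickname rule (first 6 characters of the host name with periods turned into underscores, plus 3 random characters), the join to #b3eblebr0x, and the fixed strings in its ping and ver? replies. The following Python script is an added example written for this archive page; it is not code from the alert, from ISS, or from the mailing list. The log line format it parses ("src:port -> dst:port <raw IRC line>"), the sample traffic, and the address 192.0.2.44 are all constructed for the example.

```python
import re
from typing import Dict, List

# Indicators taken from the ISS alert: the IRC servers compiled into the
# agent, the port it uses, the channel it joins, and its fixed reply strings.
TRINITY_IRC_SERVERS = {
    "204.127.145.17", "216.24.134.10", "208.51.158.10", "199.170.91.114",
    "207.173.16.33", "207.96.122.250", "205.252.46.98", "216.225.7.155",
    "205.188.149.3", "207.69.200.131", "207.114.4.35",
}
TRINITY_IRC_PORT = "6667"
TRINITY_CHANNEL = "#b3eblebr0x"
TRINITY_PING_REPLY = "(trinity) someone needs a miracle..."
TRINITY_VERSION_REPLY = "trinity v3 by self"


def trinity_nick_pattern(hostname: str) -> "re.Pattern[str]":
    """Regex for the nickname rule in the alert: the first 6 characters of the
    host name, with '.' replaced by '_', followed by 3 letters or digits."""
    prefix = hostname[:6].replace(".", "_")
    return re.compile(r"^" + re.escape(prefix) + r"[A-Za-z0-9]{3}$")


# Constructed log format (an assumption for this example, not something the
# alert defines): "<src_ip>:<src_port> -> <dst_ip>:<dst_port> <raw IRC line>",
# one outbound client line per record, as a sniffer or IRC-aware IDS might log.
LOG_LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<payload>.*)$"
)


def scan_irc_log(lines: List[str], hostnames: Dict[str, str]) -> List[str]:
    """Return one finding per distinct Trinity indicator seen in `lines`.

    `hostnames` maps internal source IP -> host name, so the nickname rule is
    evaluated against the name of the host that actually sent the NICK."""
    findings: List[str] = []
    seen = set()

    def report(key, text):
        # De-duplicate: one line per indicator per host, however often it recurs.
        if key not in seen:
            seen.add(key)
            findings.append(text)

    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        src, dst, dport, payload = m.group("src", "dst", "dport", "payload")
        words = payload.split()
        cmd = words[0].upper() if words else ""

        # 1. Traffic to one of the IRC servers embedded in the agent binary.
        if dst in TRINITY_IRC_SERVERS and dport == TRINITY_IRC_PORT:
            report(("server", src, dst), f"{src}: IRC traffic to Trinity server {dst}")
        # 2. Nickname derived from the sending host's own name.
        if cmd == "NICK" and len(words) >= 2 and src in hostnames:
            if trinity_nick_pattern(hostnames[src]).match(words[1]):
                report(("nick", src, words[1]),
                       f"{src}: nick {words[1]} matches Trinity rule for {hostnames[src]}")
        # 3. Join to the control channel (a JOIN may carry a key after the name).
        if cmd == "JOIN" and len(words) >= 2 and words[1] == TRINITY_CHANNEL:
            report(("join", src), f"{src}: JOIN {TRINITY_CHANNEL}")
        # 4. Fixed reply strings produced by the agent's ping and ver? handlers.
        if TRINITY_PING_REPLY in payload or TRINITY_VERSION_REPLY in payload:
            report(("reply", src, payload), f"{src}: Trinity agent reply: {payload}")
    return findings


# Constructed sample traffic: one host showing every indicator and one benign
# IRC user. 192.0.2.44 is a documentation address, not a real server; the
# channel key is a placeholder.
SAMPLE_LOG = [
    "10.0.0.5:1037 -> 216.24.134.10:6667 NICK machinq7z",
    "10.0.0.5:1037 -> 216.24.134.10:6667 JOIN #b3eblebr0x KEY-PLACEHOLDER",
    "10.0.0.5:1037 -> 216.24.134.10:6667 PRIVMSG #b3eblebr0x :(trinity) someone needs a miracle...",
    "10.0.0.9:2210 -> 192.0.2.44:6667 NICK alice",
    "10.0.0.9:2210 -> 192.0.2.44:6667 JOIN #linux",
]
SAMPLE_HOSTNAMES = {"10.0.0.5": "machine.example.com", "10.0.0.9": "desk09.example.com"}

if __name__ == "__main__":
    for finding in scan_irc_log(SAMPLE_LOG, SAMPLE_HOSTNAMES):
        print(finding)
```

The nickname rule on its own is a weak signal (any 9-character nick starting with a host's first six letters will match), which is why the script reports it alongside the server list, the channel join and the reply strings rather than as a verdict by itself; the server IP list is a point-in-time indicator from September 2000 and should be treated as such.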
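On the host side the alert recommends three things: look for a listener on TCP 33270, compare what lsof reports (uucico) with what ps reports for the same PID (fsflush, the name the backdoor gives itself), and check the two file paths it names. The script below is an added example for this archive page, not code from the alert or from ISS; it parses the lsof and ps output quoted in the alert. The sshd line and the ESTABLISHED line in the sample lsof text are constructed additions that show the filter ignoring unrelated rows, and the "existing paths" list is passed in explicitly so the example runs offline (a real run would build it with os.path.exists).

```python
import os
import re
from typing import Dict, List, Sequence

# Host-side indicators from the ISS alert.
TRINITY_PORTSHELL_PORT = 33270
TRINITY_PORTSHELL_NAME = "fsflush"      # name the uucico backdoor adopts in ps
TRINITY_PORTSHELL_BINARY = "uucico"     # name lsof still reports for it
TRINITY_PATHS = ("/usr/lib/idle.so", "/var/spool/uucp/uucico")

# A TCP listener row in `lsof -i` output: COMMAND PID USER ... NAME, where the
# NAME column ends in ":<port> (LISTEN)". ESTABLISHED rows do not match.
LSOF_LISTEN_RE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s.*:(?P<port>\d+) \(LISTEN\)\s*$"
)


def listeners_on_port(lsof_output: str, port: int) -> List[Dict[str, str]]:
    """Parse `lsof -i` text and return the processes listening on `port`."""
    hits = []
    for line in lsof_output.splitlines():
        m = LSOF_LISTEN_RE.match(line)
        if m and int(m.group("port")) == port:
            hits.append({"command": m.group("command"), "pid": m.group("pid"),
                         "user": m.group("user")})
    return hits


def ps_command_by_pid(ps_output: str) -> Dict[str, str]:
    """Map PID -> COMMAND from `ps` output; the header row has no numeric PID."""
    result = {}
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[0].isdigit():
            result[cols[0]] = " ".join(cols[4:])
    return result


def check_host(lsof_output: str, ps_output: str,
               existing_paths: Sequence[str] = ()) -> List[str]:
    """Apply the alert's host checks and return one finding per hit."""
    findings = []
    names = ps_command_by_pid(ps_output)
    for lst in listeners_on_port(lsof_output, TRINITY_PORTSHELL_PORT):
        ps_name = names.get(lst["pid"], "?")
        findings.append(
            f"pid {lst['pid']} ({lst['command']}, user {lst['user']}) listens on "
            f"TCP {TRINITY_PORTSHELL_PORT}; ps shows '{ps_name}'")
        # The alert's tell: lsof names the binary uucico while ps shows fsflush.
        if ps_name == TRINITY_PORTSHELL_NAME or lst["command"] == TRINITY_PORTSHELL_BINARY:
            findings.append(
                f"pid {lst['pid']}: name matches the Trinity portshell "
                f"({TRINITY_PORTSHELL_BINARY} renamed to {TRINITY_PORTSHELL_NAME})")
    for path in existing_paths:
        if path in TRINITY_PATHS:
            findings.append(f"file present: {path}")
    return findings


# Sample input: the lsof/ps rows quoted in the alert, plus two constructed rows
# (an sshd listener and an established connection) that must not be flagged.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 412 root 3u IPv4 9001 TCP *:22 (LISTEN)
uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)
uucico 6862 root 4u IPv4 11203 TCP 10.0.0.5:33270->10.0.0.77:2048 (ESTABLISHED)
"""
SAMPLE_PS = """\
 PID TTY STAT TIME COMMAND
 6862 pts/2 S 0:00 fsflush
"""

if __name__ == "__main__":
    # Offline demo uses a constructed path list; on a live host use the
    # os.path.exists filter instead.
    present = [p for p in TRINITY_PATHS if os.path.exists(p)]
    for finding in check_host(SAMPLE_LSOF, SAMPLE_PS, present or ["/usr/lib/idle.so"]):
        print(finding)
```

Run against live output (for example `lsof -i -P` and `ps -eo pid,tty,stat,time,comm`) the same functions apply unchanged; the point of keeping ps and lsof separate is that the alert's indicator is the disagreement between them, which neither tool shows on its own.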