Security Incidents: Re: find_ddos results

[Christophe Dubois <dubois () RENATER FR>]

Hi !

It means your box has been compromised.

The Stacheldraht daemon (leaf) appears not to be configured to work
(because the Stacheldraht master IP is 3.3.3.3).

Well, we have seen a lot of such daemons on compromised boxes which
were not configured too. Each time, it appeared to be part of the
t0rnkit. The default installation path of the t0rnkit is
/usr/src/.puta. Perhaps you should have a look there. However, you
can find the t0rnkit path with the 'strings' command. Simply try:
strings /bin/netstat | more
then read the line below 'Fred Baumgarten'. You will find the config
file for the t0rnkit netstat (and should find plenty of other files
there).

There are certainly also a lot of stuff in the path /proc/23043.

I expect at least a trojaned sshd listening on a high port, and may be
a 'leeto's socket daemon' listening on port 510/tcp or 511/tcp (it is
a file usually named /usr/sbin/in.inetd).

Best regards,

Christophe DUBOIS.
CERT-Renater.

Karl Malivuk wrote:
> Security Focus;
> I am new to UNIX/Linux and just brought my first Linux box online. I am
> using it as a test machine before bringing up as a production host. I just
> received and installed find_ddos this morning and got the log listed below.
> I sent a copy to our campus security director who suggested I contact you.
> Where do I go from here?
> Thanks
> Karl
>
> ---------- Forwarded Message ----------
> Date: Monday, November 13, 2000, 12:31 PM -0700
> From: "David Grisham CIRT Security Admin." <dave () unm edu>
> To: root <kmalivuk () unm edu>
> Subject: Re: find_ddos
>
> I really don't know.  The people at incidents () security focus.com can
> help.  Subscribe and ask them or write to dsig () unm edu   Cheers.-grish
>
> On Mon, 13 Nov 2000, root wrote:
>
> > David;
> > I just now installed find_ddos, ran it, and was presented with the
> > following log:
> >
> >
> > Log started for cfatest at Mon Nov 13 11:47:49 2000
> >
> > Scanning running processes:
> >
> > /proc/23043/exe:
> >  identified as: stacheldraht daemon
> >  with no symbol table
> >  with the following differences:
> >   missing string: Error sending syn packet.
> >   missing string: nohup ./%s
> >   missing string: rcp %s () %s:sol.bin %s
> >   missing string: rm -rf %s
> >   missing string: sicken
> >   missing string: ttymon
> >  IP address found: 3.3.3.3 (spoofed address)
> >  Grabbing: /proc/23043/exe
> >   to: /usr/local/find_ddos/files/23043
> >
> > Scanning "/tmp":
> > Scanning "/":
> >
> > Log finished Mon Nov 13 11:50:32 2000
> >
> >
> >
> > Sadly, I'm still too ignorant to know what to do about it. Should I
> > simply delete this or should I be doing an additional corrective
> > measure?
> > Thanks
> > Karl
> Karl Malivuk
> Sr LAN Administrator,
> College of Fine Arts
> University of New Mexico