
[linux-team] warning sysadmins: *new DDoS*



A DDoS controlled over IRC.. totally awesome! ;-))))

Internet Security Systems Security Alert September 5, 2000 
A new Distributed Denial of Service tool, "Trinity v3", has been discovered
in the wild. There have been reports of up to 400 hosts running the Trinity
agent. In one Internet Relay Chat (IRC) channel on the Undernet network,
there are 50 compromised hosts with Trinity running, with new hosts
appearing every day. It is not known how many different versions of Trinity
are in the wild. 
(...)
Trinity is a Distributed Denial of Service tool that is controlled by IRC.
In the version that the X-Force has been analyzing, the agent binary is
installed on a Linux system at /usr/lib/idle.so. When idle.so is started, it
connects to an Undernet IRC server on port 6667. There is a list of servers
in the binary:

204.127.145.17 216.24.134.10 208.51.158.10 199.170.91.114 207.173.16.33
207.96.122.250 205.252.46.98 216.225.7.155 205.188.149.3 207.69.200.131
207.114.4.35

When Trinity connects, it sets its nickname to the first 6 characters of the
host name of the affected machine, plus 3 random letters or numbers. For
example, the computer named machine.example.com would connect and set its
nickname to machinabc, where abc is 3 random letters or numbers. If there is
a period in the first 6 characters of the host name, the period is replaced
by an underscore. In our copy of Trinity, it joins the IRC channel
#b3eblebr0x using a special key. Once it's in the channel, the agent will
wait for commands. Commands can be sent to individual Trinity agents, or
sent to the channel and all agents will process the command.
(...)
Another binary found on affected systems is /var/spool/uucp/uucico. This
binary is not to be confused with the real "uucico", which resides in
/usr/sbin, or other default locations such as /usr/lib/uucp. This is a
simple backdoor program that listens on TCP port 33270 for connections. When
a connection is established, the attacker sends a password to get a root
shell. The password in the binaries that we have analyzed is "!@#". When the
uucico binary is executed it changes its name to "fsflush".

Recommendations: Scan all systems for port 33270 connections. If any
connections are found, telnet to that port and type "!@#". A system has been
compromised if there is a root shell present after a successful connection
to port 33270.
(...)
more info on: http://xforce.iss.net/alerts/advise59.php

---
Vincent Jamart, Sgt.
AIX System Administrator
22 Log. Wing -XSU
BELGIAN AIR FORCE
tf: +32-2/701.23.02
fax: +32-2/701.59.32
mail: JamartV@baf.mil.be
------------------------------------
'A message said "Requires Windows 95 or better", so I installed LINUX.'
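An added detection helper, written for this archive and not part of the ISS advisory or of Trinity itself, that turns the indicators quoted above into checks a sysadmin can run: the nickname pattern the agent derives from the victim's host name, and netstat-style socket lines flagged for the 33270 backdoor listener, outbound 6667 IRC connections, and sockets owned by the "fsflush"/"idle.so" process names. The netstat lines are constructed sample data; the function and variable names are this example's own.

```python
import re

# Indicators taken from the ISS advisory quoted above.
BACKDOOR_PORT = 33270   # TCP listener of the /var/spool/uucp/uucico backdoor
IRC_PORT = 6667         # port idle.so uses to reach the Undernet IRC servers
SUSPECT_NAMES = {"fsflush", "idle.so"}  # process names the advisory ties to Trinity

def trinity_nick_pattern(hostname):
    """Nickname a Trinity agent derives from the victim's host name: the first
    6 characters, '.' replaced by '_', followed by 3 random letters or digits."""
    prefix = hostname[:6].replace(".", "_")
    return re.compile("^" + re.escape(prefix) + "[A-Za-z0-9]{3}$")

def is_trinity_nick(hostname, nick):
    """True if `nick` matches what an agent on `hostname` would register."""
    return trinity_nick_pattern(hostname).match(nick) is not None

def suspicious_sockets(netstat_lines):
    """Scan netstat -tanp style lines (proto recvq sendq local remote state pid/prog)
    and return (reason, line) pairs for the 33270 listener, outbound 6667 IRC
    connections, or any socket owned by a process name from the advisory."""
    findings = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue  # header line or non-TCP socket
        local, remote, state = fields[3], fields[4], fields[5]
        program = fields[6].split("/", 1)[-1] if len(fields) > 6 else ""
        if state == "LISTEN" and local.rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
            findings.append(("backdoor listener on 33270", line))
        elif remote.rsplit(":", 1)[-1] == str(IRC_PORT):
            findings.append(("outbound IRC connection on 6667", line))
        elif program in SUSPECT_NAMES:
            findings.append(("socket owned by suspect process " + program, line))
    return findings

SAMPLE_NETSTAT = [  # constructed sample output, not taken from a real host
    "Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name",
    "tcp 0 0 0.0.0.0:33270 0.0.0.0:* LISTEN 812/fsflush",
    "tcp 0 0 10.0.0.5:41022 203.0.113.7:6667 ESTABLISHED 801/idle.so",
    "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 455/sshd",
    "tcp 0 0 10.0.0.5:33270 198.51.100.9:50231 ESTABLISHED 812/fsflush",
]

if __name__ == "__main__":
    print(is_trinity_nick("machine.example.com", "machinabc"))  # True
    for reason, line in suspicious_sockets(SAMPLE_NETSTAT):
        print(reason, "->", line)
```

On a live host, feed it the output of `netstat -tanp` (run as root so the program column is filled in), and compare IRC NICK registrations seen at the network edge against `is_trinity_nick` for each internal host name.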
