* * * * *
“I have a bad feeling about this.”
On Monday (which I didn't report), I went to Atlantic Internet [1] to do some
consulting. One of the salespeople there is involved in some projects and I
was brought in to help.
While there, the box being used, a RedHat 6.0 distribution, appeared to have
been compromised. Not like my roommate's box [2] but still, syslogd wasn't
running like it should, and there appeared to be an abnormal amount of
httpd's running, but it's a webserver so I didn't think anything of it.
I shut off ftpd and added entries to /etc/hosts.allow and /etc/hosts.deny
until it could be patched up or upgraded.
Fast forward to today (way early or way late, take your pick) and I'm reading
Slashdot [3] when I come across the article [4] about some recent DoS attacks
against some very large sites. In the discussion, I follow one of the links
to an analysis of stacheldraht, [5] a program that is suspected to have been
used in the DoS. And the code seems to have been written for Solaris 2.x and
Linux, specifically the RedHat 6.0 distribution.
> Like TFN, C macros ("config.h") define values used for expressing commands,
> replacement argument vectors ("HIDEME" and "HIDEKIDS") to conceal program
> names, etc.:
>
> -----[ C ]-----
> #ifndef _CONFIG_H
>
> /* user defined values for the teletubby flood network */
>
> #define HIDEME "(kswapd)"
> #define HIDEKIDS "httpd"
> #define CHILDS 10
> -----[ END OF LINE ]-----
>
The box in question, like I stated, is a RedHat 6.0. What I haven't mentioned
is that it's sitting behind a T3. And there were an abnormally large number
of httpd's running.
I have a bad feeling about this.
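The quoted config.h shows the trick behind the suspicious httpd count: the agent rewrites argv[0] so ps shows "httpd" or "(kswapd)". On Linux that rewrite only touches the command line; /proc/PID/comm and /proc/PID/exe are filled in by the kernel at exec time and still name the binary that was actually started. The script below is an added example (not code from this entry or from the stacheldraht analysis) that flags processes whose argv[0] disagrees with those kernel records. The pids, paths and binary names in the constructed sample are made up for illustration; on a live Linux box it reads /proc instead.

```python
"""Flag processes whose argv[0] claims a name the kernel's own records do not back up.

Assumed layout of the check: compare the first cmdline element against
/proc/<pid>/comm (exe basename, max 15 chars) and /proc/<pid>/exe (readlink).
An argv[0] rewrite of the HIDEME/HIDEKIDS kind changes neither of those.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Proc:
    pid: int
    argv0: str   # first element of /proc/<pid>/cmdline ("" for kernel threads)
    comm: str    # /proc/<pid>/comm, set by the kernel from the exec'd filename
    exe: str     # target of /proc/<pid>/exe, or "" if unreadable


def looks_spoofed(p: Proc) -> bool:
    """True when argv[0] names a program that neither comm nor exe agrees with."""
    name = os.path.basename(p.argv0.strip("()"))   # "(kswapd)" -> "kswapd"
    if not name:
        return False                  # empty cmdline: a real kernel thread, out of scope
    if p.comm and name[:15] == p.comm:
        return False                  # comm is truncated to 15 chars, compare on that prefix
    exe_base = os.path.basename(p.exe)
    if exe_base and exe_base.startswith(name):
        return False                  # "python3" exec'd via a symlink to "python3.11" is fine
    return True


def suspicious(procs: Iterable[Proc]) -> List[Proc]:
    """Return the subset of procs whose displayed name does not match the kernel's records."""
    return [p for p in procs if looks_spoofed(p)]


def read_proc(proc_root: str = "/proc") -> List[Proc]:
    """Collect Proc records from a live /proc (Linux only); unreadable entries are skipped."""
    out = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue                  # process exited or is not readable by us
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""                  # readlink needs ownership or root; leave blank
        out.append(Proc(int(entry), argv0, comm, exe))
    return out


# Constructed sample (hypothetical pids and paths): two genuine processes, one real
# kernel thread, and two agents wearing the borrowed names from the quoted config.h.
SAMPLE = [
    Proc(1, "/sbin/init", "init", "/sbin/init"),
    Proc(412, "/usr/sbin/httpd", "httpd", "/usr/sbin/httpd"),
    Proc(5, "", "kswapd", ""),                          # real kswapd: no cmdline at all
    Proc(2310, "httpd", "td", "/tmp/.x/td"),            # argv[0] rewritten to HIDEKIDS
    Proc(2298, "(kswapd)", "mserv", "/tmp/.x/mserv"),   # argv[0] rewritten to HIDEME
]

if __name__ == "__main__":
    procs = read_proc() if os.path.isdir("/proc") else SAMPLE
    for p in suspicious(procs):
        print(f"pid {p.pid}: shows as {p.argv0!r} but comm={p.comm!r} exe={p.exe!r}")
```

Two caveats when running this against a real system: interpreted scripts show the script name in comm and the interpreter in argv[0], so they will appear in the output and need a glance at the second cmdline element; and comm can be changed with prctl(PR_SET_NAME), whereas the exe link cannot, so the exe check (which needs root for other users' processes) is the stronger of the two.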
[1] http://www.aibusiness.net/
[2] gopher://gopher.conman.org/0Phlog:2000/01/30.1
[3] http://slashdot.org/
[4] http://slashdot.org/article.pl?sid=00/02/08/0344217&mode=flat
[5] http://staff.washington.edu/dittrich/misc/stacheldraht.analysis