
SANS ISC InfoSec Handlers Diary Blog



IRC Botnet, Solaris in.named Vulnerability, Information about SuckIT Rootkit

Published: 2004-09-07
Last Updated: 2004-09-10 01:19:24 UTC
by David Goldsmith (Version: 1)
IRC Botnet Found and Shutdown

We received a report this morning from the Telenor Security Operations Center (SOC) of an IRC botnet. The network contained over 10,000 clients. The server has now been shut down. If you keep network traffic logs, check them for connections from your hosts or network to the IRC server: it was listening on IP 203.81.40.172, TCP port 10009.

Solaris in.named Vulnerability

The Solaris in.named daemon may stop functioning properly (a denial of service) if it receives an invalid DNS dynamic update. The Sun bulletin describing the vulnerability, with links to the patches, is at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57614-1

Information about SuckIT Rootkit

We received a query today from Dan about a file he found on a Solaris system. George Bakos, one of the ISC Handlers, determined it to be a copy of the "suckit" rootkit. His reply included:

'On first inspection, it appears to be the Linux kernel rootkit "suckit". Suckit is loaded directly into kernel memory, hiding its existence and allowing an attacker to remain on the box undetected while she maintains root-level control. A number of high-performance computing facilities have seen a lot of this activity on Linux and Sun systems. Stanford has a writeup at:

http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html

I would pay particular attention to other hosts that this machine may have been able to reach. Do you have packet-level logs of outgoing traffic from it?'
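Both the botnet item above and George's advice to look at what the suspect machine reached come down to the same log triage: walk a connection log once, flag any internal host that talked to the reported IRC server (203.81.40.172, TCP 10009), and list every destination a known-compromised host reached. The script below is an added example written for this diary, not code from the ISC or from any of the reporters. It assumes a simple space-separated flow log (timestamp, source IP, source port, destination IP, destination port, protocol); the log lines embedded in it are constructed sample data, and the internal addresses in them are made up. Real firewall or NetFlow exports will need their own parser in place of parse_flow.

```python
"""Triage a connection log for (a) hosts that contacted a known IRC C2
and (b) every destination a suspect host reached.

Added example for the ISC diary; not the diary's own code.  Assumes a
space-separated flow log: timestamp src_ip src_port dst_ip dst_port proto.
"""
from collections import defaultdict
import ipaddress

# IRC server reported by the Telenor SOC (from the diary).
BOTNET_C2_IP = "203.81.40.172"
BOTNET_C2_PORT = 10009

# Constructed sample log.  10.1.2.x addresses are hypothetical internal hosts;
# one line is deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2004-09-07T08:01:12Z 10.1.2.3 33456 203.81.40.172 10009 tcp
2004-09-07T08:01:15Z 10.1.2.4 40011 192.0.2.53 53 udp
2004-09-07T08:02:40Z 10.1.2.3 33457 198.51.100.7 22 tcp
2004-09-07T08:03:01Z 10.1.2.9 51222 203.81.40.172 6667 tcp
2004-09-07T08:05:30Z 10.1.2.3 33458 203.81.100.10 80 tcp
malformed line here
2004-09-07T08:06:02Z 10.1.2.7 44120 203.81.40.172 10009 tcp
"""


def parse_flow(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        sport, dport = int(sport), int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "proto": proto.lower()}


def parse_log(text):
    """Parse all lines, silently dropping any that do not parse."""
    flows = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is not None:
            flows.append(flow)
    return flows


def hosts_contacting_c2(flows, ip=BOTNET_C2_IP, port=BOTNET_C2_PORT):
    """Map each source host that reached the C2 to the timestamps it did so.

    port=None matches any port: the diary reports 10009, but a host talking
    to the same server on another port is still worth a look.
    """
    hits = defaultdict(list)
    for f in flows:
        if f["dst"] == ip and f["proto"] == "tcp" and (port is None or f["dport"] == port):
            hits[f["src"]].append(f["ts"])
    return dict(hits)


def outbound_from(flows, host):
    """Count flows from one (suspect) host, keyed by (dst, dport, proto)."""
    dests = defaultdict(int)
    for f in flows:
        if f["src"] == host:
            dests[(f["dst"], f["dport"], f["proto"])] += 1
    return dict(dests)


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("Hosts that reached %s:%d" % (BOTNET_C2_IP, BOTNET_C2_PORT))
    for host, times in sorted(hosts_contacting_c2(flows).items()):
        print("  %s  %s" % (host, ", ".join(times)))
    print("Hosts that reached %s on any TCP port: %s"
          % (BOTNET_C2_IP, ", ".join(sorted(hosts_contacting_c2(flows, port=None)))))
    print("Outbound connections from suspect host 10.1.2.3:")
    for (dst, dport, proto), n in sorted(outbound_from(flows, "10.1.2.3").items()):
        print("  %s:%d/%s x%d" % (dst, dport, proto, n))
```

Run against the sample, it reports 10.1.2.3 and 10.1.2.7 as having connected to the server on port 10009, adds 10.1.2.9 when the port filter is dropped, and lists three destinations for 10.1.2.3 (the C2, an SSH host and a web server), which is the list of machines to examine next in the rootkit case.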
