Trinity DDoS Discovered

BulletValentine writes "ZDNet is reporting that approximately 400 machines have been found to be running Trinity v3, a DDoS attack program. Supposedly Trinity can set up to eight different types of flood attacks. ZDNet referred readers to Internet Security Solutions for more information about the attack and precautions to take."

Too many announcements

[Denor]

ZDNet is reporting that approximately 400 machines have been found to be running Trinity v3

You know you've been browsing too many software announcements when you see that paragraph and yell "For the last time, this is not Freshmeat!"

Freaky...

[Paladin128]

The thought that someone could remotely tell an infected box to DoS a box is unreal. It's so simple, yet brilliant, yet scary. Does anyone know how this gets distributed to a box? Does someone purposefully have to install it or is it a Trojan Horse?

"Evil beware: I'm armed to the teeth and packing a hampster!"

Re:Freaky...

[itarget]

For the most part it's a script kiddie effort.

Step 1: Obtain pre-made buffer overflow tool of the week.
Step 2: Sweep blocks of IP addresses for vulnerable machines (it's frighening how many publically accessible boxes aren't hardened).
Step 3: Gain access to vulnerable machines by "rooting" them, usually with a premade rootkit (most malicious attackers actually have no idea how most of the tools they use or the systems they're breaking into, work).
Step 4: With this newfound access to often many machines in a single sweep, install whatever you want (eg: Trinity) on them all.

Once the attacker has amassed enough machines to be his or her zombies, the attacker can trigger DDoS software on them all to hammer a specific site.

I don't know what's more frightening; the number of neglected servers running old, vulnerable services... or the growing number of home desktops with megabit+ net connections infected with remote administration trojans.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.

Re:Freaky...

[Inoshiro]

And unfortunately, because of how most admins are lazy, the only solution seems to be:

Step 1: get the latest exploits
Step 2: Sweep IP blocks for vulnerable machines
Step 3: gain access to them and install SSH, add your own user account, and change the root password.
Step 4: secure the box, leave a polite message about the admin needing to be fired, and remove any other traces of your passage.

Once we've secured enough machines through these methods, kiddies won't be able to use them. Unfortunately, a lot of people don't like the idea that they could possibly be insecure, and resist and sort of proactive effort to cut off clueless admins at the knees.

Look how much resistance the RBL and MAPS and ORBS get.. and they're just shutting down "rather harmless" open relays. Compare this with a fleet of rooted boxen, and you see how much more serious *this* issue is.
--

But somebody will read it

[systemapex]

Open source is great because, although this bug has been overlooked, somebody now has the opportunity to track it down and fix it in a few hours. Try that with closed source programs...you'd have to wait until the vendor shipped a patch.

Re:But somebody will read it

[Shokwave]

But that really has nothing to do with the story as posted.
Opensource has nothing to do with intelligent caution and care being taken. (Although it should) You don't patch a problem like this, you remain vigilant to prevent it. I mean you could hide this binary in any location under any name, have it listen to different IRC channels or even have it query a webpage at random times. How would you track that down?

I'm hanging out in #b3eblebr0x

[waldoj]

I'm hanging out in #b3eblebr0x. You know, because this way I can keep an eye on the little buggers.

Hey...where'd all my bandwidth go?

-------------------

Great, another thing to set my flow analyser for.

[Shokwave]

But I do appreciate earlyish warnings like this.
It can keep me from having the campus getting whacked later. I just monitor for inbound connections to that port. (Or look in IRC sessions for the appropriate channels.) and have our security people follow up. MUCH better than them running around CLEANING up.

Only half the story.

[fatphil]

As alread noted, they haven't indicated how this gets transmitted, but they also don't say where the figure of 400 hosts comes from.
It looks like they wanted to be the first to break the story and didn't care about what they had to leave out to gt there first.

Bloody first posters! :-)

FatPhil

Re:Only half the story.

[Phexro]

according to this posting on the securityfocus INCIDENTS list, trinity is often propagated by the ever-popular rpc.statd exploit.

oh, and the guy who posted to INCIDENTS beat out iss by >1 week. :)

btw, trinity is old news to the skr1p+ k1ddi3 scene.
--

Re:Only half the story.

[segmond]

they are talking about a new version of trinity, not the first versions. just like anti-virus experts talk about a new strain of virus.

Re:Only half the story.

[fatphil]

Cheers,
I did look on security focus before I posted my first comment, but it was such _old news_ that it was no longer on the front pages (it's in the archive).
Now they have a link to the ZDNet article, which seems a waste of time considering how watered down it is.

Cheers again.
FatPhil

Use of IRC channel as an interface...

[torpor]

I found that part to be particularly amusing, for some strange reason. I know, it's an evil app, but I have to admire the interface. Might be a useful thing to use in legitimate administration systems - like maintaining a render farm, etc.

Maybe it's just me, but IRC seems like a cool way to go about doing that...

Having your own channel to issue commands to your compromised minions of systems, really really feels like something out of SnowCrash, or maybe even BatMan... :)

Better Article.

[peterdaly]

There is a much better article at http://xforce.iss.net/alerts/advise59.php .

-------

Synopsis: A new Distributed Denial of Service tool, "Trinity v3", has been discovered in the wild. There have been reports of up to 400 hosts running the Trinity agent. In one Internet Relay Chat (IRC) channel on the Undernet network, there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild.

The flooding commands have this format: , where flood is the type of flood, password is the agent's password, victim is the victim's IP address, and time is the length of time to flood the agent, in seconds. The available flood types are the following:

tudp: "udpflood"
tfrag: "fragmentflood"
tsyn: "synflood"
trst: "rstflood"
trnd: "randomflagsflood"
tack: "ackflood"
testab: "establishflood"
tnull: "nullflood"


Other available commands include:


ping: Ping each client. The client will respond with "(trinity) someone
needs a miracle..." size : Set the packet size for the flood, 0 for random.
port : Set which port to hit, 0 for random.
ver?: Get the agent's version. The agent X-Force is analyzing replies with " trinity v3 by self (an idle mind is the devil's playground)"

-------------
-Pete

So how do I know it is Trinity?

[thomasj]

Follow the white rabbit!

Re:So how do I know it is Trinity?

[WhyteRabbyt]

Follow the white rabbit!
Oi! Stop that.

Pax,

White Rabbit +++ Divide by Cucumber Error ++

Even though this is bad...

[paRcat]

it's really quite beautiful. I mean, send out a program, have it connect to a channel, and send it instructions through the channel. That's just plain cool.

While I know cracking is a bad thing, I think some of these guys should get an award for creative thinking. And to see a *real* cracker break into a system with definite, calculated measures... it's just... wow.

Sorry, I know they shouldn't be given extra reason to do this stuff, but I stand impressed.

Re:Even though this is bad...

[Erasmus+Darwin]

While I know cracking is a bad thing, I think some of these guys should get an award for creative thinking.

Creative? Nothing personal, but you've got pretty low standards for creativity. Using an IRC channel, you've got a single point of failure. It also becomes not too difficult to watch the channel and send out "your system has been compromised" mail to the various affected people.

If I wanted to do something like that, I'd probably use Usenet. Come up with a simple algorithm where messages get hashed into IP addresses to be flooded -- use something where it's not too difficult to invent a realistic-looking message that would contain a given target address. Then use something non-unique for the trigger mechanism (say, any e-mail address with 27 characters and 9 vowels). The downside is that with Usenet, you're dealing with a much more public mechanism, but the upside is that you've got much less central authority to stop an attack. And the added kicker is that you can't just go around accusing everyone with a matching e-mail address of being a cracker (but it'd still be to the cracker's benefit to do it from a disposable account).

Re:Even though this is bad...

[AugstWest]

Personally, I hate when any box I've got some access to or control of gets hacked.

However, I think that as we approach more and more intrusion on our privacy, especially our computer privacy, it isn't hard to see a Big Brother type situation in our future.

I see this kind of work as our "well-armed militia."

I think it's important that there are tools to take out tracking systems and privacy intrusion devices, just in case they are needed in the future.

Re:Even though this is bad...

[paRcat]

Well, all told, most cracks are easily fixed. That doesn't mean they weren't creative.

The Usenet thing is interesting, but the IRC thing was done first. Your version is simply improving on an existing crack, which is kinda kiddie-ish, IMO.

Re:Even though this is bad...

[huberj]

What I find amusing about this whole thing is a old script (tcl of course) for the eggdrop bot called 'flud' that was floating around irc botnets about 6 years ago. Only then, it was intentional ddos attacks, and they were targeted at irc users. ie, 'flud '...2 seconds later, oh look, they're not on IRC anymore :)

Re:Even though this is bad...

[Hartree]

paRcat wrote:

The Usenet thing is interesting, but the IRC thing was done first. Your version is simply improving on an existing crack, which is kinda kiddie-ish, IMO.

The IRC trick is a fairly old method used often by trojan programs to report back that a box has been hacked. Nothing that new here.

Re:Even though this is bad...

[paRcat]

Could the originals recieve commands through IRC? If not, then his is still a new idea.

400 Hosts?

[kevin42]

One pretty easy way to find infected hosts is to connect to the IRC server and start recording hostnames.

I'm really interested to find out how this was distributed though...

What?

[Shotgun]

Let me get this straight. There's a trojan floating around which requires some libraries be installed in secure locations, which requires root permissions. So the article goes on about how the trojan works, but gives not one indication of how the thing gets installed. Not to worry though, they have a product that will plug the hole for you.

Why do I smell old fish? It sounds to me that there is an attempt to sell a product by scare-mongering. How can an IRC chat session install files in a directory that requires root permissions? If someone is chatting in IRC as root and allows unchecked software to be installed from a remote server, aren't they getting what they deserve in the same way that I would get my just deserts from driving my car without motor oil? Open-source does not equate to security in spite of stupidity!!

Re:What?

[ichimunki]

The key here is that the systems have been compromised using a completely un-IRC-related flaw in rpc.statd (check securityfocus.com for more info). This has nothing to do with IRCing as root and allowing remote installs. The agent installed on the compromised machine then uses IRC to accept commands, either privately or from the public channel. An ingenious way to broadcast commands to clients, imho. This could be extended to download files/scripts on the fly via dcc transfers and/or to recognize commands as separate from idle chatter on the channel. On a LAN with IRCd on a secure server, this could be fun. As a tool for DDoS it's still crafty since it alleviates the need for the cracker to be logged into all the compromised machines or even to remember which machines are cracked-- they come to him/her.

Re:What?

[CmdData]

it does not matter because you still need to get those binaries in places that only root has access to. This would be the same as installing a new service under any OS. Plust the program must be SUID root. A normal IRC user on the system will not have access to SUID rooting a program.

Is this

[VFVTHUNTER]

the same Trinity from the Matrix? You know, the one who haxx0red the IRS code?

Your day can only be going so well, when you're quoting Keanu Reeves.

script kiddies, ready, set, go!

Posting this story may not be such a good idea. The uninformed reading this story are getting information then their interest will end. On the other hand, script kiddies are going to read this story and not stop when the /. article ends - they're going to look for and d/l Trinity v3. Kind of a catch-22, let news of this DoS incident get out, or supress it so it doesn't start more problems, hmmmm.
-- Sirius

Re:script kiddies, ready, set, go!

[BMIComp]

Whether or not to post stories like these, goes to the center of the argument of Security through Obscurity vs Full Discolsure of security problems.

Your comment points out the Security through Obscurity viewpoint on how to go about things. Rather than tell people as soon as you have problems, you try to hide them, as to prevent more people from finding out about them and therefore exploiting them.

The other viewpoint, of course, is that you tell everyone about these insecurities; even though you may be taking a risk by telling people who would exploit this information, you would also be telling system administrators who could then fix their systems, and therefore the script kiddies wouldn't be able to attack their system.

The major problem with security though obscurity, especially with trinity, is that if you don't let people know about trojans and such, it will still propogate, in underground scenes, which may even be more dangerous. DDoS tools, lame as they are, still can be very dangerous, especially when these tools are installed on machines with fast internet connections, and it is much more efficent to tell people about them than not.

Root these b*stards out

[nahtanoj]

I am so tired of hearing of these kinds of exploits. MS and Mac use these actions as an excuse to say the Unices are security hazards. Either these kiddies need to grow up or we must keep up our watch for these tools. Of course, I don't need to say this to most of you, but it is those that are lax in maintaining their machines that put others at risk.

nahtanoj

Re:Root these b*stards out

[rabidMacBigot()]

Nice sentiment, but I don't think Apple is trying to make Unix appear to be a security hazard - after all, they're transitioning to a Unixlike OS in 8 days...

Of course, if someone came out with a trojan that was just a bit of code and a makefile, anything from BeOS to NeXTStep could be a potential host. Has anything like that been spread before?

Funny name

[mholve]

"Trinity." Too funny. The same name given to the first US nuclear bomb project. ;>

Re:Funny name

[Woodmeister]

I believe the name of first nuclear weapons project in the US is The Manhattan Project. Trinity was the name of the first uncontrolled U-235 fission bomb, detonated in New Mexico.
--

Re:Funny name

[Yog-Soth]

don't be fooled. Trinity -- from The Matrix. "Trinity, eye hab r00t on joor box0rz!$"

DDoS and IRC

[FeeDBaCK]

Is it just me, or do *all* the DDoS tools seem to arise from IRC? I am not saying this as anything bad against IRC. I personally use IRC quite a bit and find it to be an excellent tool for communication. What really bothers me is the little "hax0r kiddiez" who have nothing better to do than attempt to take over channels and brag to each other how 1337 they are (*not*).

Honestly, this was probably conceived of so somebody could flood an irc server and get it to split from the rest of the network. Especially if it is using irc as a control interface.

I find this kind of thing quite prevalent in many places. I was speaking to a kid (he's only 15) the other day who "created" a local ls exploit just for fun. This kind of thing freaks me out.

Software like this gets put on servers either through social engineering (convincing the admin to install it) or even more commonly by finding systems with security holes that have been well documented, "rooting" the system, and installing anything the attacker deems neccessary. It is fairly simple to do this.

Use nmap to scan an ip range. Keep details on what OS/daemons it is running. Search all your favorite script kiddie sites for exploits on those systems. Use exploit. Get root. Install DDoS daemon. Flood IRC server.

Look how '1337 you are now (*not*)!!!

Re:DDoS and IRC

[happystink]

as I think we all know, IRC is a magnet for annoying people. I used to work at an ISP who got DOSed all the time because they let a customer run an irc server from an old machine there. Once they just got rid of the irc server they went forever without a single attack.

It's nice to say "you can't blame a protocol for these problems", but when 99% of the protocol's users are annoying 12 yr olds, then I do.

sig:

Re:DDoS and IRC

[Trevor+Goodchild]

Software like this gets put on servers either through social engineering (convincing the admin to install it) or even more commonly by finding systems with security holes that have been well documented, "rooting" the system, and installing anything the attacker deems neccessary. It is fairly simple to do this.

Y'know, whenever something like this happens you all (well, many of you) instantly start spouting about script kiddies, making it seem like these DDoS attacks:
a) Are pranks by kids who don't know any better
b) Require no real skills whatsoever.

What is being described here requires quite a bit of time and intelligence to create and deploy, and in using IRC to issue commands it's also one helluva nifty hack.

How many of you who say doing this stuff is "easy" could actually pull it off? "They just run root kits and install whatever they want." Oh really? And how does that work? Here's an IP. Go at it and impress me. The clock is ticking.

I'm sure quite a few readers could pull this off very quickly, but I'm also fairly sure that they aren't the ones yelling "script kiddie", either.

There is skill and dedication involved here, even if it's not to the level of those who author the tools. I think by trying to belittle the perpetrators, people are really just trying to make the problem seem much less severe than it actually is, and thereby make themselves feel better.

Re:DDoS and IRC

no, it really is that easy. Its a bit time consuming, and very boring, though.

I used to be a script kiddie, and I gave that bullshit up when I realized how stupid we all were compared to those who were actually creating new things. Now I get paid to contribute to open source software. =)

Anonymous for obvious reasons.

Re:DDoS and IRC

[Kris_J]

With electronic communications mediums the faster the turnaround and the more people that can talk at one time the more annoying the users are. 1-to-1 email is of no interest to such people. ICQ or similar is used more, especially the group things. Things like Yahoo clubs typically degrade to the few remaining people willing to discuss nothing but birthdays and weather. IRC is instant and a group -- it therefore holds the interest of the "M7V G3N3R4710N" -- who get instant gratification from bragging to large groups.

Oh, and once you add pictures, it attracts porn too.

Damn!

[PD]

I always thought Trinity was a guy.

Re:Damn!

[SquadBoy]

So do most guys...

Absolutely DO NOT follow that link.

[Booker]

Or at LEAST note that it does not go to securityfocus.com.

---

ISS

[segmond]

Internet Security Systems not Internet Security Solutions, tho that is what they provide.

Does it come in rpm and deb format??

[Rotten]

Give me a break!
I guess this is kinda repetitive but you have to actually have something called root rights to install not only a library but a server that listens in port something...

Trinity (someone needs a miracle, very funny...) is just a symptom, not a illness.
If someone get rights to install a root shell server controlled by IRC (very creative)then the DDoS part is just an application. Today DDoS, tommorrow....who knows....
So, we have not only 1 but 400 admins out there who actually got Trinity installed in their systems somehow...does any of them have actually a clue of how this happened???!!!

Re:Does it come in rpm and deb format??

[Rotten]

That's true, get root is easy in some systems, but if you care about your system, you should see what's going on in it at least on a weekly basis. I use to exchange some intrussion tests w/other admins once a month, and do internall testing on "I'm bored and there's nothing to do" basis. C'mon!! There's NEW files in your library path!!!! You should notice something like that!!! Anyway, the rpm/deb was just a joke, I did not wanted to show a open/closed philosophic issue here...

I found Waldo

[glowingspleen]

He is hiding behind the refrigerator in #b3eblebr0x.

Now if only I could find his missing hat in the picture...

HERE IS THE ARTICLE. DID YOU READ IT DUMB AZZ???!1

X-Force

X-Force Home
Alerts
Serious Fun
Mail Lists
Security Library
Protoworx
Submissions
Feedback

Advanced Search

Alerts

Back to Alert List

Internet Security Systems Security Alert
September 5, 2000

Trinity v3 Distributed Denial of Service tool

Synopsis:
A new Distributed Denial of Service tool, "Trinity v3", has been
discovered in the wild. There have been reports of up to 400 hosts running
the Trinity agent. In one Internet Relay Chat (IRC) channel on the
Undernet network, there are 50 compromised hosts with Trinity running,
with new hosts appearing every day. It is not known how many different
versions of Trinity are in the wild.

Impact:

Distributed Denial of Service attacks can bring down a network by flooding
target machines with large amounts of traffic. In February of this year,
several of the Internet's biggest websites, including Yahoo, Amazon.com,
Ebay and Buy.com were taken down for extended periods of time by tools
similar to Trinity.

Description:

Trinity is a Distributed Denial of Service tool that is controlled by IRC.
In the version that the X-Force has been analyzing, the agent binary is
installed on a Linux system at /usr/lib/idle.so. When idle.so is started,
it connects to an Undernet IRC server on port 6667. There is a list of
servers in the binary:

204.127.145.17
216.24.134.10
208.51.158.10
199.170.91.114
207.173.16.33
207.96.122.250
205.252.46.98
216.225.7.155
205.188.149.3
207.69.200.131
207.114.4.35

When Trinity connects, it sets its nickname to the first 6 characters of
the host name of the affected machine, plus 3 random letters or numbers.
For example, the computer named machine.example.com would connect and set
its nickname to machinabc, where abc is 3 random letters or numbers. If
there is a period in the first 6 characters of the host name, the period
is replaced by an underscore. In our copy of Trinity, it joins the IRC
channel #b3eblebr0x using a special key. Once it's in the channel, the
agent will wait for commands. Commands can be sent to individual Trinity
agents, or sent to the channel and all agents will process the command.

The flooding commands have this format:
, where flood is the type of flood, password is the agent's
password, victim is the victim's IP address, and time is the length of
time to flood the agent, in seconds. The available flood types are the
following:

tudp: "udpflood"
tfrag: "fragmentflood"
tsyn: "synflood"
trst: "rstflood"
trnd: "randomflagsflood"
tack: "ackflood"
testab: "establishflood"
tnull: "nullflood"

Other available commands include:

ping: Ping each client. The client will respond with "(trinity) someone
needs a miracle..."
size : Set the packet size for the flood, 0 for random.
port : Set which port to hit, 0 for random.
ver?: Get the agent's version. The agent X-Force is analyzing replies with
" trinity v3 by self (an idle mind is the devil's playground)"

Another binary found on affected systems is /var/spool/uucp/uucico. This
binary is not to be confused with the real "uucico", which resides in
/usr/sbin, or other default locations such as /usr/lib/uucp. This is a
simple backdoor program that listens on TCP port 33270 for connections.
When a connection is established, the attacker sends a password to get a
root shell. The password in the binaries that we have analyzed is "!@#".
When the uucico binary is executed it changes its name to "fsflush".

Recommendations:

Scan all systems for port 33270 connections. If any connections are found,
telnet to that port and type "!@#". A system has been compromised if there
is a root shell present after a successful connection to port 33270.

Use "ps" and "lsof" in the following manner to identify a port-shell
installed by Trinity:

# /usr/sbin/lsof -i TCP:33270
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)

# /usr/sbin/lsof -c uucico
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
uucico 6862 root cwd DIR 8,1 4096 306099 /home/jlarimer
uucico 6862 root rtd DIR 8,1 4096 2 /
uucico 6862 root txt REG 8,1 4312 306589 /home/jlarimer/uucico
uucico 6862 root mem REG 8,1 344890 416837 /lib/ld-2.1.2.so
uucico 6862 root mem REG 8,1 4118299 416844 /lib/libc-2.1.2.so
uucico 6862 root 0u CHR 136,2 4 /dev/pts/2
uucico 6862 root 1u CHR 136,2 4 /dev/pts/2
uucico 6862 root 2u CHR 136,2 4 /dev/pts/2
uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)

# ps 6862
PID TTY STAT TIME COMMAND
6862 pts/2 S 0:00 fsflush

Since the Trinity v3 agent does not listen on any ports, it may be
difficult to detect unless you are watching for suspicious IRC traffic. If
a machine that has a Trinity agent installed is found, it may have been
completely compromised. The operating system must be completely
reinstalled along with any available security patches.

Public chat systems can pose a legitimate security risk. It is up to each
user's discretion to protect from malicious content distributed via these
networks.

ISS RealSecure already contains functionality that may aid in detection of
Trinity. Enable the IRC_Nick, IRC_Msg, and IRC_Join decodes via the
RealSecure console to help track IRC activity. These decodes can detect
joins to the IRC channel #b3eblebr0x, as well as behavior associated with
Trinity. In addition, security administrators may choose to enable a
connection event for TCP port 33270 to detect connections to the portshell
that Trinity is installed on.

ISS Internet Scanner can be configured to scan machines on your
network with the TCP Port Scanner turned on. The TCP Port Scanner can be
enabled by selecting it under the Services category in the Policy Editor.
The TCP Port Scanner should be configured to scan port 33270. If machines
are found to be listening on this port, they may have the Trinity
portshell installed.

The ISS X-Force will provide additional functionality to detect these
vulnerabilities in upcoming X-Press Updates for Internet Scanner,
RealSecure, and System Scanner.

Additional Information:

This information has been researched by Jon Larimer of
the Internet Security Systems X-Force.
______

About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBORMoMTRfJiV99eG9AQH4uQP9FJlj+quxhqRM8NdV 5TX7OFlOjoxs+yA3
EvtueaGc7dnI08EUgiUCUERjpYCtI8CnL2Gw4kETkmk6wWeH Eaig4c1QkBMtjoOs
dB4iDKv+NjutECNH3SS71n7D6wkJlNUSk/rJ+WHyHhlwmDH2 B09qNn6wRYUbjFtJ
TLzqCqcKos0=
=kZmQ
-----END PGP SIGNATURE-----

Copyright ©1994-2000 Internet Security Systems, Inc.
All Rights Reserved. Sales Inquiries: sales@iss.net

Re:Triumph -- may be of several kinds

[mafiaboy]

Haaha.

Hahahahaa.

Ah? ha! ha Ha Ha hahA AhA hA hA.

U ALL R FFFFFFUKED!!

->mafiaboy

id and Trinity

[OO7david]

Wasn't id Software working on some secret project called Trinity? Maybe that's why Carmack hasn't been heard from in a while....

Free solution to Trinity

[Netsnipe]

If you don't want to use ISS's security tools to look for the Trinity trojan on your boxen, then follow these instructions from SecurityFocus

MashPotato - Mobile Array of Support Helpers for Potato

Re:Freaky... some info

[TheOnceler]

Here's some info on why and how this phenomenon occurs.

(If you're already irc savvy, then you likely won't get anything out of the article).

http://theorygroup.com/Theory/irc.html

Paying Attention to Our Systems

[VB]

About a week ago, I had received a couple interesting replies from ACs on a post I made on the Microsoft ApacheFP vulnerability. Apparently, my machine is owned. Perhaps...

There's no excuse for ignoring your systems once they're up, and, some basic detection software should be mandated for future distros of any *n*x. Admins should read up on services that want to launch on start-up, as well, and, I'd also love to see a linux box come with a good set of firewall rules in the startup scripts by default.

I've had quite a few servers scanned over the past month for the rpc services, and the machines have acted appropriately. Including responding to the AC who "owns me" and who proceeded to scan 3 of my boxes. He/she may be correct and own my box. Truth is, I haven't heard from him/her since the scans. And, before anyone mentions it: I get CERT alerts; Security Focus is a daily stop.

Might seem off-topic. But, they're getting in through the rpc services. Firewall them. Then we won't hear a bunch of FUD about how insecure Linux is.....


Linux rocks!!! www.dedserius.com

Why not set up dummy directories?

[AFCArchvile]

Why not have /usr/bin and /usr/lib mirrored as dummies, so anyone who adds files to these directories (except root, of course) is documented and the files are moved to an inactive portion of the directory tree? That's what I used to do with Windows 95; I installed it into c:\windows.000 and left a dead installation of win95 in c:\windows. That way, the dumbasses who typed in the literal, predicted path got a bum deal on hacking my system!

Even better, a polymorphic /usr/lib and /usr/bin system! That way, only the local user (and maybe root on a /dev/tty) would be able to change things, as this is the way it should be.

One offtopic thing, but I need to fix a NT4 system: Is there a way to get to the recovery console/command line? I need to replace \WINNT\System32\shlwapi.dll because of a checksum error (eek.)

Re:Why not set up dummy directories?

[demon]

Umm. You must not be too familiar with Linux filesystems - all distros I know of make /usr/lib writable ONLY by root. (As it should be.) If someone were to change the permissions of any /usr/* directory to allow writing by anyone but _specifically_ authorized users, (generally root only) then they're getting what they deserve.

From what I understand, though, this DDoS client is installed and started by exploiting an rpc.statd root hole that existed in RedHat a version or 2 back. Good reason to keep up on known exploits, eh?
_____

Re:Why not set up dummy directories?

[Soko]

Get ERD Commander from SysInternals to fix that NT4 box. Command console doesn't exist on NT4, only Win2k.

SysInternals is a cool company - they seem to like Open Source too. See this page for all the source code freely available. Remember that tree in "A Charlie Brown Christmas"? Maybe NT only needs a little love to grow. Nahh.

Re:Why not set up dummy directories?

[Crewd]

Check out this program called NTFSDOS Pro. It's a bit pricey at $149 US but it does allow you to boot from a floppy and then read and write to NTFS partitions. I remember a couple months ago reading somewhere that someone was developing a freeware version of this, but I am unable to find any info on it at the moment.......

http://www.hotdog.co.uk/software/winternals/NTFS DP.html

Crewd

Re: DDoS and IRC -- The root problem is social.

[Futurepower(tm)]

"There is skill and dedication involved here, even if it's not to the level of those who author the tools. I think by trying to belittle the perpetrators, people are really just trying to make the problem seem much less severe than it actually is, and thereby make themselves feel better."

VERY well said. If all teenagers were smart enough to run DoS attacks, this would be such a different world as to be unrecognizable.

Hackers do us a favor by showing the security holes, the things that need fixing.

The root problem is social: 1) Women have babies that they do not have the psychological and financial resources to care for. 2) Children who aren't cared for become people who have a lot of inner conflict. 3) Some people with inner conflict choose to make their conflict a problem for others. 4) People who haven't been cared for often have children who also aren't cared for, causing the social process to repeat.

Thanks for the

[Hobbits+ain't+trollz]

ya'll know what's true. I be dropping da shizznit..

Re:chatting dangerous

[Soruk]

Chatting is dangerous? Only if you insist on using systems (such as IRC) which give out your IP to everybody and their left toenail.

I've been involved in the MUSH/MUX scene for several years now and have not heard of ANYONE who has had their machine hacked as a result. Not one. Quite simply, these centralised systems (which never get these 'splits' either) treat stuff like your IP address as privileged information and as such only the system admin can see it.

Not necessarily old neglected servers either...

[Eric+Green]

I'll admit it -- I got rooted. I'd set up wuftpd and *thought* I'd restricted it so that I could only get to it from within my vpn. Unfortunately, next time I upgraded my Red Hat to the latest, I forgot to make sure that my firewall rules were still intact. Whoops! So last wuftpd exploit that came about, BLAMMO. [Note: Red Hat 6.2 came out when? The last wuftpd exploit came out when? You do the time line :-). ]

What scares me is the number of remote exploits that have been found over the years in Linux-based utilities, and the difficulty of securing current Linux distributions in the face of all of these potential exploits. I have come to the conclusion that Linux is safe on the Internet only when configured as a single-purpose device with all other software removed. Thus I have an old Cyrix P150 now serving as a firewall doing nothing but IP masquerading and (internal) name resolution (it is not listening on the external network). The only service port open is OpenSSH. I have the thing wired to detect and counter all sorts of attacks, but I'm not going to go into that because one of those programs opens me up to a rather insidious Denial of Service attack that's harder to trace than the typical ping flood or smurf.

Does that make me secure? No. If it wasn't for the need to run CIPE, I would dump Linux on my firewall and run OpenBSD there.

BTW, if anybody wants a root kit, I saved the one the script kiddies left for me :-). Very interesting work. Obviously a derivative of one that I encountered in 1997 or so, but with some interesting twists. I especially liked the sweet little hack of 'ssh' that sits on a high port and gives instant root access to the attacker connecting to that port with the right private key. There's a couple of things I would do, if I were the author of this kit, to make it harder to detect though... I won't go into details here though, for obvious reasons. In any event, this particular kit is easily detectable by anybody who routinely examines the contents of their /var/log directory... and if you type 'locate t0rn' you'll see some files that 'ls' says don't exist... 'nuff said. If you're running Linux and you're connected to the Internet, you'd best go check 'locate' results now :-).

-E

Root kits hide their ports

[Eric+Green]

'Nuff said. Every root kit in existence has hacked versions of 'netstat', 'ps', and 'top' so you can't see the ports open.

There are some tools to detect that 'netstat' and 'ps' are no longer reporting the same stuff as what's being reported in /proc, but these tools do not come with the typical Linux distribution and could easily be hacked themselves if they became common. I won't mention particular tools 'cause I don't want to give the kiddies an idea what they're facing when they go against my system :-}.

-E

Daemons and library paths...

[Eric+Green]

Most root kits don't touch the library path. They merely start up a daemon on some high port (usually a hacked version of 'ssh' that accepts connections only from the correct person) and then replace 'ps', 'ls', 'netstat', and a few other tools of note to make it hard to detect that a new daemon is running. Oh, and toss some code into /etc/rc.d/rc.sysinit that pretends to be starting normal services such as rpc.statd (grin). If you are running Red Hat 6.2, that file should be 13679 bytes long... if it is longer, YOU HAVE BEEN HACKED.

Unfortunately, no current Linux distribution comes with intrusion detection tools installed, running, or even mentioned in the documentation. They should. Especially given Linux's lousy record in this area (yes, problems are fixed quickly, but there are so MANY of them...).

-E

Re:BFD

[jmp100]

Here's how it ends!

Yeah, call everyone stupid...

[RedBear]

instead of fixing the problem.

It's really kind of rank how everyone who considers him/herself a *n?x geek blames everyone's security problems on stupidity. So because I didn't spend a year or two reading Linux manuals and experimenting before hooking up to the Internet, *I* am to be blamed for the fact that 90% of the default *n?x installs are full of gaping holes? That's like a car manufacturer blaming the consumer for not knowing his car leaked gasoline, thus fixing it before he drove it anywhere. "What do you mean you didn't know it was leaking, stupid? It's not our problem it blew up! Everyone knows that cars leak gas and have to be fixed before use! Sheesh. Idiot."

Knowledge should be used responsibly. When you hand out an insecure product to a mass of people that you *know* aren't going to understand how to secure it, that's just inexcusably irresponsible. The more you say, "Those stupid users, it's all their fault!!" the more you blind yourself to the fact that the real problem is at the source, and security problems like this will just continue. Until the people who hand out the software decide to take responsibility and secure their products *before* they get to the user, things will only get worse. Expecting each user to not only become a *n?x expert, but to be one before receiving the software , is simply unfeasible.

Or, to put it another way, it's just plain stupid.

MSFT burned its way into the history books with operating systems so full of holes that today they have to be protected from approximately 47,000 different viruses (at least that's what Norton Antivirus tells me, I take it with a grain of salt). Why the free software community seems to be bent on replacing them as the newest totally insecure product, is beyond me. They seem to be doing a damn good job of it though. If they followed an OpenBSD-like philosophy, we'd have a lot fewer problems.


=============================================

1024

[RedLaggedTeut]

I think you can have a server running on any port > 1024. I guess your passwordless or passwordweak accounts are vulnerable too. Of course it would be obvious that the server is running, but you could rename it to "telnet" or "less".

BS!

[macdaddy]

Name one occasion where you can recall Apple or a Mac user in general saying that "the Unices are security hazards". Come on, name one. You can't, can you? That's because it's a MicroTakeItInTheAss tactic, not an Apple one! Apple has been a good supporter of Linux in the past (although we could use some help right now with the new Cube and dual-G4s..).

Old Hat

[fizbin]

Check out sometime the capabilities of the SubSeven windows trojan. It can phone home on IRC, ICQ, or AOL IM. Since I installed my cable modem 2 weeks ago, SubSeven connection attempts have been coming in at the rate of about 2-3/day, (with floods as high as 5/hour) easily making it the most frequent suspicious probe. (not counting the hundreds of UDP port 137 UDP port 137 traffic that goes by - I don't have time to sort all of that stuff into suspicious vs. "normal".

(off topic)

I've tried to set up a little mini-honeypot to see what these SubSeven probers would try after finding a machine with that port open, but only one has actually tried anything; maybe I need to work out more of the protocol to fake it better. (And I would appreciate any pointers on that, especially on what the "UFU" command means - for some reason, SubSeven's source code isn't available)