Slashdot Mirror


Crackers Preparing Massive DDoS?

Tairan writes: "Crackers are using two exploits to ready another distributed Denial of Service attack. MSNBC.com is reporting there are at least 560 computers infected. CERT claims it 'poses a significant threat to Internet sites and the Internet infrastructure.'"

8 of 175 comments

  1. Well, this explains why Al Gore wants to sell :) by weston · Score: 5

    After all, what good is the internet going to be after this?

  2. We'll Never Know by n3rd · Score: 5

    There really isn't much to say about this article except for good old rampant Slashdot speculation.

    So some people found some trojans that could be used for DDoS attacks on a few hundred machines. Does this mean a DDoS is "brewing" or ready to be launched? Hardly.

    In order to know if something was coming, we would actually have to talk to whomever put those trojans on the machines to see what their motivation is, and when they plan to use them. Unfortunately, this will more than likely never happen.

    For all we know, this could just be some script kiddie's personal cache of trojans to take over IRC channels, not DDoS a large site such as Yahoo! or Ebay. Heck, maybe it's the BOFH Users Group out for revenge on companies that have had enough of their antics and fired them. Who knows?

    So, is a new, massive DDoS brewing? Unless one of the people who planted these trojans tells us, or a DDoS actually happens, we'll never know.

  3. Victim Report by the_quark · Score: 5

    Ok, they got me. My main personal mailserver/web server/MP3 server got compromised. I upgraded the system (which had 390 days of uptime, woo-hoo!) in late August to Redhat 6.2. Due to the high quality of crack I've been smoking, I FORGOT to turn off rpc in inetd.conf. Whoops! I noticed this last week and fixed it, but I'd already been gotten by the rpc.statd. Interestingly, what tipped me off was the fact that the DDOS software essentially caused a denial of service against ME. I have a DSL connection, and the DOS software flooded my network so badly I started investigating why my network performance was so slow.

    I have to rant a little bit, here - Redhat, is it SO HARD to make the default install be BASICALLY SECURE? Don't turn RPC on by default, for God's sake! The first thing I have to remember to do is to remove the really obvious security holes as soon as I install!

    One nice thing about this DDOS activity - now, the script kiddies want my network bandwidth. Used to be they didn't know what to do when they got in. The same system was compromised three years ago while I was on vacation, and the script kiddies involved did an "rm -rf /" as root. Ouch. This time was pretty easy to clean up from, by comparison.

    But, whoever pointed out that the connections of the hosts are important - absolutely. I'm sure my puny 384kbps upstream didn't cause whoever the victim was any real trouble.

    Tips for people who may be having the same experience:

    First, I was tipped off by the very large numbers of collisions on my hub, and the massive traffic. I'd installed a bunch of new hardware and software, and, at first, thought something was broken. Additionally, I was running mrtg against my router, and the traffic saturation broke SNMP connections, so cron kept complaining.

    Once I figured out the host the traffic was coming from, I started looking around. First of all, a command representing itself as "lpsched" was running with a very low PID (like 120) and had a child process representing itself as in.telne (I believe these were actually the same program). When I killed them, the traffic ended. After some research, I realized that the attackers had installed a trojan in /usr/sbin/init (which was then changing its program name as represented in ps after execution). /usr/sbin/init was being executed by /etc/rc.d/rc.sysinit, at the end of the file (placed here very nicely with a check to make sure /etc/rc.d/rc.sysinit existed).

    Interestingly, they did NOT install a rootkit - I used SHA1 hashing and some custom scripts I wrote to compare the compromised host with a clean install of RedHat 6.2. All they did was modify /etc/rc.d/rc.sysinit and install the Trojan (they may also have edited log files at the time of intrusion). rpc.statd did spew an "I'm executing this obvious buffer overflow attack" in /var/log/messages; "grep rpc.statd /var/log/*" should give you some idea if you have a problem. In the rpc buffer overflow, they echoed to /tmp/m:

    9088 stream tcp nowait root /bin/sh -i

    and then, executed "/usr/sbin/inetd /tmp/m", essentially giving themselves a root shell on port 9088. What they did from there I have no record of, but, obviously, they installed the Trojan and moved onto the next one.

    Good luck, out there...
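The baseline-and-compare check the comment describes (hash every file on a clean install of the same release, then diff against the suspect host) is the core of what caught the modified rc.sysinit and the planted /usr/sbin/init. Below is an added example of that technique, not the commenter's own scripts; the miniature clean/suspect trees it builds under a temporary directory are constructed, and it uses SHA1 only to match the comment (a current baseline would use SHA-256).

```python
"""Baseline-and-compare integrity check modelled on the SHA1 comparison the
comment describes.  Added example; the miniature trees are constructed."""
import hashlib
import os
import tempfile

def sha1_of(path):
    h = hashlib.sha1()                      # SHA1 as in the comment; use SHA-256 today
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Relative path -> digest for every regular file under root (a clean install)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                baseline[os.path.relpath(full, root)] = sha1_of(full)
    return baseline

def compare(baseline, suspect_root):
    """Return (modified, added, missing) relative paths on the suspect tree."""
    current = build_baseline(suspect_root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return modified, added, missing

def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)

def demo():
    """Constructed clean vs. suspect trees showing the two changes the comment found."""
    tmp = tempfile.mkdtemp()
    clean, suspect = os.path.join(tmp, "clean"), os.path.join(tmp, "suspect")
    for root in (clean, suspect):
        _write(root, "etc/rc.d/rc.sysinit", "#!/bin/sh\n# normal boot-time setup\n")
        _write(root, "sbin/init", "stand-in for the real init binary\n")
    # suspect host: rc.sysinit gained a trailing launcher line, /usr/sbin/init appeared
    _write(suspect, "etc/rc.d/rc.sysinit",
           "#!/bin/sh\n# normal boot-time setup\n/usr/sbin/init\n")
    _write(suspect, "usr/sbin/init", "stand-in for the planted binary\n")
    return compare(build_baseline(clean), suspect)
```

The baseline only means something if it is taken from trusted media rather than from the suspect host itself, and the "added" list is what surfaces a new binary dropped into a directory the package set never touched.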

  4. Re:Wow, you are brilliant! by Woody77 · Score: 5

    I agree with him, for a simple reason.

    I started with a commodore, using the command-prompt, and moved up to a PC with a prompt, and that's how I learned computers, in elementary school. Probably not uncommon for the people on this site.

    Now, my little brother never used anything other than 95. Loves computers, mainly games, but couldn't use a command-prompt to save his life, and can't even set up Master/Slaves correctly on an IDE chain. Called me to try and help over the phone...

    He's a smart kid, too.

    He's a Senior in high school, and can get into any school in the nation, from his test-scores and grades.

    So why can't he figure out why the new game he installed whacked windows? Why can't he install a new HD? Because all he's ever used is point-click. He's never actually learned how things work.

    One of my professors once made a statement about "experts", one I've also heard from a few now-retired computing columnists.

    Essentially: A real expert does not know how to do 100 neat things (tweaks) with a piece of software (or other product). Instead, they understand fundamentally how it works. From that, they know how to do the same 100 "neat things", but they also know why those "neat things" do what they do.

    Sorry, enough ranting on "kids these days...."

  5. A real Stacheldraht DDoS network discovered by wzc · Score: 5

    For those of you who don't believe in DDoS attacks or just don't want to believe in them, please check out http://wzc.dhs.org/home/news/index.html and the news post dated 6th September 2000. This is a linux server which I run... it has been DDoSed many times this summer, each time, taking out the ISP on which it is hosted. I managed to log all the networks involved using tcpdump and other such tools. The reason for it being dossed? It runs an eggdrop on IRC hence the hackers DDoS the server to make the bot ping timeout, and take over the channel.... how sad....

    So ppl, these attacks are for real.... we better suss them out... this is exactly what I did.... With help from one of my mates, I managed to determine the protocol used by the packetting agents (the agents which actually cause the garbage traffic) and wrote a little C program which makes them packet; if you care to visit wzc.dhs.org's news section, you will see that the server was set up to perform a scan of all the networks which I had logged (the scan was done by sending control packets to each potentially infected host on each network telling it to packet my server for exactly 1 second... if the host packetted my server, I knew it was hacked and running a packetting agent). The list has now been submitted to cyberabuse.org and CERT have also been notified about them (which is, I assume how this posting got onto here in the first place). I don't claim to be "Mr Expert" of DDoS attacks, but I did the scan due to my general anger against the hackers which were orchestrating these attacks against my server during this summer.

    If anyone would like to know more about how the protocol works, or would even like a copy of the C program which causes these packetting agents to packet, then contact me via the email on wzc.dhs.org's news page..... maybe I should post it publicly so everyone can do their own DDoS attacks, and then... the admin of the compromised hosts might fix their hacked systems.

    Thank you for listening. ----- Mark Hedges (admin of http://wzc.dhs.org)

  6. Must be time for another round of Funding... by Robert+Hayden · Score: 5

    Remember a few months back when the DDOS attacks happened? Just before that, the FBI and CIA and a whole bunch of other TLA departments sent out huge warnings about "cyber-terrorists". Then *POOF* out of nowhere come these DDOS attacks. However, they aren't aimed at any important infrastructure (like the root name servers, for example!!!), but instead at a few well-known and public e-commerce sites.

    OH NO! See, the evil cyber-terrorists have attacked and the TLAs must get their funding to stop it.

    Suddenly....*POOF* the attacks _END_. No "bad guys {tm}" were caught, but the problem goes away.

    Ooops, here come the FUD and scare tactics again! Time to eliminate some more civil rights to protect us from "cyber-terrorists" and make sure those TLAs charged with fighting this dragon are properly funded!

    Maybe this time the feds will attack something on the net that really is meaningful instead of ebay and yahoo. Otherwise, I just ain't buying it.

  7. Revive the demo scene by YoJ · Score: 5

    I think the solution to script-kiddy wankerism is a revival of the demo scene. Everyone uses GUIs now, so it's harder to program to the metal to make cool demos that cut the edge of technology. That's what these dumb kids should be doing, actually improving their skills and learning something, rather than being destructive and 31337. I'm gonna wager that many Slashdotters know at least a couple kids that are probably warez dudes or 31337-haxors at night. Be a force for good in their lives; show them how they can create with a computer as well as cause problems.

  8. Where can we report compromised computers? by stab · Score: 5

    I've been scanning the bait logs on my machine (I run a simple tcp listener on ports 111, 23 and others to report scans), and over the last four weeks the rate of scans against the machine has gone up orders of magnitude.

    Probes to port 111 come about twice a day, from a large range of IPs. These boxes could all be compromised, and being used as part of a worm attack, but I don't have time to track down the postmaster of each of the IP addresses and mail him/her.

    Does anyone know if there's a service run by CERT or anyone to report possibly compromised hosts that turn up in our logs too?

    If not, it would be pretty useful to have ...
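The "simple tcp listener on ports 111, 23" the poster runs is a bait listener: it never serves anything, it only records who connected to a port that should get no legitimate traffic. Below is an added example of such a listener, not the poster's own tool; binding the real decoy ports 111 and 23 requires root, so the class defaults to them but the constructed `simulate_probe` helper and the tests use port 0 (kernel-assigned) on loopback.

```python
"""Minimal TCP bait listener of the kind the comment describes: it accepts a
connection on a decoy port, records it and drops it.  Added example; constructed."""
import socket
import threading
import time
from collections import Counter

class BaitListener:
    def __init__(self, host="127.0.0.1", ports=(111, 23)):
        self.records = []              # (epoch seconds, source ip, decoy port)
        self._lock = threading.Lock()
        self._servers = []
        for port in ports:             # 111/23 need root; port 0 picks a free port
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((host, port))
            srv.listen(16)             # backlog queues probes until start() runs
            self._servers.append(srv)
        self.bound_ports = [s.getsockname()[1] for s in self._servers]

    def start(self):
        for srv in self._servers:
            threading.Thread(target=self._serve, args=(srv,), daemon=True).start()

    def _serve(self, srv):
        while True:
            try:
                conn, (src_ip, _src_port) = srv.accept()
            except OSError:            # listening socket was closed
                return
            with self._lock:           # log and drop: nothing is served back
                self.records.append((time.time(), src_ip, srv.getsockname()[1]))
            conn.close()

    def wait_for(self, count, timeout=2.0):
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.records) >= count:
                    return True
            time.sleep(0.01)
        return False

    def probes_by_port(self):
        with self._lock:
            return Counter(port for _ts, _ip, port in self.records)

def simulate_probe(port, host="127.0.0.1"):
    """Constructed stand-in for a scanner: connect, then close immediately."""
    socket.create_connection((host, port), timeout=2.0).close()
```

Because the decoy ports carry no real service, every record is a probe by definition, which is what makes the per-day rate the poster tracks a usable signal rather than noise to be filtered.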