GEN:SID | 1:1856 |
Message | DDOS Stacheldraht handler->agent ficken |
Summary | Variant of Stacheldraht DDoS tool |
Impact | Likely you have a compromised machine and your machine is being used as a DDoS zombie |
Detailed Information | This signature is based on traffic caught in the wild. Stacheldraht is a distributed denial of service tool normally found on Sun Solaris machines. It is made up of a client, a handler and an agent. The client connects to the handler. Handlers can connect with up to 1000 agents. Communication between the client and the handler is conducted using TCP, and communication between the handler and the agent can be either TCP or ICMP echo reply. This signature detects a message sent from the handler to the agent. This message is used to respond to the agent message "skillz". The handler replies with the string "ficken". This traffic differs from the traffic described at http://staff.washington.edu/dittrich/misc/stacheldraht.analysis because the packets have an ICMP id of 6667 rather than the 667 noted in the analysis. |
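As an added example (not part of this rule documentation and not the Snort rule itself), the following Python check applies the detection criteria stated above to a raw ICMP message: echo reply, ICMP id 6667, and the string "ficken" in the payload. The sample packets are constructed here for testing and are not captured traffic; the field names and helper functions are this example's own.

```python
import struct

ICMP_ECHO_REPLY = 0
STACHELDRAHT_ICMP_ID = 6667   # id stated in the signature description (Dittrich's analysis notes 667)
MARKER = b"ficken"            # handler's reply to the agent's "skillz"

def icmp_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into header fields and payload; reject a bad checksum."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, cksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Recompute the checksum with the checksum field zeroed, as the sender did.
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != cksum:
        raise ValueError("ICMP checksum mismatch")
    return {"type": itype, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}

def matches_sid_1856(packet: bytes) -> bool:
    """True when the message looks like the handler->agent 'ficken' reply described for this SID."""
    try:
        msg = parse_icmp(packet)
    except ValueError:
        return False
    return (msg["type"] == ICMP_ECHO_REPLY
            and msg["id"] == STACHELDRAHT_ICMP_ID
            and MARKER in msg["payload"])

def build_icmp(itype: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble a test ICMP message with a valid checksum (constructed data, not captured)."""
    hdr = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    cksum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", itype, 0, cksum, ident, seq) + payload

# Constructed samples: the first mimics the described reply; the second carries the
# id from Dittrich's analysis (667) and must not match this SID; the third is benign.
SAMPLE_MATCH = build_icmp(ICMP_ECHO_REPLY, 6667, 0, b"ficken\x00")
SAMPLE_OLD_ID = build_icmp(ICMP_ECHO_REPLY, 667, 0, b"ficken\x00")
SAMPLE_BENIGN = build_icmp(ICMP_ECHO_REPLY, 6667, 1, b"abcdefgh")

if __name__ == "__main__":
    for name, pkt in [("match", SAMPLE_MATCH), ("old id", SAMPLE_OLD_ID), ("benign", SAMPLE_BENIGN)]:
        print(name, matches_sid_1856(pkt))
```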
Affected Systems | |
Attack Scenarios | The agent can be used to mount a distributed denial of service attack. It also means that a machine is compromised. |
Ease of Attack | |
Corrective Action | Take the machine offline as soon as possible and rebuild it with a completely new install. |
Additional References | |
Rule References | url: staff.washington.edu/dittrich/misc/stacheldraht.analysis |