GEN:SID 1:1855
Message DDOS Stacheldraht agent->handler skillz
Summary Variant of the Stacheldraht DDOS tool (agent-to-handler keepalive)
Impact A host on your network is very likely compromised and is being used as a
DDOS zombie (a Stacheldraht agent).
Detailed Information This signature is based on traffic caught in the wild. Stacheldraht is a
distributed denial of service tool normally found on Sun Solaris machines.
It is made up of a client, a handler and an agent. The client connects to the
handler; a handler can control up to 1000 agents. Communication between
the client and the handler is conducted over TCP, and communication
between the handler and the agent can be either TCP or ICMP echo reply. This
signature detects a message sent from the agent to the handler. The
message is a keepalive: it tells the handler that the agent is still alive and
able to take requests. The handler then replies with the string "ficken". This
traffic differs from the traffic described at
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis in that the
packets carry an ICMP id of 6666 rather than the 666 noted in that analysis,
so a check written from the analysis's values alone will not match this variant.
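The check below is an added example written for this page, not the Snort rule itself or code from the Dittrich analysis. It applies the three conditions the description gives (ICMP type 0 echo reply, ICMP identifier 6666, the string "skillz" in the data) to raw ICMP datagrams, and runs them over constructed sample packets: the keepalive described here, the 666-id variant from the analysis (which this signature does not match), an ordinary ping reply that happens to use id 6666, and an echo request carrying "skillz". The packet builder, the sample traffic and the function names are assumptions made for the example.

```python
import struct

# Values taken from the signature description: echo reply (ICMP type 0),
# ICMP identifier 6666, and the agent's keepalive string "skillz".
ICMP_ECHOREPLY = 0
ICMP_ECHOREQUEST = 8
STACHELDRAHT_ID = 6666
KEEPALIVE = b"skillz"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP datagram."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length to a 16-bit boundary
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, icmp_id: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo/echo-reply datagram (8-byte header + data) with a valid checksum.
    Constructed for the example; no real Stacheldraht binary was used."""
    header = struct.pack("!BBHHH", itype, 0, 0, icmp_id, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, icmp_id, seq) + payload


def parse_icmp(datagram: bytes) -> dict:
    """Parse the 8-byte ICMP echo header; raise ValueError on short or corrupt input."""
    if len(datagram) < 8:
        raise ValueError("ICMP datagram shorter than the 8-byte echo header")
    itype, code, _csum, icmp_id, seq = struct.unpack("!BBHHH", datagram[:8])
    # A datagram with a correct checksum field re-sums to zero.
    if icmp_checksum(datagram) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": itype, "code": code, "id": icmp_id, "seq": seq,
            "payload": datagram[8:]}


def is_stacheldraht_keepalive(datagram: bytes) -> bool:
    """Apply the SID 1855 conditions: echo reply, ICMP id 6666, "skillz" in the data.
    All three must hold; id 6666 alone is not enough to alert on."""
    try:
        pkt = parse_icmp(datagram)
    except ValueError:
        return False                         # malformed traffic is not a match
    return (pkt["type"] == ICMP_ECHOREPLY
            and pkt["id"] == STACHELDRAHT_ID
            and KEEPALIVE in pkt["payload"])


# Constructed sample traffic (not captured data), one datagram per case.
SAMPLES = {
    "agent_keepalive_id6666": build_icmp(ICMP_ECHOREPLY, 6666, 0, b"skillz\x00"),
    "dittrich_variant_id666": build_icmp(ICMP_ECHOREPLY, 666, 0, b"skillz\x00"),
    "ordinary_ping_reply":    build_icmp(ICMP_ECHOREPLY, 6666, 1, bytes(range(56))),
    "echo_request_skillz":    build_icmp(ICMP_ECHOREQUEST, 6666, 0, b"skillz\x00"),
}


def classify(samples=SAMPLES) -> dict:
    """Return {sample name: True if the signature fires} for each datagram."""
    return {name: is_stacheldraht_keepalive(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:26s} {'ALERT' if hit else 'pass'}")
```

Only the first sample fires. The 666-id packet is the one the Dittrich analysis documents, which is exactly why this signature needed its own id value; the ping reply shows that the identifier without the "skillz" string is not a hit, and the echo request shows the direction/type check matters. A practitioner tuning this on live traffic should also watch for a reply carrying "ficken" from the same peer, which the description names as the handler's answer.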
Affected Systems  
Attack Scenarios The agent can be used to mount a distributed denial of service attack
against targets chosen through the handler. Its presence also means that the
machine running it has already been compromised.
Ease of Attack  
Corrective Action Take the machine off line as soon as possible and rebuild it from a completely new install; do not trust the existing system, since the agent was installed through an earlier compromise. Check other hosts for the same traffic, as one handler controls many agents.
Additional References  
Rule References url: staff.washington.edu/dittrich/misc/stacheldraht.analysis