* * * * *

“I have a bad feeling about this.”

On Monday (which I didn't report), I went to Atlantic Internet [1] to do some consulting. One of the salespeople there is involved in some projects and I was brought in to help. While there, the box being used, a RedHat 6.0 distribution, appeared to have been compromised. Not like my roommate's box [2] but still, syslogd wasn't running like it should, and there appeared to be an abnormal number of httpd's running, but it's a webserver so I didn't think anything of it. I shut off ftpd and added entries to /etc/hosts.allow and /etc/hosts.deny until it could be patched up or upgraded.

Fast forward to today (way early or way late, take your pick) and I'm reading Slashdot [3] when I come across the article [4] about some recent DoS attacks against some very large sites. In the discussion, I follow one of the links to an analysis of stacheldraht, [5] a program that is suspected to have been used in the DoS. And the code seems to have been written for Solaris 2.x and Linux, specifically the RedHat 6.0 distribution.

> Like TFN, C macros ("config.h") define values used for expressing commands,
> replacement argument vectors ("HIDEME" and "HIDEKIDS") to conceal program
> names, etc.:
>
> -----[ C ]-----
> #ifndef _CONFIG_H
>
> /* user defined values for the teletubby flood network */
>
> #define HIDEME "(kswapd)"
> #define HIDEKIDS "httpd"
> #define CHILDS 10
> -----[ END OF LINE ]-----

The box in question, like I stated, is a RedHat 6.0. What I haven't mentioned is that it's sitting behind a T3. And there were an abnormally large number of httpd's running.

I have a bad feeling about this.

[1] http://www.aibusiness.net/
[2] gopher://gopher.conman.org/0Phlog:2000/01/30.1
[3] http://slashdot.org/
[4] http://slashdot.org/article.pl?sid=00/02/08/0344217&mode=flat
[5] http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

Email author at sean@conman.org.
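The quoted config.h shows the trick that makes this kind of agent blend into a process list: it overwrites its own argument vector so `ps` reports "(kswapd)" for the parent and "httpd" for the children. On Linux the argument vector is writable by the process, but `/proc/PID/exe` (the link to the binary actually executed) is maintained by the kernel, and a real kernel thread such as kswapd has an empty `/proc/PID/cmdline` and no `exe` link at all. The script below, an added example that is not part of this entry or of the stacheldraht analysis it quotes, walks `/proc` and flags processes whose advertised name does not match the binary behind them. The `ProcInfo`, `classify`, `find_hidden` and `scan_proc` names and the sample process table (including the `/tmp/.x/daemon` path) are constructed for the example; `/proc/PID/cmdline` and `/proc/PID/exe` are the real Linux interfaces.

```python
"""Triage helper: spot processes whose argv[0] disagrees with the binary they run.

Added example (not from the phlog entry or the stacheldraht analysis).
Heuristic only: a kernel-level rootkit can hide PIDs from /proc entirely, so
treat a clean result as "nothing found by this check", not as a clean host.
"""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcInfo:
    pid: int
    cmdline: str        # raw /proc/PID/cmdline, NUL-separated; "" for kernel threads
    exe: Optional[str]  # target of /proc/PID/exe, None when absent or unreadable

def classify(p: ProcInfo) -> Tuple[str, str]:
    """Return (status, reason); status is 'ok', 'suspicious' or 'unverifiable'."""
    argv0 = p.cmdline.split("\0", 1)[0]
    if not argv0:
        # Kernel threads (and zombies) have no argv and no exe link; that pair is normal.
        if p.exe is None:
            return ("ok", "")
        return ("suspicious", f"empty argv but backed by binary {p.exe!r}")
    if p.exe is None:
        # Usually a permissions problem (not root) or a process that just exited.
        return ("unverifiable", "exe link unreadable; rerun as root")
    # A user-space process wearing a kernel-thread costume, e.g. "(kswapd)" or "[kswapd]".
    if argv0[0] in "([":
        return ("suspicious", f"kernel-thread style name {argv0!r} backed by {p.exe!r}")
    tokens = argv0.split()
    if not tokens:
        return ("suspicious", f"blank process name backed by {p.exe!r}")
    # Daemons like sshd/sendmail legitimately rewrite argv to "sshd: user@pts/0";
    # keep the leading word and drop decoration before comparing basenames.
    shown = os.path.basename(tokens[0].strip("()[]").rstrip(":"))
    exe_name = os.path.basename(p.exe.removesuffix(" (deleted)"))
    # Prefix match tolerates interpreter drift ("python3" argv vs "python3.11" binary).
    if exe_name.startswith(shown):
        return ("ok", "")
    return ("suspicious", f"claims to be {shown!r} but runs {p.exe!r}")

def find_hidden(procs: List[ProcInfo]) -> List[Tuple[int, str]]:
    """PIDs (with reasons) that classify() marks suspicious."""
    return [(p.pid, reason) for p in procs
            for status, reason in [classify(p)] if status == "suspicious"]

def scan_proc(proc_root: str = "/proc") -> List[ProcInfo]:
    """Collect ProcInfo for every numeric entry under proc_root (empty list off Linux)."""
    infos: List[ProcInfo] = []
    if not os.path.isdir(proc_root):
        return infos
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().decode("utf-8", "replace")
        except OSError:
            continue  # process vanished between listdir and open
        try:
            exe: Optional[str] = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None
        infos.append(ProcInfo(int(name), cmdline, exe))
    return infos

# Constructed process table modelled on the entry: a real kswapd, a genuine httpd
# child, two agents disguised as in config.h, and two benign argv rewriters.
SAMPLE: List[ProcInfo] = [
    ProcInfo(2,    "",                         None),                 # real kernel thread
    ProcInfo(812,  "httpd\0-DFOREGROUND\0",    "/usr/sbin/httpd"),    # genuine web server child
    ProcInfo(4471, "(kswapd)\0",               "/tmp/.x/daemon"),     # HIDEME-style disguise
    ProcInfo(4472, "httpd\0",                  "/tmp/.x/daemon"),     # HIDEKIDS-style child
    ProcInfo(913,  "python3\0app.py\0",        "/usr/bin/python3.11"), # interpreter drift, benign
    ProcInfo(1000, "sshd: root@pts/0\0",       "/usr/sbin/sshd"),     # legitimate argv rewrite
]

if __name__ == "__main__":
    for pid, reason in find_hidden(scan_proc() or SAMPLE):
        print(f"PID {pid}: {reason}")
```

Run it as root so every `exe` link is readable; symlinked shells (`sh` resolving to `dash`) and busybox applets will show up as mismatches and need a quick manual look, which is the price of a heuristic that refuses to trust what the process says about itself.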