The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Wednesday, February 09, 2000

“I have a bad feeling about this.”

On Monday (which I didn't report), I went to Atlantic Internet to do some consulting. One of the salespeople there is involved in some projects and I was brought in to help.

While there, the box being used, a RedHat 6.0 distribution, appeared to have been compromised. Not like my roommate's box but still, syslogd wasn't running like it should, and there appeared to be an abnormal amount of httpd's running, but it's a webserver so I didn't think anything of it.

I shut off ftpd and added entries to /etc/hosts.allow and /etc/hosts.deny until it could be patched up or upgraded.

Fast forward to today (way early or way late, take your pick) and I'm reading Slashdot when I come across the article about some recent DoS attacks against some very large sites. In the discussion, I follow one of the links to an analysis of stacheldraht, a program that is suspected to have been used in the DoS. And the code seems to have been written for Solaris 2.x and Linux, specifically the RedHat 6.0 distribution.

Like TFN, C macros ("config.h") define values used for expressing commands, replacement argument vectors ("HIDEME" and "HIDEKIDS") to conceal program names, etc.:

#ifndef _CONFIG_H

/* user defined values for the teletubby flood network */

#define HIDEME "(kswapd)"
#define HIDEKIDS "httpd"
#define CHILDS 10

The box in question, like I stated, is a RedHat 6.0. What I haven't mentioned is that it's sitting behind a T3. And there were an abnormally large number of httpd's running.

I have a bad feeling about this.
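
A defender's check for the disguise described in the quoted config.h, as an added example that is not part of the original entry or of the analysis it cites: it compares the name a process displays (argv[0], which the process can rewrite) with the binary the kernel reports in /proc/<pid>/exe. The httpd path, the function names and the sample records are assumptions constructed for illustration.

```python
import os

# Assumption: the path(s) where the genuine httpd binary lives on this host.
EXPECTED_EXE = {"httpd": {"/usr/sbin/httpd"}}

def claimed_name(cmdline: bytes) -> str:
    """Program name from argv[0], which the process itself can overwrite."""
    argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace")
    return os.path.basename(argv0.split(" ")[0])

def check(pid, cmdline, exe):
    """Return a finding string if the process looks disguised, else None."""
    if exe is None:
        return None  # real kernel thread or vanished process: nothing to compare
    name = claimed_name(cmdline)
    # Real kernel threads have an empty cmdline and no exe link at all.
    if name.startswith(("(", "[")):
        return f"pid {pid}: kernel-thread style name {name!r} but runs {exe}"
    if name in EXPECTED_EXE and exe not in EXPECTED_EXE[name]:
        return f"pid {pid}: claims to be {name!r} but runs {exe}"
    return None

def scan_proc(root="/proc"):
    """Check every live process on a Linux host (run as root)."""
    findings = []
    for entry in filter(str.isdigit, os.listdir(root)):
        try:
            with open(f"{root}/{entry}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # process exited while we were looking
        try:
            exe = os.readlink(f"{root}/{entry}/exe")
        except PermissionError:
            continue  # not root: cannot judge this process
        except OSError:
            exe = None  # no exe link (kernel thread)
        finding = check(int(entry), cmdline, exe)
        if finding:
            findings.append(finding)
    return findings

SAMPLE = [  # constructed (pid, cmdline, exe) records, not from a real host
    (412, b"/usr/sbin/httpd\0-DSSL\0", "/usr/sbin/httpd"),
    (5, b"", None),                                  # genuine kernel thread
    (901, b"(kswapd)\0", "/tmp/unknown-binary"),     # HIDEME-style name
    (902, b"httpd\0", "/tmp/unknown-binary"),        # HIDEKIDS-style name
]

def scan_sample(records=SAMPLE):
    return [f for f in (check(*r) for r in records) if f]
```

Counting processes named httpd would not separate the last sample record from the first; the exe link does.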


Copyright © 1999-2021 by Sean Conner. All Rights Reserved.