Wednesday, February 09, 2000
“I have a bad feeling about this.”
On Monday (which I didn't report), I went to Atlantic Internet to do some consulting. One of the salespeople there is involved in some projects and I was brought in to help.
While there, the box being used, a RedHat 6.0 distribution, appeared to have been compromised. Not like my roommate's box, but still, syslogd wasn't running like it should, and there appeared to be an abnormal number of httpd's running, but it's a webserver so I didn't think anything of it.
I shut off ftpd and added entries to /etc/hosts.allow and /etc/hosts.deny until it could be patched up or upgraded.
Fast forward to today (way early or way late, take your pick) and I'm reading Slashdot when I come across the article about some recent DoS attacks against some very large sites. In the discussion, I follow one of the links to an analysis of stacheldraht, a program that is suspected to have been used in the DoS. And the code seems to have been written for Solaris 2.x and Linux, specifically the RedHat 6.0 distribution.
Like TFN, C macros ("config.h") define values used for expressing commands, replacement argument vectors ("HIDEME" and "HIDEKIDS") to conceal program names, etc.:
#ifndef _CONFIG_H
/* user defined values for the teletubby flood network */
#define HIDEME "(kswapd)"
#define HIDEKIDS "httpd"
#define CHILDS 10
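As an added illustration (not code from the original post, nor from the stacheldraht analysis it links), here is a small POSIX sh check for processes hiding behind borrowed names the way HIDEME and HIDEKIDS do. Overwriting argv[0] changes what ps shows, but not what /proc/PID/exe points at, so the script compares the two. The Apache path /usr/sbin/httpd and the sample process listing are assumptions constructed for the example, not details from the page.

```shell
#!/bin/sh
# Added example, not code from the original post. Flags processes whose
# argv[0] claims one name (stacheldraht's HIDEME "(kswapd)" / HIDEKIDS
# "httpd") while /proc/PID/exe resolves to something else.
# Assumptions (not from the page): Apache lives at /usr/sbin/httpd, and a
# genuine kswapd is a kernel thread with no userland binary behind it.

# Map a claimed process name to the only executable it may come from.
# Prints an empty line for names we do not check.
expected_exe() {
    case "$1" in
        httpd)  printf '%s\n' /usr/sbin/httpd ;;
        kswapd) printf '%s\n' - ;;   # kernel thread: no /proc/PID/exe target
        *)      printf '\n' ;;
    esac
}

# Read "PID NAME EXE" records on stdin, one per line, and print the ones
# whose NAME is a known disguise but whose EXE does not match.
# NAME is argv[0] as ps shows it; EXE is readlink of /proc/PID/exe, or "-".
find_disguised() {
    while read -r pid name exe; do
        clean=$(basename "$name" | tr -d '()')   # "(kswapd)" -> "kswapd"
        want=$(expected_exe "$clean")
        [ -n "$want" ] || continue
        [ "$exe" = "$want" ] || printf '%s %s %s\n' "$pid" "$name" "$exe"
    done
}

# Number of suspicious records; handy for a cron check or an assertion.
count_disguised() {
    find_disguised | wc -l | tr -d ' '
}

# Build the records from a live Linux /proc (run as root so every exe link
# is readable). Kernel threads have an empty cmdline and are skipped.
collect_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null || printf '%s' -)
        printf '%s %s %s\n' "$pid" "$argv0" "$exe"
    done
}

# Constructed sample standing in for collect_procs output on a box like the
# one in the post: honest apache children and the real kswapd, then a flood
# daemon and a handler hiding behind borrowed names.
sample_procs() {
cat <<'EOF'
211 /usr/sbin/httpd /usr/sbin/httpd
212 httpd /usr/sbin/httpd
3 kswapd -
4411 httpd /tmp/.x/td
4412 (kswapd) /tmp/.x/mserv
EOF
}

# On a live box:  collect_procs | find_disguised
sample_procs | find_disguised
```

On the sample above only the last two records are printed. Run as root, since an unprivileged user cannot read /proc/PID/exe for other users' processes and every such process would show up as "-".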
The box in question, like I stated, is a RedHat 6.0. What I haven't mentioned is that it's sitting behind a T3. And there were an abnormally large number of httpd's running.
I have a bad feeling about this.