Hi Fred and friends all: ---- "Fred A. Miller" wrote:
http://www.zdnet.com/zdnn/stories/news/0,4586,2624180,00.html?chkpt=zdnnstop
Fred, thanks for this new point, nice shot!! This is the "Trinity v3 DDoS tool Alert". See: [LINKS]

Who said that Linux won't have worms/hoaxes and is not virus immune?? Pity that they barked it so quick!! Chat/IRC is Internet-risky...... unless..... the Linux community reacts quick!! =`8)

OK, YOU DID IT YET, see rc.firewall on [FireWalls] or do some 'trinoo' search at: http://astalavista.box.sk (or we could become flamed as $MS. ###@#@u@a@r$g$)

Good opportunity for Security Gurus. Worth that any [Knowledge Man/GURU] explain in very high detail the components involved. Or read a full explanation from [LINKS]. Read it also for Recommendations.

[Points to consider]
We could all learn a lot about some very interesting issues raised:
1- How does the Trinity worm obtain access to process space and to the file system [??- Buffer overflow -?? CERTAINLY!!] and:
   a) Gain root level.
   b) Write out a file (may well be at /tmp)
   c) Link it directly with [/usr/lib/idle.so] and enable function so easy
   d) Write out a /var/spool/uucp/uucico which is used/fired by the idle loop. (AKA $MS virus for Linux!! File corruption by Virus!!)
2- Some knowledge about [Buffer overflow] penetration mechanisms at source level.

[Small cuts from ISS X-Force Alert]
servers in the binary (Trinity v3):
204.127.145.17 216.24.134.10 208.51.158.10 199.170.91.114 207.173.16.33 207.96.122.250 205.252.46.98 216.225.7.155 205.188.149.3 207.69.200.131 207.114.4.35<<
Another binary found on affected systems is /var/spool/uucp/uucico. This binary is not to be confused with the real "uucico", which resides in /usr/sbin, or other default locations such as /usr/lib/uucp. This is a simple backdoor program that listens on TCP port 33270 for connections. When a connection is established, the attacker sends a password to get a root shell. The password in the binaries that we have analyzed is "!@#". When the uucico binary is executed it changes its name to "fsflush".<< etc, etc...
[LINKS] Trinity v3 originally pointed out by: ISS/X-Force http://xforce.iss.net "Trinity v3 Distributed Denial of Service tool" at: [http://xforce.iss.net/alerts/advise59.php]
David Dittrich<< mailto:dittrich@cac.washington.edu
Writes as "trinoo.analysis.txt" at:
http://www.ussrback.com/docs/distributed/trinoo.analysis.txt
http://packetstorm.securify.com/distributed/trinoo.analysis.txt
that:
[the DoS Project's "trinoo" (a.k.a. "trin00")] binaries were found on systems
on the Internet that are being compromised by remote buffer overrun
exploitation.
[FireWalls]
rc.firewall (108529 bytes)
http://packetstorm.securify.com/UNIX/firewall/ipchains/rc.firewall
New rules to block the Trinity v3 DoS tool and much more including support for
an external script for custom changes.
By: Jean-Sebastien Morisset
mailto:jsmoriss@jsm-mv.dyndns.org
And last but not least:
[Related Refs>>>
(trinoo.tgz) Trinoo daemon source - Implements a distributed denial of service
attack.
Controlled via UDP.
http://www.ussrback.com/docs/distributed/trinoo.tgz
http://packetstorm.securify.com/distributed/trinoo.tgz
(Sources do not include infection/penetration mechanism nor buffer-overflow
exploit)
<<
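As an added example (not part of the original message, the ISS alert, or the rc.firewall script), here is a small host-triage script that checks for the indicators the quoted ISS excerpt gives for the Trinity v3 backdoor: a listener on TCP port 33270, a socket owned by a process calling itself "fsflush", a connection to one of the IRC server addresses listed in the binary, and a "uucico" file at /var/spool/uucp/uucico rather than in /usr/sbin or /usr/lib/uucp. The netstat-style input lines and the file paths are constructed samples; the assumed input format is Linux `netstat -tanp` output, and the rule that flags any "uucico" outside the two legitimate directories generalizes slightly beyond the alert's wording.

```python
"""Triage helper for the Trinity v3 / uucico backdoor indicators quoted above.

Indicators come from the ISS X-Force excerpt in the message; the sample
netstat lines and paths below are constructed for demonstration only.
"""
import re

BACKDOOR_PORT = 33270               # uucico backdoor listens here (ISS)
BACKDOOR_PROCESS_NAME = "fsflush"   # name the backdoor renames itself to (ISS)
BACKDOOR_PATH = "/var/spool/uucp/uucico"
LEGIT_UUCICO = {"/usr/sbin/uucico", "/usr/lib/uucp/uucico"}  # real uucico (ISS)
TRINITY_IRC_SERVERS = {             # IRC servers found in the Trinity v3 binary
    "204.127.145.17", "216.24.134.10", "208.51.158.10", "199.170.91.114",
    "207.173.16.33", "207.96.122.250", "205.252.46.98", "216.225.7.155",
    "205.188.149.3", "207.69.200.131", "207.114.4.35",
}

# Assumed format: one line of `netstat -tanp` (Linux), e.g.
# tcp  0  0 0.0.0.0:33270  0.0.0.0:*  LISTEN  1471/fsflush
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)$"
)


def scan_netstat(lines):
    """Return (indicator, line) pairs for socket lines matching the alert."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header lines or UDP sockets: not in scope here
        if m["state"] == "LISTEN" and int(m["lport"]) == BACKDOOR_PORT:
            findings.append(("listener_on_backdoor_port", line))
        if m["prog"] == BACKDOOR_PROCESS_NAME:
            findings.append(("fsflush_process_with_socket", line))
        if m["raddr"] in TRINITY_IRC_SERVERS:
            findings.append(("connection_to_trinity_irc_server", line))
    return findings


def scan_paths(paths):
    """Return (indicator, path) pairs for suspicious uucico locations."""
    findings = []
    for p in paths:
        if p == BACKDOOR_PATH:
            findings.append(("backdoor_uucico_path", p))
        elif p.rsplit("/", 1)[-1] == "uucico" and p not in LEGIT_UUCICO:
            # Generalization: any uucico outside the known legitimate
            # directories deserves a look, even if not the exact alert path.
            findings.append(("uucico_outside_expected_locations", p))
    return findings


# Constructed sample input: one benign sshd listener, the backdoor listener,
# and an outbound IRC session from the renamed process.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:33270           0.0.0.0:*               LISTEN      1471/fsflush
tcp        0      0 10.0.0.5:1035           216.24.134.10:6667      ESTABLISHED 1466/fsflush
"""
SAMPLE_PATHS = ["/usr/sbin/uucico", "/var/spool/uucp/uucico", "/tmp/uucico", "/bin/ls"]

if __name__ == "__main__":
    for kind, evidence in scan_netstat(SAMPLE_NETSTAT.splitlines()):
        print(f"[{kind}] {evidence}")
    for kind, evidence in scan_paths(SAMPLE_PATHS):
        print(f"[{kind}] {evidence}")
```

On a live system you would feed `scan_netstat` the output of `netstat -tanp` and `scan_paths` the result of a filesystem walk; a hit on any of the four indicators is a reason to pull the box for forensics rather than just deleting the file, since the alert notes the backdoor is planted after a root-level buffer-overflow compromise.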