VID 24016
Severity 40
Port
Protocol ICMP
Class BackDoor
Detailed Description The remote host appears to be running Stacheldraht, a trojan that can be used to control your system or to make it attack another network; it is a distributed denial of service (DDoS) attack tool. Denial of service is a technique that denies access to a resource by overloading it, for example by packet flooding in the network context.
"Stacheldraht" belongs to the same family of tools as Trinoo, TFN and TFN2K. As with those tools, Stacheldraht is made up of master (handler) and daemon, or "bcast" (agent), programs. Stacheldraht (German for "barbed wire") combines features of the "trinoo" distributed denial of service tool with those of the original TFN, and adds encryption of the communication between the attacker and the Stacheldraht masters as well as automated updating of the agents. Along with trinoo's handler/agent features, Stacheldraht also shares TFN's distributed network denial of service capabilities: ICMP flood, SYN flood, UDP flood, and "Smurf" style attacks. Unlike the original TFN and TFN2K, the analyzed Stacheldraht code does not contain the "on demand" root shell bound to a TCP port. It is very likely that this host has been compromised.

For more information on Stacheldraht, see:
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

* References:
http://www.iss.net/security_center/static/5279.php
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
Recommendation Restore your system from backups, and contact CERT and your local authorities.
Related URL CVE-2000-0138 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)