IRC Botnet, Solaris in.named Vulnerability, Information about SuckIT Rootkit
IRC Botnet Found and Shutdown
We received a report this morning from the Telenor Security Operations Center (SOC) of an IRC botnet. The network contained over 10000 clients. The server has now been shut down. If you have network traffic logs, you may want to check for connections from your hosts/network to the IRC server -- it was listening on IP 203.81.40.172 tcp port 10009.
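As an added example (not part of the diary), the check above written as a small log sweep: it parses a constructed key=value connection log (the format and the hosts in it are assumptions, the IP and port are the diary's indicator) and reports every internal host that made a TCP connection, allowed or denied, to the IRC server.

```python
import re
from collections import Counter

# Indicator from the diary: the botnet's IRC server listened here.
BOTNET_SERVER_IP = "203.81.40.172"
BOTNET_SERVER_PORT = 10009

# Constructed sample of a generic key=value connection log (not real data).
SAMPLE_LOG = """\
2004-04-20T08:01:12 proto=tcp src=10.1.2.30 sport=40111 dst=203.81.40.172 dport=10009 action=allow
2004-04-20T08:01:15 proto=tcp src=10.1.2.30 sport=40112 dst=198.51.100.7 dport=443 action=allow
2004-04-20T08:02:03 proto=tcp src=10.1.5.77 sport=51222 dst=203.81.40.172 dport=10009 action=allow
2004-04-20T08:02:09 proto=udp src=10.1.2.30 sport=5353 dst=203.81.40.172 dport=10009 action=allow
2004-04-20T08:03:44 proto=tcp src=10.1.2.30 sport=40120 dst=203.81.40.172 dport=10009 action=deny
2004-04-20T08:05:00 proto=tcp src=10.1.9.9 sport=33001 dst=203.81.40.172 dport=6667 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) sport=\d+ "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_botnet_clients(log_text, ip=BOTNET_SERVER_IP, port=BOTNET_SERVER_PORT):
    """Map each source host to its number of TCP connections to ip:port.

    Denied attempts are counted too: a host that tried to reach the
    controller is worth a look even if the firewall stopped it.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "tcp" and rec["dst"] == ip and rec["dport"] == port:
            hits[rec["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in sorted(find_botnet_clients(SAMPLE_LOG).items()):
        print(f"{host}: {n} connection(s) to {BOTNET_SERVER_IP}:{BOTNET_SERVER_PORT}")
```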
Solaris in.named Vulnerability
The Solaris in.named daemon process may cease proper functioning if it receives an invalid DNS dynamic update. The Sun bulletin with information about the vulnerability and links to the patches can be found at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57614-1
Information about SuckIT Rootkit
We received a query today from Dan about a file he found on a Solaris system. George Bakos, one of the ISC Handlers, determined it to be a copy of the "suckit" rootkit. His reply included:
'On first inspection, it appears to be the Linux kernel rootkit "suckit". Suckit is loaded directly into kernel memory, hiding its existence and allowing an attacker to remain on the box undetected while she maintains root-level control. A number of high-performance computing facilities have seen a lot of this activity on Linux and Sun systems. Stanford has a writeup at:
http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html
I would pay particular attention to other hosts that this machine may have been able to reach. Do you have packet-level logs of outgoing traffic from it?'