"Carko" Distributed Denial-of-Service Tool
Date: Tuesday, April 24, 2001
Overview
The CERT/CC has received reports that a distributed denial-of-service (DDoS) tool named Carko is being installed on compromised hosts. Preliminary analysis indicates that Carko appears to be similar to stacheldraht+antigl+yps. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability described in the following document to compromise hosts and then install Carko.
- VU#648304 - Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow
On March 30, 2001 the CERT/CC published CERT Advisory CA-2001-05 describing this vulnerability.
Impact
Compromised hosts are at high risk for being used to attack other Internet sites, having system binaries and configuration files altered, and exposing sensitive information to external parties. Additionally, DDoS tools are capable of diminishing the availability of services through packet flooding attacks and other resource consumption based attacks.
Solution
The CERT/CC encourages Internet users and sites to ensure systems are up to date with current vendor security patches or workarounds for known security vulnerabilities. For more information, please see the related CERT/CC documents:
CERT Advisory CA-2001-05
Exploitation of snmpXdmid
http://www.cert.org/advisories/CA-2001-05.htmlVulnerability Note VU#648304
Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow
http://www.kb.cert.org/vuls/id/648304
If you believe your host has been compromised, please follow the steps outlined in
Copyright 2001 Carnegie Mellon University.