CERT Incident Note IN-2001-04: "Carko" Distributed Denial-of-Service Tool

Pages in the Historical section of this site are provided for historical purposes; they are no longer maintained. Links may not work.

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

"Carko" Distributed Denial-of-Service Tool

Date: Tuesday, April 24, 2001


The CERT/CC has received reports that a distributed denial-of-service (DDoS) tool named Carko is being installed on compromised hosts. Preliminary analysis indicates that Carko appears to be similar to stacheldraht+antigl+yps. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability described in the following document to compromise hosts and then install Carko.

VU#648304 - Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow

On March 30, 2001 the CERT/CC published CERT Advisory CA-2001-05 describing this vulnerability.


Compromised hosts are at high risk of being used to attack other Internet sites, of having system binaries and configuration files altered, and of exposing sensitive information to external parties. Additionally, DDoS tools are capable of diminishing the availability of services through packet-flooding attacks and other resource-consumption attacks.


The CERT/CC encourages Internet users and sites to ensure systems are up to date with current vendor security patches or workarounds for known security vulnerabilities. For more information, please see the related CERT/CC documents:

If you believe your host has been compromised, please follow the steps outlined in "Steps for Recovering From a Root Compromise".

Author: Ian Finlay

Copyright 2001 Carnegie Mellon University.
