The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community. <h2>"Carko" Distributed Denial-of-Service Tool</h2> Date: Tuesday, April 24, 2001<p> <h1>Overview</h1> The CERT/CC has received reports that a distributed denial-of-service (DDoS) tool named Carko is being installed on compromised hosts. Preliminary analysis indicates that Carko appears to be similar to stacheldraht+antigl+yps. Based on reports to the CERT/CC, intruders are using the <a href="http://www.kb.cert.org/vuls/id/648304">snmpXdmid</a> vulnerability described in the following document to compromise hosts and then install Carko.<p> <dl> <dd><a href="http://www.kb.cert.org/vuls/id/648304">VU#648304</a> - Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow</dd> </dl> <p>On March 30, 2001 the CERT/CC published <a href="/advisories/CA-2001-05.html">CERT Advisory CA-2001-05</a> describing this vulnerability. <h1>Impact</h1> <p> Compromised hosts are at high risk for being used to attack other Internet sites, having system binaries and configuration files altered, and exposing sensitive information to external parties. Additionally, DDoS tools are capable of diminishing the availability of services through packet flooding attacks and other resource consumption based attacks. <p> <h1>Solution</h1> <p> The CERT/CC encourages Internet users and sites to ensure systems are up to date with current vendor security patches or workarounds for known security vulnerabilities. For more information, please see the related CERT/CC documents: <p> <ul> <li><p>CERT Advisory CA-2001-05<br/> Exploitation of snmpXdmid<br/> <a href="/advisories/CA-2001-05.html"> http://www.cert.org/advisories/CA-2001-05.html</a> </p> <li><p>Vulnerability Note VU#648304<br/> Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow<br/> <a href="http://www.kb.cert.org/vuls/id/648304"> http://www.kb.cert.org/vuls/id/648304</a> </p> </li></li></ul> <p> If you believe your host has been compromised, please follow the steps outlined in </p> <p> <dd><a href="http://www.cert.org/tech_tips/root_compromise.html"> Steps for Recovering From a Root Compromise</a> </dd></p> <b>Author</b>: <a href="mailto:cert@cert.org?subject=IN-2001-04%20Feedback">Ian Finlay<br/> <!--#include virtual="/include/footer_nocopyright.html" --> <p>Copyright 2001 Carnegie Mellon University.</p> </a></p></p></p></p></p></p></p> |