The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>"Carko" Distributed Denial-of-Service Tool</h2>

Date: Tuesday, April 24, 2001<p>
<h1>Overview</h1>

The CERT/CC has received reports that a distributed denial-of-service
(DDoS) tool named Carko is being installed on compromised
hosts. Preliminary analysis indicates that Carko appears to be similar
to stacheldraht+antigl+yps. Based on reports to the CERT/CC, intruders
are using the <a href="http://www.kb.cert.org/vuls/id/648304">snmpXdmid</a>
vulnerability described in the following document to compromise hosts
and then install Carko.<p>
<dl>
<dd><a href="http://www.kb.cert.org/vuls/id/648304">VU#648304</a> - Sun
Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer
overflow</dd>
</dl>
<p>On March 30, 2001 the CERT/CC published <a href="/advisories/CA-2001-05.html">CERT Advisory CA-2001-05</a> describing
this vulnerability. 

<h1>Impact</h1>
<p>
Compromised hosts are at high risk for being used to attack other
Internet sites, having system binaries and configuration files
altered, and exposing sensitive information to external parties.
Additionally, DDoS tools are capable
of diminishing the availability of services through packet flooding
attacks and other resource consumption based attacks.
<p>
<h1>Solution</h1>
<p>
The CERT/CC encourages Internet users and sites to ensure systems are
up to date with current vendor security patches or workarounds for
known security vulnerabilities. For more information, please see the
related CERT/CC documents:
<p>
<ul>
<li><p>CERT Advisory CA-2001-05<br/>
    Exploitation of snmpXdmid<br/>
<a href="/advisories/CA-2001-05.html">
    http://www.cert.org/advisories/CA-2001-05.html</a>
</p>
<li><p>Vulnerability Note VU#648304<br/>
    Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow<br/>
<a href="http://www.kb.cert.org/vuls/id/648304">
    http://www.kb.cert.org/vuls/id/648304</a>
</p>
</li></li></ul>
<p>
If you believe your host has been compromised, please follow the
steps outlined in
</p>
<p>
<dd><a href="http://www.cert.org/tech_tips/root_compromise.html">
    Steps for Recovering From a Root Compromise</a>
</dd></p>
<b>Author</b>: <a href="mailto:cert@cert.org?subject=IN-2001-04%20Feedback">Ian Finlay<br/>
<!--#include virtual="/include/footer_nocopyright.html" -->
<p>Copyright 2001 Carnegie Mellon University.</p>
</a></p></p></p></p></p></p></p>