trinoo
- Attacks:
- Communication:
- 27665/tcp from attacker to "master(s)"
- 27444/udp from "master(s)" to "daemons"
- Command format from master to daemon: "command l44adsl [arguments]" (l44adsl is the daemon password)
- 31335/udp from "daemons" to "master(s)"
- Encryption:
- Master encrypts daemon list using Blowfish
- Master execution protected by crypt() encrypted password
- Daemon commands protected by crypt() encrypted passwords
- Privileges:
- Root not required (uses unprivileged ports)
- Forensics:
- Master IP addresses visible (+)
- Enough strings to recognize daemon/master easily (+)
- Listening TCP/UDP ports can be seen with "lsof" (+)
- Attacker session not encrypted (+)
- "Root Kits" hide processes/files/directories (-)
- Ethernet switches make monitoring TCP/UDP traffic difficult (-)
- [Analysis]
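As an added example, not code from the trinoo analysis and not trinoo's own code, the following Python ties the Communication and Forensics items above together: it classifies flow records by the three port/protocol pairs, decodes the "command l44adsl [arguments]" master-to-daemon format, and attributes hosts to attacker, master and daemon roles so that master IP addresses fall out of either direction of traffic. The flow-record layout, the sample addresses, and the command words used in the sample data (aaa, png, PONG) are assumptions for illustration and are not taken from this page.

```python
"""Spot trinoo control traffic in flow records and decode daemon commands.
Added example, not code from the trinoo analysis; the record layout and the
sample lines below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# (protocol, destination port) -> role, taken from the Communication list above.
TRINOO_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 27665): "attacker->master",
    ("udp", 27444): "master->daemon",
    ("udp", 31335): "daemon->master",
}

# Default daemon password carried in every master->daemon command
# ("command l44adsl [arguments]").  A recompiled daemon may use another one.
DAEMON_PASSWORD = "l44adsl"


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'proto src:sport > dst:dport [payload]'."""
    parts = line.strip().split(None, 4)
    if len(parts) < 4 or parts[2] != ">":
        raise ValueError(f"malformed flow record: {line!r}")
    src, sport = parts[1].rsplit(":", 1)
    dst, dport = parts[3].rsplit(":", 1)
    payload = parts[4] if len(parts) == 5 else ""
    return Flow(parts[0].lower(), src, int(sport), dst, int(dport), payload)


def classify(flow: Flow) -> Optional[str]:
    """Return the trinoo role implied by protocol and destination port, or None."""
    return TRINOO_PORTS.get((flow.proto, flow.dport))


def parse_daemon_command(payload: str) -> Optional[Tuple[str, List[str]]]:
    """Split 'command l44adsl [arguments]' into (command, arguments).

    Returns None when the second word is not the daemon password, so stray
    UDP traffic that happens to hit port 27444 is not reported as a command."""
    words = payload.split()
    if len(words) < 2 or words[1] != DAEMON_PASSWORD:
        return None
    return words[0], words[2:]


@dataclass
class Picture:
    attackers: Set[str] = field(default_factory=set)
    masters: Set[str] = field(default_factory=set)
    daemons: Set[str] = field(default_factory=set)
    commands: List[Tuple[str, str, str, List[str]]] = field(default_factory=list)
    unconfirmed: List[str] = field(default_factory=list)  # right port, no valid command


def build_picture(lines: List[str]) -> Picture:
    """Attribute hosts to roles; each direction names the master on the wire."""
    pic = Picture()
    for line in lines:
        flow = parse_flow(line)
        role = classify(flow)
        if role == "attacker->master":
            pic.attackers.add(flow.src)
            pic.masters.add(flow.dst)
        elif role == "master->daemon":
            cmd = parse_daemon_command(flow.payload)
            if cmd is None:
                pic.unconfirmed.append(line.strip())  # do not attribute roles
                continue
            pic.masters.add(flow.src)
            pic.daemons.add(flow.dst)
            pic.commands.append((flow.src, flow.dst, cmd[0], cmd[1]))
        elif role == "daemon->master":
            pic.daemons.add(flow.src)
            pic.masters.add(flow.dst)
    return pic


# Constructed sample records: documentation-range addresses; the command words
# and the PONG reply are assumptions, not taken from this page.
SAMPLE_FLOWS = [
    "tcp 198.51.100.7:40123 > 192.0.2.10:27665",
    "udp 192.0.2.10:5555 > 203.0.113.21:27444 aaa l44adsl 192.0.2.99",
    "udp 192.0.2.10:5555 > 203.0.113.22:27444 png l44adsl",
    "udp 203.0.113.21:2000 > 192.0.2.10:31335 PONG",
    "udp 203.0.113.50:53 > 203.0.113.21:27444 not a trinoo command",
    "tcp 203.0.113.21:3333 > 203.0.113.60:80",
]

if __name__ == "__main__":
    pic = build_picture(SAMPLE_FLOWS)
    print("attackers:", sorted(pic.attackers))
    print("masters:  ", sorted(pic.masters))
    print("daemons:  ", sorted(pic.daemons))
    for src, dst, cmd, args in pic.commands:
        print(f"command {cmd!r} {args} from {src} to {dst}")
    print("unconfirmed port hits:", pic.unconfirmed)
```

The port numbers and the l44adsl password are compile-time constants, so a rebuilt master or daemon defeats both checks; the payload check only keeps unrelated UDP traffic on 27444 from being attributed as a master, and the port-only hits are kept in a separate list for a human to look at.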
Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Mon Nov 1 22:12:00 PST 1999