Compromised System RH7.3-ICMP-STP-DoS
From: Ron Gedye <rgedye(at)hotmail.com>
Date: Fri Dec 20 2002 - 16:38:20 EST
(the message below was originally sent to bugtraq and it was recommended
Please pardon and redirect me if this is not particularly the best forum for these questions... A colleague informed me of strange behavior on one of his UNIX (RH7.3) systems. Upon investigation I duplicated the behavior and observed an anomaly in which the compromised system appeared to be demonstrating the ability to communicate with other specific hosts using improper/encrypted data over ICMP response packets. I am able to reset a router with a simple ping response from the host in question once a telnet session is established.

I have observed an extremely high volume of traffic from this host, triggered at a nearly specific time three days in a row, growing each day, finally to full DoS. (From stats and external observations only; I have as of yet been unable to record this traffic, as the machine is now in quarantine.)

The compromise is directly tied to an IP address; attempts to re-IP the machine result in ifconfig displaying the original configuration and yet allowing communication to both the old and new IP. Under these conditions, a specific 2nd-hop destination never receives an ICMP echo request or other traffic.
Although preliminary, it appears the compromise can be (temporarily?) mitigated by rebooting the system with the new IP configuration, and returns when the original IP config is booted to. This is possibly related to specific routes assigned with the original config that are not present with the new config. The original config places a specific router (mentioned above) as the next hop to a number of networks; only one gw IP of which appears to not receive the echo requests or any other network communication.
This host also, upon quick initial investigation, appears to be acting as a root for Spanning Tree Protocol on a high port.
Two questions for the list:
1. Although this appears to be an SSH-related variant (only HTTP and SSH open externally), there appears to be behavior that I have not heard of; although the recent Cisco SSH packet
2. Are the better (more appropriate), or other lists to which one would recommend that I pose these and other questions and observations to before completing the formal report? I would like to gain insight from others and get recommendations for toolsets and procedures to track down this specific compromise.
Thank you for your time.
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Dec 20 17:22:49 2002. This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT
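The poster asks for toolsets and procedures to track down a host that appears to be passing data to other machines inside ICMP echo replies. The script below is an added example, not code from the original post or from any tool mentioned in it. It applies two checks that follow directly from RFC 792: an echo reply must answer a prior echo request with the same identifier and sequence number, and it must carry the request's payload back unchanged. Replies that nobody asked for, or whose data differs from the request, are exactly what a covert channel over "ping responses" looks like on the wire. The packets it processes are constructed inline with a small builder (the addresses, identifiers and payload bytes are made up for the example); on a real incident you would feed it raw IPv4 frames pulled from a capture taken on a span port or a host that is not the suspect.

```python
"""Flag ICMP echo traffic that may be carrying a covert channel.

Added example, not from the original post. Parses raw IPv4/ICMP packets
(as you would read them out of a pcap) and reports echo replies that either
have no matching request or do not echo the request's payload back verbatim.
All packets below are constructed test data, not captured traffic.
"""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte, as the RFC does
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src: str, dst: str, icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an IPv4 packet carrying an ICMP echo request/reply (for constructing test data only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto=1 (ICMP), checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_echo(pkt: bytes):
    """Return (src, dst, icmp_type, ident, seq, payload) for an ICMP echo packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8 or icmp[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    if checksum(icmp) != 0:
        return None  # corrupt ICMP checksum; a real stack would drop it, so don't pair it
    ident, seq = struct.unpack("!HH", icmp[4:8])
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, icmp[0], ident, seq, icmp[8:]


def audit_echo_traffic(packets):
    """Walk packets in capture order and return a list of (packet_index, reason) findings.

    Outstanding requests are keyed by (requester, target, ident, seq). A reply is
    expected to flow target -> requester with the same ident/seq and an identical
    payload (RFC 792); anything else is reported.
    """
    outstanding = {}
    findings = []
    for i, pkt in enumerate(packets):
        parsed = parse_echo(pkt)
        if parsed is None:
            continue
        src, dst, itype, ident, seq, payload = parsed
        if itype == ICMP_ECHO_REQUEST:
            outstanding[(src, dst, ident, seq)] = payload
            continue
        key = (dst, src, ident, seq)  # the reply's source is the request's target
        if key not in outstanding:
            findings.append((i, f"unsolicited echo reply {src} -> {dst} id={ident} seq={seq}"))
            continue
        requested = outstanding.pop(key)
        if payload != requested:
            findings.append((i, f"echo reply {src} -> {dst} id={ident} seq={seq} "
                                f"payload differs from request ({len(requested)} -> {len(payload)} bytes)"))
    return findings


# Constructed sample capture: a 56-byte iputils-style ping body (8-byte timestamp slot
# followed by 0x08..0x37), one clean request/reply pair, one reply whose body was
# swapped out, and one reply that answers no request at all.
PING_PAYLOAD = bytes(8) + bytes(range(8, 56))
SAMPLE_PACKETS = [
    build_echo("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, 0x1A2B, 1, PING_PAYLOAD),
    build_echo("10.0.0.1", "10.0.0.5", ICMP_ECHO_REPLY, 0x1A2B, 1, PING_PAYLOAD),
    build_echo("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, 0x1A2B, 2, PING_PAYLOAD),
    build_echo("10.0.0.1", "10.0.0.5", ICMP_ECHO_REPLY, 0x1A2B, 2, b"\x9f\x02" * 28),
    build_echo("10.0.0.1", "192.0.2.77", ICMP_ECHO_REPLY, 0x0001, 7, bytes.fromhex("deadbeef0102")),
]

if __name__ == "__main__":
    for index, reason in audit_echo_traffic(SAMPLE_PACKETS):
        print(f"packet {index}: {reason}")
```

Two of the five constructed packets are reported: the reply whose body no longer matches its request, and the reply sent to a host that never asked. Pairing by (requester, target, ident, seq) is what makes the check robust against volume: a host that merely pings a lot produces matched pairs, while a host that is answering questions nobody asked, or rewriting the echoed bytes, stands out regardless of how the payload is encoded.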