On Monday (which I didn't report), I went to Atlantic Internet [1] to do some consulting. One of the salespeople there is involved in some projects and I was brought in to help.
While there, the box being used, a RedHat 6.0 distribution, appeared to have been compromised. No like my roommate's box [2] but still, syslogd wasn't running like it should, and there appeared to be an abnormal amount of httpd's running, but it's a webserver so I didn't think anything of it.
I shut off ftpd and added entries to /etc/hosts.allow and /etc/hosts.deny until it could be patched up or upgraded.
Fast forward to today (way early or way late, take your pick) and I'm reading Slashdot [3] when I come across the article [4] about some recent DoS attacks against some very large sites. In the discussion, I follow one of the links to an analysis of stacheldraht, [5] a program that is suspected to have been used in the DoS. And the code seems to have been written for Solaris 2.x and Linux, specifically the RedHat 6.0 distribution.
Like TFN, C macros ("config.h") define values used for expressing commands, replacement argument vectors ("HIDEME" and "HIDEKIDS") to conceal program names, etc.:
>
```
#ifndef _CONFIG_H
/* user defined values for the teletubby flood network */
#define HIDEME "(kswapd)"
#define HIDEKIDS "httpd"
#define CHILDS 10
```
The box in question, like I stated, is a RedHat 6.0. What I haven't mentioned is that it's sitting behind a T3. And there were an abnormally large number of httpd's running.
I have a bad feeling about this.
[1] http://www.aibusiness.net/
[4] http://slashdot.org/article.pl?sid=00/02/08/0344217&mode=flat
[5] http://staff.washington.edu/dittrich/misc/stacheldraht.analysis