'cyclone' running on my system

From: Justin Dieters <enderak@mtaonline.net>
Date: Tue Jan 18 2005 - 01:27:30 AKST

I woke up this morning to find my network connection very slow. My
router showed that my webserver was sending network traffic like crazy,
so I jumped on there and found a process named 'cyclone' using virtually
100% CPU. I found the actual executable under /tmp, along with the
source file (nice of them to leave that there, though it doesn't appear
to be GPL'd ;) ). It appears to be some sort of DoS program - searching
on the web shows "Cyclone floods a victim host with UDP packets on a
user specified port."

I'm not sure how it got on my system, I'm guessing through an ssh
vulnerability - the server is still running an older version of RedHat
and OpenSSH 3.4. I'm going to upgrade to 3.9 and change passwords and
hopefully that will close up any security bugs there.

Basically, this is just a warning to others to make sure their ssh is
up-to-date. Also a request for things to look for to make sure this
doesn't happen again - is there more I should look at than just
upgrading ssh and changing passwords?

Justin

Received on Tue Jan 18 09:35:36 2005