INCIDENT SUMMARY
An intrusion into one of our honeyp.edu servers was recently discovered.
After performing a full forensic analysis of the server, we have determined
that a Distributed Denial of Service, or DDoS, executable had been planted
on the server. We have isolated the binary and studied it in detail.
We now know its full extent and functionality. This executable is a DDoS
daemon which enables our server to be used as a DDoS zombie agent. The DDoS
daemon is capable of a wide range of functions, including executing remote
shell commands, opening a remote password-protected login shell, and perhaps
most destructively, carrying out various DDoS attacks such as TCP
SYN floods and DNS query floods. For added secrecy, the daemon and its master
even employ a data encoding process to obscure the communications between
them.