INCIDENT SUMMARY

An intrusion into one of our honeyp.edu servers was recently discovered. After performing a full forensic analysis of the server, we determined that a Distributed Denial of Service (DDoS) executable had been planted on it. We isolated the binary and studied it in detail, and we now know the full extent of its functionality. The executable is a DDoS daemon that allows our server to be used as a DDoS zombie agent under the control of a remote master. The daemon supports a wide range of functions, including executing remote shell commands, opening a remote password-protected login shell and, most destructively, carrying out DDoS attacks such as TCP SYN floods and DNS query attacks. For added secrecy, the daemon and its master employ a data encoding scheme to obscure the communication between them.
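The two attack types named above, TCP SYN floods and DNS query attacks, leave a characteristic signature on the network: a burst of SYN-only segments to one target, often from spoofed source addresses, or a burst of UDP/53 queries to one target. The detector below is an added example written for this page and is not code from the incident report or from the daemon itself. It runs offline over constructed packet-summary records (timestamp, source, destination, protocol, destination port, TCP flags) as a sensor in front of the zombie host might export them; the thresholds, the one-second window and the assumption that the DNS attack is a high-rate query flood are all choices made here, not facts from the analysis.

```python
"""Offline flood detector for packet-summary records (added example)."""
from collections import defaultdict

# Constructed sample records, NOT traffic captured from the honeyp.edu server:
# (timestamp_seconds, src_ip, dst_ip, protocol, dst_port, tcp_flags)
SAMPLE_RECORDS = [
    # Ordinary web traffic: a SYN followed by ACK-bearing segments (a real handshake).
    (0.0, "10.0.0.5", "192.0.2.10", "tcp", 80, "S"),
    (0.1, "10.0.0.5", "192.0.2.10", "tcp", 80, "A"),
    (0.2, "10.0.0.5", "192.0.2.10", "tcp", 80, "PA"),
] + [
    # SYN flood: 500 SYN-only segments to one target within half a second,
    # with the source address rotated through a /24 (spoofed sources).
    (1.0 + i * 0.001, f"203.0.113.{i % 250 + 1}", "198.51.100.7", "tcp", 80, "S")
    for i in range(500)
] + [
    # DNS query flood: 300 UDP/53 packets to one resolver within 0.6 s.
    (2.0 + i * 0.002, "10.0.0.5", "198.51.100.53", "udp", 53, "")
    for i in range(300)
] + [
    # Ordinary DNS: a handful of queries spread over two seconds.
    (5.0 + i * 0.5, "10.0.0.5", "10.0.0.1", "udp", 53, "") for i in range(4)
]

WINDOW = 1.0          # bucket width in seconds (assumed value)
SYN_THRESHOLD = 100   # SYN-only packets to one destination per window (assumed)
DNS_THRESHOLD = 100   # UDP/53 packets to one destination per window (assumed)


def classify(proto, dport, flags):
    """Map one record onto the flood class it could belong to, or None.

    A SYN-only segment has the S flag set and the A flag clear; SYN-ACKs and
    data segments are ignored so completed handshakes do not count.
    """
    if proto == "tcp" and "S" in flags and "A" not in flags:
        return "syn_flood"
    if proto == "udp" and dport == 53:
        return "dns_query_flood"
    return None


def detect_floods(records, window=WINDOW,
                  syn_threshold=SYN_THRESHOLD, dns_threshold=DNS_THRESHOLD):
    """Return one alert dict per (class, destination, window) over threshold.

    Each alert carries the packet count and the number of distinct source
    addresses; a high distinct-source count for traffic leaving a single host
    is itself a strong hint that sources are being spoofed.
    """
    buckets = defaultdict(list)  # (kind, dst_ip, bucket_index) -> [src_ip, ...]
    for ts, src, dst, proto, dport, flags in records:
        kind = classify(proto, dport, flags)
        if kind is None:
            continue
        buckets[(kind, dst, int(ts // window))].append(src)

    alerts = []
    for (kind, dst, bucket), sources in sorted(buckets.items()):
        threshold = syn_threshold if kind == "syn_flood" else dns_threshold
        if len(sources) >= threshold:
            alerts.append({
                "kind": kind,
                "dst": dst,
                "window_start": bucket * window,
                "packets": len(sources),
                "distinct_sources": len(set(sources)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_RECORDS):
        print(alert)
```

On the sample data this reports two alerts: a SYN flood against 198.51.100.7 (500 packets, 250 distinct spoofed sources) and a DNS query flood against 198.51.100.53 (300 packets from a single source); the legitimate handshake and the four slow DNS queries stay below threshold. In practice the thresholds need tuning against a baseline of the host's normal traffic, and a sensor placed at the egress of the compromised host is what makes the spoofed-source count meaningful.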