Organizational Security Advisory


Subject: Server Compromised
Brief: Dangerous application detected
Systems Affected: Linux (confirmed); likely portable to other UNIX systems

Overview

Recently one of our servers was compromised. The intruder installed an application that provides covert communications to the server. The application is remotely controlled over a covert network protocol, gives the intruder interactive access to the server, and can open connections to other servers.

Details of Application

When this application executes it immediately returns you to your command prompt. In actuality it forks off a child process, which in turn forks off a daemon process that binds to a raw socket. The daemon process appears under the name [mingetty]. It communicates over a raw IP protocol rather than TCP or UDP: the protocol number is 11 (0x0b), which the IANA registry assigns to NVP-II and which has no legitimate use on an ordinary server. The bound socket can be seen with netstat -npl. The daemon simply waits until it receives packets carrying protocol 11.

The intruder communicates over this covert protocol channel to avoid being blocked by firewalls that filter only TCP and UDP, and to obscure what is really going on. Using specially crafted protocol 11 packets the intruder controls the daemon. The daemon can spawn a fully interactive shell as root on the machine, and can also execute commands via /bin/csh. It can open and initiate several other kinds of network sockets, including TCP, UDP, raw IP, and protocol 255 (another raw IP protocol, reserved by IANA).

Detection and Defense

This application is extremely dangerous. It may be possible to spot the process name [mingetty] or the bound raw socket with netstat. Note that netstat lists raw sockets with the IP protocol number in the place where a TCP or UDP port would normally appear, so the "11" below is the protocol, not a port. The netstat output would look similar to the following:

raw        0      0 0.0.0.0:11              0.0.0.0:*               7           15162/[mingetty]
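The netstat line above is built from /proc/net/raw, where a raw socket's "port" field holds the IP protocol number in hex, and from the socket inode, which netstat -p resolves to a PID by walking /proc/*/fd. The script below is an added example (not part of the original advisory) that performs the same check directly, flags raw sockets bound to any protocol outside a short expected list, and maps them back to owning processes. The sample /proc/net/raw text is constructed for the example, and the expected-protocol list and the little-endian address decoding are assumptions about the host.

```python
import os
import socket
import struct

# Constructed sample of /proc/net/raw (not captured from the compromised host).
# The hex "port" of local_address on a raw socket is the IP protocol number:
# 0001 = ICMP (normal, e.g. ping), 000B = protocol 11 (the backdoor), 00FF = protocol 255.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15001 2 0000000000000000 0
   1: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15162 2 0000000000000000 0
   2: 00000000:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15163 2 0000000000000000 0
"""

# Assumption: raw sockets a normal host may legitimately hold. 1 = ICMP (ping);
# 89 = OSPF and 112 = VRRP only on routers. Anything else deserves a look.
EXPECTED_RAW_PROTOS = {1, 89, 112}
# The two protocols named in the advisory.
ADVISORY_PROTOS = {11, 255}


def parse_proc_net_raw(text):
    """Return one dict per raw socket: protocol number, local address, uid, inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_hex, proto_hex = fields[1].split(":")
        # The kernel prints the address as a host-order 32-bit word; on x86 (little-endian)
        # 7F000001 therefore appears as 0100007F.  Assumption: little-endian host.
        addr = socket.inet_ntoa(struct.pack("<I", int(local_hex, 16)))
        sockets.append({
            "proto": int(proto_hex, 16),
            "local": addr,
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def find_suspicious_raw_sockets(text):
    """Flag raw sockets bound to a protocol outside the expected list."""
    flagged = []
    for s in parse_proc_net_raw(text):
        if s["proto"] in EXPECTED_RAW_PROTOS:
            continue
        s["matches_advisory"] = s["proto"] in ADVISORY_PROTOS
        flagged.append(s)
    return flagged


def owning_pids(inode, proc="/proc"):
    """PIDs holding a socket inode, found by walking /proc/*/fd as netstat -p does.
    Needs root to read other users' fd directories."""
    target = "socket:[%d]" % inode
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(entry))
                    break
            except OSError:
                continue
    return pids


if __name__ == "__main__":
    # Use the live table on a Linux host, the constructed sample elsewhere.
    if os.path.exists("/proc/net/raw"):
        with open("/proc/net/raw") as f:
            table = f.read()
    else:
        table = SAMPLE_PROC_NET_RAW
    for s in find_suspicious_raw_sockets(table):
        tag = "ADVISORY MATCH" if s["matches_advisory"] else "unexpected"
        print("%s: raw socket proto %d on %s uid %d inode %d pids %s"
              % (tag, s["proto"], s["local"], s["uid"], s["inode"], owning_pids(s["inode"])))
```

Reading /proc/net/raw directly has one advantage over trusting netstat: a rootkit that hides the [mingetty] process or replaces the netstat binary can still leave the socket table intact, so cross-check the inode-to-PID mapping against ps output and treat a socket with no visible owner as a finding in itself.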

If you have any IDS sensors, add a rule that checks for protocol 11 communications. Here is an example for Snort; the second rule covers the daemon's replies, which the first (external to home) rule would not see:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Protocol 11 Traffic. Possible Covert Channel communications"; ip_proto:11; sid:1000001; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Protocol 11 Traffic. Possible Covert Channel reply"; ip_proto:11; sid:1000002; rev:1;)
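The Snort rule keys on a single byte of the IPv4 header, the protocol field at offset 9. The added example below (not code from the advisory) shows what that match amounts to: it parses IPv4 headers, validates the header checksum so that truncated or corrupt frames are not misreported, and reports protocol 11 and 255 traffic in both directions relative to a home network. The packets and the 10.0.0.0/8 home network are constructed for the example; the "both directions" behaviour is an extension of the one-way rule in the text, since the daemon's replies to the intruder also travel over protocol 11.

```python
import ipaddress
import struct

# Assumption: stands in for $HOME_NET in the Snort rule.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
# The two raw protocols the advisory describes.
SUSPECT_PROTOS = {11: "protocol 11 (NVP-II)", 255: "protocol 255 (reserved)"}


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over the header (even length assumed)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload=b""):
    """Constructed test packet: minimal 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt):
    """Decode an IPv4 header; return None for anything that is not a sane IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    if ipv4_checksum(pkt[:ihl]) != 0:  # a correct header sums to zero
        return None
    return {
        "proto": pkt[9],                       # the byte the ip_proto keyword tests
        "src": str(ipaddress.ip_address(pkt[12:16])),
        "dst": str(ipaddress.ip_address(pkt[16:20])),
        "payload": pkt[ihl:],
    }


def alert_for(pkt):
    """Mirror the rule, in both directions: inbound commands and the daemon's replies."""
    ip = parse_ipv4(pkt)
    if ip is None or ip["proto"] not in SUSPECT_PROTOS:
        return None
    src_home = ipaddress.ip_address(ip["src"]) in HOME_NET
    dst_home = ipaddress.ip_address(ip["dst"]) in HOME_NET
    if dst_home and not src_home:
        direction = "inbound"
    elif src_home and not dst_home:
        direction = "outbound"
    else:
        direction = "internal"  # e.g. the daemon reaching another of our servers
    return "%s %s %s -> %s" % (direction, SUSPECT_PROTOS[ip["proto"]], ip["src"], ip["dst"])


def scan(packets):
    """Return the alert lines for a sequence of raw IPv4 packets."""
    return [a for a in (alert_for(p) for p in packets) if a]


# Constructed traffic: intruder at 198.51.100.7, compromised server at 10.1.2.3.
PACKETS = [
    build_ipv4("198.51.100.7", "10.1.2.3", 11, b"cmd"),    # command from the intruder
    build_ipv4("10.1.2.3", "198.51.100.7", 11, b"reply"),  # reply; an inbound-only rule misses it
    build_ipv4("198.51.100.7", "10.1.2.3", 6, b""),        # ordinary TCP, not reported
    build_ipv4("10.1.2.3", "10.9.9.9", 255, b""),          # protocol 255 toward another server
]

if __name__ == "__main__":
    for line in scan(PACKETS):
        print(line)
```

Because the match is on the IP header alone, it is immune to whatever the daemon does with the payload, but it also means any legitimate protocol 11 traffic would fire the rule; on a network with none, that is the desired behaviour.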

Also, if your firewalls can filter by IP protocol number, block protocol 11 (and protocol 255) in both directions. Bear in mind that a firewall which only filters TCP and UDP ports will pass this traffic untouched, which is exactly why the intruder chose it.

Conclusion

This application was found on a Linux-based system, but it could be ported to other flavors of UNIX. Installing it requires root privileges, so if you find it, the security of the entire system has been compromised and the host should be rebuilt rather than cleaned. Please contact the Network Security Team if you discover this application on one of your systems.