At the IT department of "Honeyp.edu" we have recently discovered the presence of a new kind of trojan that affects Linux servers. The trojan opens a backdoor into the systems where it runs and gives a remote user extra capabilities to exploit. See the trojan summary here.
Trojan capabilities
Characteristic features of this trojan are:
If you find an infected server it is highly advisable that you apply the standard procedures for a compromised system.
The best way to tell if the trojan is installed is to check whether any process is listening on a "raw" socket for packets of the "nvp" protocol. To do that execute the following command (netstat's -w switch lists raw sockets; add -n if you want the protocol shown as a number instead of a name):
[usr@server directory] netstat -aw
If you get an output similar to this one
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:nvp             0.0.0.0:*               7
then it is almost certain that you are trojaned. The "raw" line with Local Address "0.0.0.0:nvp" (shown as "0.0.0.0:11" with netstat -n, since nvp is IP protocol number 11; look at /etc/protocols) shows that the trojan is up and running and waiting for commands from a remote user carried in NVP packets. A legitimate server has no reason to hold a raw socket for that protocol.
To identify where the trojan resides, run "lsof" with the PID of the suspect process. Note that the process hides behind a fake name, "[mingetty]", so trust the executable path reported by lsof rather than the name shown by ps. For example:
[root@whiteozzie reverse-ch]# ps xa | grep [\[]mingetty\]
 1200 ?        S      0:00 [mingetty]
[root@whiteozzie reverse-ch]# lsof -p "1200" | grep "txt"
the-binar 1200 root  txt    REG  3,1  205108  313077 /home/tstusr/reverse/the-binary
[root@whiteozzie reverse-ch]#
This clearly shows that in this case the trojan is the file "the-binary" which resides in the "/home/tstusr/reverse" directory.
Once you know where the trojan executable is, and you have recorded the netstat, ps and lsof output above (killing the process destroys that volatile evidence), you can stop it by sending SIGKILL to its PID, e.g. "kill -SIGKILL 1200" in the example above. Keep the binary itself for analysis; do not delete it.
After that, proceed immediately with the standard procedures for a compromised system.
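The detection steps above depend on netstat and lsof, which a rooted host may have replaced. The following script is an added example, not part of the original advisory or the Honeyp.edu procedures: it performs the same check by reading /proc/net/raw directly (where the "port" half of local_address is the IP protocol number in hex), maps the socket inode to the owning PID through /proc/<pid>/fd, and reads the real executable from /proc/<pid>/exe. The /proc/net/raw sample embedded in it is constructed, and protocol 11 (nvp) is taken from the advisory; it does not kill anything, that decision stays with the operator.

```shell
#!/bin/sh
# Added example (not from the original advisory): locate processes holding a
# raw socket for a given IP protocol number by reading /proc directly, so the
# check does not rely on a possibly trojaned netstat or lsof.
# Assumptions: Linux procfs layout; run as root to see every process's fd table.

# raw_sockets_for_proto FILE PROTO
#   FILE is a /proc/net/raw dump, PROTO a decimal IP protocol number.
#   Prints "inode local_address uid" for each matching raw socket. In
#   /proc/net/raw the "port" half of local_address is the protocol number
#   in hex, so 00000000:000B means "any address, protocol 11 (nvp)".
raw_sockets_for_proto() {
    want=$(printf '%04X' "$2")
    awk -v want="$want" 'NR > 1 {
        split($2, la, ":")
        if (toupper(la[2]) == want) print $10, $2, $8
    }' "$1"
}

# pids_for_socket_inode INODE
#   Walks every /proc/<pid>/fd looking for a link to "socket:[INODE]".
pids_for_socket_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -u
}

# exe_for_pid PID
#   The real executable behind the process, whatever name it shows in ps
#   (the advisory's sample masquerades as "[mingetty]").
exe_for_pid() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# check_host PROTO
#   Runs the whole chain against the live kernel tables and prints one line
#   per process holding a raw socket for PROTO.
check_host() {
    raw_sockets_for_proto /proc/net/raw "$1" | while read -r inode laddr uid; do
        for pid in $(pids_for_socket_inode "$inode"); do
            printf 'raw proto %s on %s: pid %s uid %s exe %s\n' \
                "$1" "$laddr" "$pid" "$uid" "$(exe_for_pid "$pid")"
        done
    done
}

# Constructed sample of /proc/net/raw (not captured from a real host):
# one ordinary ICMP socket (proto 1) and one listener on proto 11 like the
# advisory's "raw 0 0 0.0.0.0:nvp" line. State 07 matches netstat's "7".
SAMPLE_RAW=$(mktemp)
cat > "$SAMPLE_RAW" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 10217 2 0000000000000000 0
   1: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
EOF

# Parsing the sample flags only the proto-11 socket:
raw_sockets_for_proto "$SAMPLE_RAW" 11      # -> 12345 00000000:000B 0

# On a suspect server, run "sh this.sh --live" as root to inspect /proc itself.
if [ "${1:-}" = "--live" ]; then
    check_host 11
fi
```

Run with --live on the suspect host and compare the reported exe path with what lsof showed; a mismatch, or an exe path ending in "(deleted)", is itself a finding worth recording before you kill the process.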