======================= Organizational Advisory =======================

Last revised: May 27, 2002
Source: HoneyCERT

TO:   All HoneyP.edu System Administrators and Managers
FROM: HoneyP.edu Incident Response Team (HIRT)
RE:   A remote control executable was found on a compromised system

**** IMMEDIATE ACTION REQUIRED ****

This advisory is being issued to all HoneyP.edu System Administrators and
Managers with details on patching the exposure. In addition, HIRT strongly
recommends that similarly configured systems be inspected for possible
intrusion.

During the investigation of a recent compromise of a university computer, an
ELF executable of unknown purpose was discovered. This paper is a summary of
the functionality of that ELF executable. System administrators should check
the affected machines and take the measures outlined below to decrease the
risk coming from remote use of this executable. This summary is based on the
information detailed in the file analysis.html.

Using this executable, a remote attacker can execute arbitrary commands on the
infected system and can flood other networks using:

  1) a DNS Smurf type attack
     (more details: http://www.cert.org/incident_notes/IN-2000-04.html)
  2) a SYN flood attack
     (more details: http://www.cert.org/advisories/CA-1996-21.html)

Installing a Network IDS in the network is highly recommended, and all systems
should be checked for the backdoor. A rule for Snort (www.snort.org) is
provided in answers.html.

Because this binary is "rootkit / remote control / flood software", caution
should be taken when investigating the compromised system. Unless you are
familiar with dealing with rootkits, the likelihood of a false negative
(seeing nothing amiss because the rootkit hides its presence) is high. For
more information on rootkits and on the forensic examination of compromised
systems, see:

  http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
  http://staff.washington.edu/dittrich/misc/forensics/