Organizational Security Advisory
Subject: Server Compromised
Brief: Dangerous application detected
Systems Affected: Linux, but probably other UNIX systems as well
Overview
Recently one of our servers was compromised. The intruder installed an
application that allowed for covert communications to this server. This
application can be remotely controlled via a covert network protocol. The
application allows for remote access to the server and has the ability to
connect to other servers.
Details of Application
When this application executes it will immediately return you to your command
prompt. In actuality it forks off another process that then forks off a
daemon process that binds to a raw socket. This process appears under the
name [mingetty]. It uses a raw IP protocol for communications. The
protocol number is 11 (0xb) and the socket can be viewed with netstat -npl.
The daemon will simply wait until it receives communications on protocol
11.
The intruder can communicate over this covert protocol channel in an
attempt to avoid being blocked by firewalls and to obfuscate what
is really going on. Using these specially crafted packets the intruder can
control the daemon. The daemon has the ability to execute a fully interactive
shell as root on the machine. It can also execute commands via /bin/csh.
The daemon has the ability to open and initiate several other networking
sockets, including TCP, UDP, raw IP, and protocol 255 (another type of raw
protocol).
Detection and Defense
This application is extremely dangerous. It may be possible to see
the process name [mingetty] or the raw socket with
netstat. The netstat output would look similar to what follows:
raw 0 0 0.0.0.0:11 0.0.0.0:* 7 15162/[mingetty]
If you run any IDS servers, you can add an entry to check for protocol 11
communications. Here is an example for Snort:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Protocol 11 Traffic. Possible Covert Channel communications"; ip_proto: 11; )
Also, if your firewalls have the ability to block protocol 11 traffic, it would
be wise to do so.
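The following script is an added example, not part of the original advisory: it automates the netstat check described above by reading netstat -npl output and flagging any raw socket bound to IP protocol 11 or any socket owned by a process named [mingetty]. The netstat sample embedded in it is constructed to resemble real output (including the advisory's example line); the function names check_proto11, has_indicator and count_suspects are the script's own.

```shell
#!/bin/sh
# Added example (not from the original advisory): scan `netstat -npl` style
# output for the two indicators the advisory describes:
#   1. a raw socket whose local "port" (the IP protocol number for raw
#      sockets) is 11
#   2. a socket owned by a process named [mingetty]
#
# Live usage (run as root so netstat can show PIDs and program names):
#   netstat -npl | check_proto11

# Constructed sample of netstat -npl output (not captured from a real host).
# Only the last line carries the indicators; the ping raw socket on
# protocol 1 (ICMP) is there to show that not every raw socket is suspect.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           640/ntpd
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           655/ping
raw        0      0 0.0.0.0:11              0.0.0.0:*               7           15162/[mingetty]'

# check_proto11: reads netstat output on stdin, prints one SUSPECT line per
# matching socket and exits 1 if anything matched, 0 otherwise.
check_proto11() {
    awk '
        {
            reason = ""
            if ($1 == "raw") {
                # For raw sockets the Local Address field is addr:protocol.
                n = split($4, a, ":")
                if (a[n] == "11") reason = "raw socket on IP protocol 11"
            }
            # Last field is PID/Program name, e.g. 15162/[mingetty].
            if (index($NF, "[mingetty]") > 0)
                reason = (reason == "" ? "" : reason "; ") "owned by process named [mingetty]"
            if (reason != "") {
                print "SUSPECT (" reason "): " $0
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# has_indicator: wrapper that turns the exit status into yes/no for scripting.
has_indicator() {
    if check_proto11 >/dev/null; then echo no; else echo yes; fi
}

# count_suspects: number of SUSPECT lines found in the constructed sample.
count_suspects() {
    printf '%s\n' "$SAMPLE_NETSTAT" | check_proto11 | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_NETSTAT" | check_proto11 \
    || echo "Indicators present: treat the host as root-compromised (see advisory)."
```

On systems where netstat has been replaced by ss, `ss -wnlp` lists listening raw sockets with their owning processes in a similar layout, so the same protocol number and program name can be checked there. The firewall mitigation in the advisory can be applied on the host itself with an iptables rule that drops the protocol by number, for example `iptables -A INPUT -p 11 -j DROP`, in addition to any perimeter rule.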
Conclusion
This application was found on a Linux-based system, but it could be ported
to other flavors of UNIX. This application requires root privileges to install,
so your entire system security has been compromised if you find this application.
Please contact the Network Security Team if you discover this application
on one of your systems.