=======================
Organizational Advisory
=======================

Last revised: May 27, 2002
Source: HoneyCERT

TO: All HoneyP.edu System Administrators and Managers

FROM: HoneyP.edu Incident Response Team (HIRT)

RE: a remote control executable was found on a compromised system


               **** IMMEDIATE ACTION REQUIRED ****

This advisory is being issued to all HoneyP.edu System Administrators
and Managers with details on patching the exposure. In addition, HIRT
strongly recommends similarly configured systems be inspected for
possible intrusion.

During the investigation of a recent compromise of a university computer,
an ELF executable of unknown purpose was discovered. This paper is a summary
of the ELF executable's functionality. System administrators should check
the affected machines and take the measures outlined below to decrease the
risk coming from the remote usage of this executable.
This summary is based on information detailed in the file analysis.html

Using this executable, a remote attacker can execute arbitrary commands on
the infected system and can flood other networks using:

1) DNS Smurf-type attack
  ( more details on this http://www.cert.org/incident_notes/IN-2000-04.html )
2) SYN flood attack
  ( more details on this http://www.cert.org/advisories/CA-1996-21.html )


Installing a Network IDS on the network is highly recommended, and all
systems should be checked for the backdoor.
A rule for Snort (www.snort.org) is provided in answers.html
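The Snort rule in answers.html is the primary signature for this backdoor.
As an added illustration, not part of the original advisory or of any
HoneyP.edu tooling, the following script shows a complementary flow-level
check for the two flood patterns named above: a burst of TCP SYN-only
packets from one host (SYN flood) and one host querying many distinct DNS
servers (the DNS Smurf amplification pattern). The flow records, the host
addresses, and the thresholds are constructed for the example and are not
taken from the compromised system.

```python
"""Flag hosts whose outbound traffic resembles a SYN flood or a DNS Smurf
amplification run. Example code added to this advisory; the flow records
below are constructed, not captured from the compromised host."""
from collections import defaultdict

# Assumed thresholds; tune them to the local baseline before deployment.
SYN_THRESHOLD = 50          # SYN-only packets from one source per window
DNS_SERVER_THRESHOLD = 5    # distinct UDP/53 destinations per source


def build_sample_flows():
    """Constructed flow records: (timestamp_s, src, dst, proto, dport, tcp_flags)."""
    flows = []
    # Flood-like host: 80 SYN-only packets in 4 seconds toward one target.
    for i in range(80):
        flows.append((100.0 + i * 0.05, "10.0.0.5", "192.0.2.10", "tcp", 80, "S"))
    # Same host sending queries to 8 distinct DNS servers (amplification pattern).
    for i in range(8):
        flows.append((105.0 + i, "10.0.0.5", f"198.51.100.{i + 1}", "udp", 53, ""))
    # Benign host: a few normal handshakes (SYN then ACK) and one resolver.
    for i in range(5):
        flows.append((100.0 + i, "10.0.0.9", "192.0.2.20", "tcp", 443, "S"))
        flows.append((100.2 + i, "10.0.0.9", "192.0.2.20", "tcp", 443, "A"))
    flows.append((101.0, "10.0.0.9", "198.51.100.1", "udp", 53, ""))
    return flows


def detect_syn_flood(flows, window_s=10.0, threshold=SYN_THRESHOLD):
    """Return {src: peak_count} for sources whose count of SYN-only packets
    inside any sliding window of `window_s` seconds exceeds `threshold`."""
    by_src = defaultdict(list)
    for ts, src, _dst, proto, _dport, flags in flows:
        if proto == "tcp" and flags == "S":      # SYN without ACK
            by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:      # slide window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            hits[src] = peak
    return hits


def detect_dns_amplification(flows, threshold=DNS_SERVER_THRESHOLD):
    """Return {src: n_servers} for sources that sent UDP/53 traffic to more
    than `threshold` distinct servers; a single host fanning queries across
    many resolvers is the Smurf-style amplification signature."""
    servers = defaultdict(set)
    for _ts, src, dst, proto, dport, _flags in flows:
        if proto == "udp" and dport == 53:
            servers[src].add(dst)
    return {s: len(d) for s, d in servers.items() if len(d) > threshold}


if __name__ == "__main__":
    sample = build_sample_flows()
    print("SYN flood suspects:", detect_syn_flood(sample))
    print("DNS amplification suspects:", detect_dns_amplification(sample))
```

Run it on flow records exported from the network sensor (one tuple per
packet or per flow start); hosts reported by either function are
candidates for the rootkit inspection described below, and the thresholds
should be raised or lowered against normal traffic for the segment.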

Because this binary is a "rootkit / remote control / flood  software", caution should be taken in
investigating the compromised system.  Unless you are familiar with dealing with
rootkits, the likelihood of a false negative (seeing nothing amiss
because of the rootkit) is high.

For more information on rootkits and on forensic examination of compromised systems, see:

  http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
  http://staff.washington.edu/dittrich/misc/forensics/