This backdoor will run on any Intel x86 machine running either Linux or an operating system with Linux binary support, such as FreeBSD.
The backdoor allows an intruder to run commands on an affected host. It runs as a server process with which the intruder communicates using specially formatted IP packets (IP protocol 11, as noted in the detection section below). While an intruder can use this tool as a foothold to compromise other hosts, the program itself has no functionality that would allow it to compromise other hosts autonomously.
In addition, the program can direct a network flood against other hosts when instructed to by the intruder.
The backdoor can be actively detected by monitoring a network interface on the suspect machine (including loopback, if you run sendcmd locally) for packets of IP protocol 11, while exercising the sendcmd.c program against the suspect machine. Run tcpdump on one machine, then build and run sendcmd (first argument: command number; second argument: target host) on another:
# tcpdump ip proto 11
# gcc -o sendcmd sendcmd.c
# ./sendcmd 1 63.193.103.78
Creating a packet of cmd#1
If any host on your network is sending packets matching this description, investigate that host as described in the next section.
You can run the following command as root to detect a running version of the exploit:
lsof -p `ps aux | grep mingetty | cut -c 10-15 | xargs | sed 's/ /,/g;'` | \
    grep txt | grep -v /sbin/mingetty | grep -v grep
The command collects the PIDs of every process whose command line mentions mingetty, lists the executable (the txt entry) each one is actually running, and filters out the genuine /sbin/mingetty; anything left is a process masquerading as mingetty. In the unlikely event that mingetty doesn't reside in /sbin/mingetty on your system, modify the command given above to reflect the actual location of mingetty. Note also that cut -c 10-15 assumes the PID column of ps aux occupies characters 10 through 15; if your ps lays its columns out differently, obtain the PIDs with pgrep mingetty (or ps -eo pid,args) instead.
Here is sample output, which indicates a running version of the exploit (lsof truncates the COMMAND column, hence "the-binar"):
the-binar 1726 root txt REG 3,2 205108 133178 /home/silly/reverse/the-binary
Any host running this backdoor has been compromised using another exploit or combination of exploits. You must investigate to determine how the attacker gained access and then close these holes. Failure to do so may result in the attacker regaining access to the machine and causing serious damage.
Once you confirm that the md5sum of the file in question matches the known md5sum of this exploit -- 1d726de4f7fe7e580c8fad4b3e4703f6 -- the exploit can be removed by killing the running backdoor and then removing the file from the system. If the hash does not match, do not assume the file is harmless; treat it as an unknown binary and analyse it before acting. You may also want to copy the binary off the host before deleting it, so that it remains available for later analysis.
Using the example detected in the previous section:
csh% md5sum /home/silly/reverse/the-binary
1d726de4f7fe7e580c8fad4b3e4703f6  /home/silly/reverse/the-binary
csh% kill -9 1726
csh% rm -f /home/silly/reverse/the-binary
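As an added example (not part of the original advisory), the following POSIX shell script performs the same detect, verify and remove procedure without depending on the column positions of ps. It resolves each mingetty-named process to its executable via /proc, reports any that is not the genuine /sbin/mingetty, and removes a file only after its md5sum matches the hash given above. The function names, the sample "pid executable" lines and the procedure structure are my own constructions; only the hash and the /home/silly/reverse/the-binary path come from the advisory.

```shell
#!/bin/sh
# Known md5sum of the backdoor, taken from the advisory above.
KNOWN_MD5=1d726de4f7fe7e580c8fad4b3e4703f6

# Constructed sample of what pid_exe_lines would print on a host where the
# backdoor is running disguised as mingetty next to two genuine gettys.
SAMPLE='1234 /sbin/mingetty
1235 /sbin/mingetty
1726 /home/silly/reverse/the-binary'

# Live collection: one "pid executable" line for every process whose command
# name contains mingetty, with the executable resolved through /proc/PID/exe
# rather than trusting the name the process reports.
pid_exe_lines() {
    for p in $(pgrep mingetty); do
        printf '%s %s\n' "$p" "$(readlink "/proc/$p/exe" 2>/dev/null)"
    done
}

# Filter "pid executable" lines on stdin: print the ones whose executable is
# not the genuine /sbin/mingetty. An unresolvable executable (process gone, or
# no permission to read /proc) is reported as "?" so it is not silently dropped.
find_fake_mingetty() {
    while read -r pid exe; do
        [ -n "$pid" ] || continue
        [ -n "$exe" ] || exe='?'
        case "$exe" in
            /sbin/mingetty) ;;                       # genuine getty, ignore
            *) printf '%s %s\n' "$pid" "$exe" ;;     # masquerading process
        esac
    done
}

# Return 0 when the md5sum of the given file equals the known backdoor hash.
matches_backdoor() {
    sum=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$sum" = "$KNOWN_MD5" ]
}

# Kill the process and delete the file, but only after the hash check passes;
# a non-matching file is left in place for manual analysis.
remove_backdoor() {
    pid=$1
    path=$2
    if matches_backdoor "$path"; then
        kill -9 "$pid" && rm -f "$path"
    else
        echo "md5sum of $path does not match the known backdoor; not removing" >&2
        return 1
    fi
}

# Usage on a live host (as root):
#   pid_exe_lines | find_fake_mingetty
#   remove_backdoor <pid> <path>      # for each reported line, after review
```

Run the first command as root so that /proc/PID/exe is readable for every process; an unprivileged run reports "?" for processes it cannot inspect, which is itself worth investigating.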