Honeyp University was attacked on the 1st May, 2002 by an Internet attacker, targeting particular Linux systems within the University. A rogue piece of software was uploaded and executed on the compromised machines. The software was subsequently identified and analysed by Honeyp University systems security staff.
This document describes in detail components of the software, its purpose, the threats it poses, and how to detect and defend against this type of software.
The software was a combination system backdoor and denial-of-service agent.
The backdoor component of the software allowed a remote user to send arbitrary system commands to the compromised machine, and have them executed. This effectively gave the attacker ‘command level’ access to the compromised system, and would allow complete control of the system. In addition, the attacker was able to trigger the software into allowing direct access to a shell on the machine, which was protected by a password. This would allow the attacker interactive access directly into the machine.
The denial-of-service agent was a multipurpose flooding system. A remote user would be able to send particular commands to the software, containing such information as a target IP address or hostname. The software would then utilize the high speed Internet connectivity of the university to send large amounts of traffic in various formats to the target. The types of flood traffic generated by the software were DNS server traffic amplification, SYN floods and Ping style attacks.
The software was able to start and stop arbitrary denial-of-service attacks, and was limited to performing a single type of denial-of-service at a time.
The software was able to conceal its presence by renaming itself to ‘[mingetty]’ once executed, making it difficult to identify in a process list. It also used scrambling of network traffic to make identification of the commands more difficult, and was able to use decoy style responses to make identification of the attacker more difficult.
In general, the software would be used to perform intentionally malicious acts, against other Internet users or the university. It is imperative that all systems staff be aware of the threat, and contact systems security if it is believed that their machines have been compromised.
The software listened for network traffic using IP protocol 11, with size greater than 200 bytes. If this was identified, the traffic would be descrambled, and then the appropriate commands executed based on the contents of the network traffic. The descrambling algorithm can be found in this security information pack, in the file encode.c.
When most commands are executed, the current status of any running commands is checked. This ensures that the attacker cannot accidentally trigger multiple floods from the same system simultaneously.
The DNS flooding component used either attacker specified DNS servers, or a list of some 8000 servers stored within the binary itself. These DNS servers would be queried for responses that would return far more traffic than the query itself, and the source IP address of the query would be set to the target. The net effect is traffic amplification, where DNS servers throughout the Internet would be used to flood the network of the target user.
The SYN and Ping style flood components are similar to other network flooding tools previously released on the Internet, and as such will not be covered in detail. More information can be found on these types of denial-of-service attacks at http://staff.washington.edu/dittrich/misc/ddos/
The software also supported commands for remote access to the system via either a single command or a listening shell bound to port 23281. This effectively gave an attacker complete superuser command level access to the compromised system.
The software can be readily detected by using the command ‘netstat -an’ to identify listening raw sockets on protocol 11. In particular circumstances, TCP port 23281 may be listening.
Sample output of ‘netstat -an’ on a compromised host:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:23281 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:11 0.0.0.0:* 7
Honeyp University systems security staff have developed software (detect.c) for automatic remote scanning of hosts to identify the presence of the software. This scanning software is available as part of this security information bundle. This software will compile on a Unix system with libpcap and libnet installed, and will attempt to request status from a host. It should be executed with the following command line:
detect <source interface> <source IP address> <possibly compromised host>
Substitute your local ethernet interface name (possibly eth0 or hme0) for the <source interface> parameter, the IP address of that interface for <source IP address>, and the possibly compromised host's IP address as the final parameter. If no response is returned within 5 seconds, you should exit the program with ctrl-c.
Once a compromised system has been identified, ‘lsof’ can be used to identify software using raw sockets as follows:
[root@test honeypsec]# lsof | grep raw
the-binar 8581 root 0u raw 14814 00000000:000B->00000000:0000 st=07
The ‘:000B’ indicates a listening socket on IP protocol 0x000B, or 11. This process, with example PID of 8581, is the malicious software. As the software attempts to hide its presence using the name ‘[mingetty]’, further proof can be seen by using ps to identify the start time of all ‘mingetty’ processes. As mingetty is typically started by init upon system boot, the start date and time of the real mingetty processes will differ from that of the fraudulent ‘[mingetty]’ processes.
[root@test honeypsec]# ps -ef | grep min
root 745 1 0 May25 tty1 00:00:00 /sbin/mingetty tty1
root 746 1 0 May25 tty2 00:00:00 /sbin/mingetty tty2
root 747 1 0 May25 tty3 00:00:00 /sbin/mingetty tty3
root 748 1 0 May25 tty4 00:00:00 /sbin/mingetty tty4
root 749 1 0 May25 tty5 00:00:00 /sbin/mingetty tty5
root 750 1 0 May25 tty6 00:00:00 /sbin/mingetty tty6
root 8581 1 0 May28 ? 00:00:00 [mingetty]
root 9974 8581 0 08:28 ? 00:00:00 [mingetty]
root 9970 8511 0 08:17 pts/1 00:00:00 grep min
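The three host checks above (netstat, lsof and ps) can be automated over captured command output. The following is an added example written for this pack; it is not the advisory's detect.c and does not scan the network. It parses text output of ‘netstat -an’, ‘lsof’ and ‘ps -ef’ and returns the indicators described above: raw sockets on IP protocol 11, a TCP listener on port 23281, and mingetty-named processes whose start time differs from the init-spawned gettys. The sample inputs embedded in the script are the advisory's own example listings.

```python
"""Host triage helpers for the backdoor described in this advisory.

Added example, not the advisory's own detect.c: it parses captured text
output of 'netstat -an', 'lsof' and 'ps -ef' and returns the host
indicators the advisory lists. The sample strings below reproduce the
advisory's own example listings.
"""
import re
from collections import Counter

BACKDOOR_PROTO = 11          # IP protocol the software listens on
BACKDOOR_SHELL_PORT = 23281  # TCP port of the password-protected shell

# lsof prints raw-socket endpoints as HEXADDR:HEXPROTO->HEXADDR:0000
_LSOF_RAW = re.compile(r"^[0-9A-Fa-f]{8}:([0-9A-Fa-f]{4})->")

NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:23281 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:11 0.0.0.0:* 7
"""

LSOF_SAMPLE = "the-binar 8581 root 0u raw 14814 00000000:000B->00000000:0000 st=07\n"

PS_SAMPLE = """\
root 745 1 0 May25 tty1 00:00:00 /sbin/mingetty tty1
root 746 1 0 May25 tty2 00:00:00 /sbin/mingetty tty2
root 747 1 0 May25 tty3 00:00:00 /sbin/mingetty tty3
root 748 1 0 May25 tty4 00:00:00 /sbin/mingetty tty4
root 749 1 0 May25 tty5 00:00:00 /sbin/mingetty tty5
root 750 1 0 May25 tty6 00:00:00 /sbin/mingetty tty6
root 8581 1 0 May28 ? 00:00:00 [mingetty]
root 9974 8581 0 08:28 ? 00:00:00 [mingetty]
root 9970 8511 0 08:17 pts/1 00:00:00 grep min
"""


def netstat_indicators(netstat_output):
    """(proto, local address) for raw/11 sockets and a TCP listener on 23281."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[3]
        if proto == "raw" and local.endswith(":%d" % BACKDOOR_PROTO):
            hits.append(("raw", local))
        elif (proto == "tcp" and fields[-1] == "LISTEN"
              and local.endswith(":%d" % BACKDOOR_SHELL_PORT)):
            hits.append(("tcp", local))
    return hits


def lsof_raw_sockets(lsof_output, proto=BACKDOOR_PROTO):
    """(pid, command) for processes holding a raw socket on IP protocol `proto`."""
    hits = []
    for line in lsof_output.splitlines():
        fields = line.split()
        # COMMAND PID USER FD TYPE DEVICE NAME ...
        if len(fields) < 7 or fields[4] != "raw":
            continue
        m = _LSOF_RAW.match(fields[6])
        if m and int(m.group(1), 16) == proto:
            hits.append((int(fields[1]), fields[0]))
    return hits


def suspicious_mingetty(ps_output):
    """PIDs of mingetty-named processes that do not match the init-spawned ones.

    Genuine gettys are started by init at boot, so they share one start time
    and run as /sbin/mingetty ttyN. A bare '[mingetty]' entry, or one with a
    different start time, is the renamed backdoor.
    """
    entries = []
    for line in ps_output.splitlines():
        fields = line.split(None, 7)
        # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8:
            continue
        pid, stime, cmd = int(fields[1]), fields[4], fields[7]
        if "mingetty" not in cmd or cmd.startswith("grep"):
            continue
        entries.append((pid, stime, cmd))
    if not entries:
        return []
    genuine = [e for e in entries if e[2].startswith("/sbin/mingetty")]
    baseline = Counter(e[1] for e in (genuine or entries)).most_common(1)[0][0]
    return sorted(pid for pid, stime, cmd in entries
                  if cmd.strip() == "[mingetty]" or stime != baseline)


def triage(netstat_output, lsof_output, ps_output):
    """Combine the three checks into one report."""
    return {
        "netstat": netstat_indicators(netstat_output),
        "lsof": lsof_raw_sockets(lsof_output),
        "ps_pids": suspicious_mingetty(ps_output),
    }


if __name__ == "__main__":
    for key, value in triage(NETSTAT_SAMPLE, LSOF_SAMPLE, PS_SAMPLE).items():
        print(key, value)
```

On a live host, feed the functions the output of the same three commands run as root; the PIDs returned by suspicious_mingetty are the ones to terminate as described below.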
Using a network monitor would also allow detection of command and response traffic, simply by flagging traffic with IP protocol 11. In addition, spoofed network packets identified on the local network would identify compromised machines by the MAC addresses within the packet.
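As an added example of the network-side check (not part of the advisory, and unrelated to the descrambling in encode.c), the following passive monitor applies the listening criteria described earlier: IP protocol 11 datagrams with a size greater than 200 bytes. It interprets "size" as the IPv4 total length field, which is an assumption; the packets it scans are constructed for the demonstration with dummy payloads and RFC 5737 documentation addresses, so it runs offline. A pcap reader or raw socket would supply the same raw IPv4 frames on a real network.

```python
"""Passive detector for the command channel described in this advisory.

Added example, not part of the advisory. Flags raw IPv4 packets that
carry IP protocol 11 and exceed 200 bytes (total length; assumption).
"""
import struct

BACKDOOR_PROTO = 11
MAX_IGNORED_LENGTH = 200   # the software ignores datagrams of this size or less


def parse_ipv4(packet):
    """Return (src, dst, proto, total_length, header_length), or None if not IPv4."""
    if len(packet) < 20:
        return None
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        return None
    header_len = (version_ihl & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, proto, total_len, header_len


def matches_signature(packet):
    """True when the packet matches the backdoor's listening criteria."""
    hdr = parse_ipv4(packet)
    if hdr is None:
        return False
    _, _, proto, total_len, _ = hdr
    return proto == BACKDOOR_PROTO and total_len > MAX_IGNORED_LENGTH


def scan(packets):
    """Return (index, src, dst, total_length) for every matching packet."""
    alerts = []
    for i, pkt in enumerate(packets):
        if matches_signature(pkt):
            src, dst, _, total_len, _ = parse_ipv4(pkt)
            alerts.append((i, src, dst, total_len))
    return alerts


def build_ipv4(src, dst, proto, payload):
    """Construct a minimal IPv4 packet (no options, zero checksum) for testing."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


# Constructed traffic: one hit, one too-small protocol-11 datagram, one TCP
# segment and one IPv6 packet that the parser must ignore.
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "192.0.2.20", BACKDOOR_PROTO, b"\x00" * 300),
    build_ipv4("192.0.2.10", "192.0.2.20", BACKDOOR_PROTO, b"\x00" * 100),
    build_ipv4("192.0.2.10", "192.0.2.20", 6, b"\x00" * 300),
    b"\x60" + b"\x00" * 39,
]


if __name__ == "__main__":
    for index, src, dst, length in scan(SAMPLE_PACKETS):
        print("ALERT packet %d: %s -> %s, proto 11, %d bytes" % (index, src, dst, length))
```

On a monitored segment the alert's source address should then be compared with the sending MAC address, as described above, since spoofed packets from a compromised host will carry that host's MAC address rather than the address belonging to the forged source IP.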
The software can be simply terminated by using the command ‘kill -9 <PID> <PID> …’, where <PID> are the identified process IDs from the ps output above. This command must be executed as superuser.
[root@test honeypsec]# kill -9 8581 9974
[root@test honeypsec]# ps -ef | grep min
root 745 1 0 May25 tty1 00:00:00 /sbin/mingetty tty1
root 746 1 0 May25 tty2 00:00:00 /sbin/mingetty tty2
root 747 1 0 May25 tty3 00:00:00 /sbin/mingetty tty3
root 748 1 0 May25 tty4 00:00:00 /sbin/mingetty tty4
root 749 1 0 May25 tty5 00:00:00 /sbin/mingetty tty5
root 750 1 0 May25 tty6 00:00:00 /sbin/mingetty tty6
Because of the malicious nature of this software, it is possible that the attacker may have modified other components of the system. For each case of detection of the malicious software, Honeyp University systems security must be contacted, to determine the best course of action to prevent re-compromise.
Specific information on combatting denial-of-service attacks has not been included here. Information on this topic can be found at http://www.denialinfo.com/ or http://staff.washington.edu/dittrich/misc/ddos/