The-binary/[mingetty] - Technical Advisory


Release date:

06 May 2002 (date of the binary's capture on a honeypot - probably released before this date)


System affected:

Linux binary compatible systems (Linux, FreeBSD, OpenBSD, ...)


Severity:

None (if system isn't compromised)
High (if system was previously compromised)


Type:

Remote backdoor - DDoS node


Main characteristics:

This executable, once uploaded and installed on a compromised host, permits the intruder to fully control it and to use it as a starting point for DDoS attacks. It exchanges information with a specific client (currently not available) by carrying data in the payload of IP packets whose protocol field is set to 11. The client's source IP address is not easy to locate, because the tool has built-in options to spoof source and destination addresses, possibly using decoys. Once started, the binary forks two child processes, like a classical Unix daemon, and simply waits for incoming packets from the network.


Detection:

To detect the backdoor on a network, simply start the client in scanning mode against the address range to check: ./client <class C>

On the host where the backdoor resides, the ps command reveals a process named [mingetty]. A simple kill command terminates its execution.
The binary was probably started through a startup script. To find it easily on the filesystem, search for binary files with a size of 205.108 bytes (i.e. 205108 bytes) that contain the following strings: "[mingetty]", "nazgul" and "TfOjG".
Never directly suspect a computer exchanging IP protocol 11 packets with the compromised host of being the intruder, because the tool can use decoy addresses.
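The filesystem search described above (exact size plus the three strings), written out as an added Python example rather than code from the advisory. It checks the cheap size indicator first and only reads files that pass it, never follows symlinks, and builds its own constructed sample files in a temporary directory; the file names "suspect_bin", "wrong_size" and "right_size_no_strings" are assumptions for the demonstration, not names from the page.

```python
import os
import stat

# Indicators from the advisory: exact file size (written "205.108 bytes" in the
# original, i.e. 205108 bytes) and three strings present in the binary.
IOC_SIZE = 205108
IOC_STRINGS = (b"[mingetty]", b"nazgul", b"TfOjG")


def file_matches_ioc(path, size=IOC_SIZE, strings=IOC_STRINGS):
    """True if path is a regular file of exactly `size` bytes containing all `strings`."""
    try:
        st = os.lstat(path)                  # do not follow symlinks
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode) or st.st_size != size:
        return False                         # cheap size check first; read only candidates
    with open(path, "rb") as f:
        data = f.read()
    return all(s in data for s in strings)


def scan_tree(root):
    """Walk root and return the (sorted) paths of files matching the indicators."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if file_matches_ioc(path):
                hits.append(path)
    return sorted(hits)


def build_sample_tree(root):
    """Write constructed test files (not the real binary) under root and return their paths."""
    body = b"\x00".join(IOC_STRINGS) + b"\x00"
    samples = {
        # right size, all strings present -> should match
        "suspect_bin": body.ljust(IOC_SIZE, b"\x00"),
        # all strings present but wrong size -> no match
        "wrong_size": body.ljust(IOC_SIZE + 16, b"\x00"),
        # right size but the strings are missing -> no match
        "right_size_no_strings": b"benign".ljust(IOC_SIZE, b"\x00"),
    }
    paths = {}
    for name, content in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(content)
        paths[name] = path
    return paths


def demo():
    """Build the constructed tree in a temp dir and return the basenames scan_tree flags."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [os.path.basename(p) for p in scan_tree(root)]


if __name__ == "__main__":
    print(demo())
```

On a real host, call scan_tree on the directories where startup scripts and system binaries live; the size filter keeps the walk cheap, and the string check is what separates a true hit from a coincidentally sized file.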


Solution:

The binary is a backdoor: it cannot appear on a system that has not already been compromised. Note that the backdoor requires root privileges to start. The best practice is thus to keep systems patched/updated, and to give root passwords only to qualified/honest people.
To stop network traffic to compromised hosts, block at the perimeter firewall all IP packets whose IP protocol field (the 10th byte of the IP header) is set to 11.
If the firewall permits it, you can also refine the filter by blocking only packets whose first byte of the IP payload (the 21st byte of the IP packet, when the header carries no options) contains the value 02 or 03.
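The two firewall rules above, coarse (any protocol-11 packet) and refined (protocol 11 and first payload byte 0x02 or 0x03), as an added Python classifier that is not part of the advisory. It parses the IPv4 header itself and locates the payload from the IHL field rather than at a fixed byte 21, so a packet padded with IP options is still matched; the packets it classifies are constructed inline with RFC 5737 documentation addresses, not captured traffic.

```python
import ipaddress
import struct

# Values from the advisory: IP protocol number used by the backdoor, and the
# two first-payload-byte values the refined firewall rule blocks.
BACKDOOR_PROTO = 11
BLOCKED_FIRST_BYTES = (0x02, 0x03)


def build_ipv4(proto, payload, options=b"", src="192.0.2.1", dst="192.0.2.2"):
    """Build a constructed IPv4 packet for exercising the filter (checksum left 0).

    Addresses default to the RFC 5737 documentation range; nothing here is captured traffic.
    """
    if len(options) % 4:
        raise ValueError("IP options must be padded to a 32-bit boundary")
    ihl = 5 + len(options) // 4          # header length in 32-bit words
    total_len = ihl * 4 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,                  # version 4, IHL
        0,                               # TOS
        total_len,
        0,                               # identification
        0,                               # flags / fragment offset
        64,                              # TTL
        proto,
        0,                               # header checksum (irrelevant to the filter)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + options + payload


def matches_advisory_filter(packet, refine_on_payload=True):
    """Return True if the advisory's perimeter rule would drop this packet.

    refine_on_payload=False implements the coarse rule (any protocol-11 packet);
    True adds the payload check (first payload byte 0x02 or 0x03).
    """
    if len(packet) < 20:
        return False
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        return False
    if packet[9] != BACKDOOR_PROTO:      # protocol field: 10th byte of the header
        return False
    if not refine_on_payload:
        return True
    # The payload starts after IHL*4 bytes, which is byte 21 only when the
    # header carries no options; use the real header length rather than a
    # fixed offset so an options-padded packet cannot slip past the check.
    payload_offset = ihl * 4
    if len(packet) <= payload_offset:
        return False
    return packet[payload_offset] in BLOCKED_FIRST_BYTES


def filter_packets(packets, refine_on_payload=True):
    """Split a list of packets into (dropped, passed) under the chosen rule."""
    dropped = [p for p in packets if matches_advisory_filter(p, refine_on_payload)]
    passed = [p for p in packets if not matches_advisory_filter(p, refine_on_payload)]
    return dropped, passed


# Constructed sample traffic; payload bytes are placeholders, not real backdoor messages.
SAMPLE_PACKETS = [
    build_ipv4(11, b"\x02" + b"command"),                     # proto 11, first byte 0x02 -> drop
    build_ipv4(11, b"\x03" + b"reply", options=b"\x01" * 4),  # NOP options, payload at byte 25 -> drop
    build_ipv4(11, b"\x05other"),                             # proto 11, other first byte -> pass (refined)
    build_ipv4(6, b"\x02"),                                   # TCP with the same leading byte -> pass
    build_ipv4(11, b""),                                      # proto 11, empty payload -> pass (refined)
]

if __name__ == "__main__":
    dropped, passed = filter_packets(SAMPLE_PACKETS)
    print(f"refined rule: dropped {len(dropped)}, passed {len(passed)}")
    dropped, passed = filter_packets(SAMPLE_PACKETS, refine_on_payload=False)
    print(f"coarse rule: dropped {len(dropped)}, passed {len(passed)}")
```

The difference between the two runs is the point of the advisory's second rule: the coarse filter drops every protocol-11 packet, while the refined one only drops those whose payload starts with 02 or 03. A firewall that matches "byte 21" literally would miss the options-padded sample; matching on the IHL-derived payload offset does not.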