Advisory

Honeynet Advisory H-21: Backdoor with IP Packet Interface

Systems Affected

This backdoor will run on any Intel (x86) machine running Linux, or an operating system with Linux binary compatibility such as FreeBSD.

Overview

This backdoor allows an intruder to run commands on an affected host. It runs as a server process that the intruder communicates with using specially formatted IP packets. While an intruder can use this tool to attack other hosts, the program itself has no functionality that would let it compromise other hosts on its own.

In addition, the program can direct a network flood against other hosts when instructed to by the intruder.

Detecting this Exploit on a Network

The backdoor can be actively detected by monitoring for packets of IP protocol 11 (NVP-II, which normal traffic does not use) while exercising the sendcmd.c program against the suspect machine. Capture on the loopback interface if you run the probe on the suspect machine itself (add -i lo to the tcpdump command, since tcpdump does not capture on lo by default); capture on the interface facing the suspect machine if you probe it from another host. Start tcpdump,

# tcpdump ip proto 11
and then, in another login session, build and run sendcmd
# gcc -o sendcmd sendcmd.c
# ./sendcmd 1 63.193.103.78
Creating a packet of cmd#1
(replacing the IP address with that of the suspect machine). Any replies will be reported by tcpdump and should be taken as confirmation that the machine has been compromised. Bear in mind that if you run the probe on the suspect machine itself you are trusting its tcpdump and gcc, which an intruder with root access may have replaced; where possible, probe from a clean host.

If any host on your network is sending packets matching this description, investigate that host as described in the next section.
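The following helper, an added example and not part of the original advisory, reduces the text output of tcpdump to exactly that list of hosts. It assumes tcpdump is run with -n (so the protocol is printed as ip-proto-11 rather than looked up in /etc/protocols, and addresses are numeric) and -l (line-buffered, so the pipe sees each packet as it arrives). The sample lines inside it are constructed for demonstration, not a real capture.

```sh
# Added example, not code from the Honeynet advisory: reduce the output of
# "tcpdump -n -l ip proto 11" to the distinct hosts that sent protocol 11
# packets, i.e. the hosts to investigate with the local check that follows.
# IP protocol 11 is NVP-II, which normal traffic does not use, so any sender
# is a candidate.
#
# Assumptions: tcpdump is run with -n (protocol printed as "ip-proto-11",
# addresses numeric) and -l (line-buffered):
#
#     tcpdump -n -l ip proto 11 | proto11_senders
#
# Reads tcpdump lines on stdin, prints one source address per line, sorted.
proto11_senders() {
    # A decoded line has the shape "<ts> IP <src> > <dst>: ip-proto-11 <len>";
    # capture the token before " > " and keep only protocol-11 lines.
    sed -n 's/^.*[[:space:]]\([^[:space:]]*\) > [^[:space:]]*: *ip-proto-11.*$/\1/p' | sort -u
}

# Constructed sample of tcpdump output for demonstration (not a real capture).
sample_lines() {
    cat <<'EOF'
12:00:01.000000 IP 63.193.103.78 > 192.168.1.5: ip-proto-11 8
12:00:01.100000 IP 192.168.1.5 > 63.193.103.78: ICMP echo request, id 1, seq 1, length 64
12:00:02.000000 IP 63.193.103.78 > 192.168.1.5: ip-proto-11 8
12:00:03.000000 IP 10.0.0.9 > 192.168.1.5: ip-proto-11 12
EOF
}

# Prints 10.0.0.9 and 63.193.103.78, each once.
sample_lines | proto11_senders
```

Each address printed is a host to run the local check on; the ICMP line in the sample is ignored because it is not protocol 11.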

Detecting this Exploit Locally

The backdoor appears in the process list under the name mingetty, so a running copy can be found by listing the executable ("txt") of every process that calls itself mingetty and discarding the genuine /sbin/mingetty. Run the following command as root:

lsof -p `ps aux | grep mingetty | grep -v grep | awk '{print $2}' | xargs | sed 's/ /,/g;'` | \
grep txt | grep -v /sbin/mingetty

Any line of output is a running copy of the backdoor. In the unlikely event that mingetty does not reside in /sbin/mingetty on your system, change the path in the final grep -v to the actual location of mingetty.

Here is sample output, which indicates a running version of the exploit:

the-binar 1726 root  txt    REG    3,2  205108 133178 /home/silly/reverse/the-binary
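A more robust form of the same check, added here as an example and not part of the original advisory: it reads /proc directly, so it needs neither lsof nor the exact column layout of ps, and compares the executable of every process that calls itself mingetty against the genuine path. The optional first argument (a directory laid out like /proc) and the assumed /sbin/mingetty default are the only assumptions.

```sh
# Added example, not code from the advisory: find processes that present
# themselves as mingetty (the backdoor rewrites its argument vector) but
# whose executable is not /sbin/mingetty. Works from /proc directly, so it
# does not depend on lsof or on ps column widths.
#
# Usage: find_fake_mingetty                 # scan the live /proc (as root)
#        find_fake_mingetty /dir [/path]    # scan a procfs-style tree,
#                                           # optionally with another genuine path
# Output: one "<pid> <executable>" line per suspicious process.
find_fake_mingetty() {
    proc=${1:-/proc}
    genuine=${2:-/sbin/mingetty}   # assumed location; adjust if different
    for dir in "$proc"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        # argv[] is NUL-separated; turn NULs into spaces for matching.
        args=$(tr '\000' ' ' < "$dir/cmdline")
        case "$args" in
            *mingetty*) ;;
            *) continue ;;
        esac
        # /proc/<pid>/exe points at the file actually running, whatever the
        # process calls itself. A deleted binary shows as "... (deleted)".
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe="(unreadable)"
        if [ "$exe" != "$genuine" ]; then
            printf '%s %s\n' "${dir##*/}" "$exe"
        fi
    done
}
```

Run as root so that every /proc/<pid>/exe link is readable; an unreadable link is reported rather than silently skipped, because a process you cannot inspect cannot be cleared either.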

Removing this Exploit

Any host running this backdoor has been compromised using another exploit or combination of exploits. You must investigate to determine how the attacker gained access and then close these holes. Failure to do so may result in the attacker regaining access to the machine and causing serious damage.

Once you confirm that the md5sum of the file in question matches the known md5sum of this exploit -- 1d726de4f7fe7e580c8fad4b3e4703f6 -- the backdoor can be removed by killing the running process and then deleting the file. The hash identifies this particular build only: a copy that has been recompiled or patched will not match, so a mismatch does not mean the file is benign, and any process found by the check above should be treated as hostile whatever its hash. Keep a copy of the binary (and note its hash, size and timestamps) before deleting it; it is the main evidence you will have for working out how the host was compromised.

Using the example detected in the previous section:

csh% md5sum /home/silly/reverse/the-binary
1d726de4f7fe7e580c8fad4b3e4703f6  /home/silly/reverse/the-binary
csh% kill -9 1726
csh% rm -f /home/silly/reverse/the-binary
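The same steps as a single function, added here as an example rather than the advisory's own procedure: it refuses to act unless the hash matches, keeps an evidence copy first, and only then kills the process and deletes the file. The expected hash defaults to the one above; the /root/evidence directory is an assumed default.

```sh
# Added example, not code from the advisory: the removal steps as one
# function that acts only when the file's md5 matches, and that keeps a copy
# of the binary (with its hash) before deleting it, since the file is the
# artefact you will want when investigating how the host was compromised.
# The default hash is the advisory's; the evidence directory is an assumed
# default and should be on a filesystem the attacker cannot reach.
#
# Usage:   remove_backdoor <path> <pid> [expected-md5] [evidence-dir]
# Returns: 0 removed, 1 hash mismatch (nothing touched), 2 evidence copy failed.
remove_backdoor() {
    path=$1
    pid=$2
    expected=${3:-1d726de4f7fe7e580c8fad4b3e4703f6}
    evidence=${4:-/root/evidence}

    actual=$(md5sum "$path" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "$path: md5 $actual does not match $expected; not removing" >&2
        return 1
    fi

    # Preserve the binary before anything else; the copy is the only
    # evidence that survives the rm below. -p keeps the original timestamps.
    name=$(basename "$path")
    mkdir -p "$evidence" && cp -p "$path" "$evidence/$name" || return 2
    echo "$actual  $name" > "$evidence/$name.md5"

    kill -9 "$pid" 2>/dev/null   # may already have exited; still remove the file
    rm -f "$path"
}
```

For the case detected above this would be called as remove_backdoor /home/silly/reverse/the-binary 1726; a non-zero return means the file is still in place and should be looked at by hand.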