advisory.html
~~~~~~~~~~
Topic:     Linux based remote administration and attacking tool.
Authors:   Als and Vizzy
Date:      May, 20 2002
Thanks to: all those who love and inspire us.
Overview
We have received reports (we pretend and pose as a security response team <g>) indicating that intruders are beginning to deploy and use a Linux-based
remote administration and denial-of-service attack tool.
On May 6th we received a report of a program called "the-binary" that appears to be a
tool caught "in the wild".
The binary we have seen has the following MD5 checksum:
MD5 (the-binary) = 1d726de4f7fe7e580c8fad4b3e4703f6
The existence of remote administration and denial-of-service tools is not new;
however, we are beginning to receive reports of these tools being installed on compromised
systems. Thus the community should be warned and the required action undertaken.
Impact
- Unauthorised remote root access.
- Remote command execution.
- The compromised system becomes an attack tool and can be used to flood networks with
overwhelming amounts of traffic.
Description
Once installed, the binary runs as a daemon with the name "[mingetty]"
(pretending to be a harmless Unix daemon) and listens on a raw socket. If a specially crafted packet
arrives, the binary decrypts it and calls the requested function with the supplied parameters.
The key functions are:
* bind a root shell on TCP port 23281.
* execute a command.
* execute a command and return its output.
* DNS flood using name servers from the binary's internal list.
* DNS flood using supplied name servers.
* TCP SYN flood with spoofed source addresses.
* UDP/ICMP flood.
We will not include details of every flood technique here; they
are all known and described in other documents already. See the "References" section.
The binary is not encrypted, and the following clear-text strings are visible inside it:
[mingetty]
/tmp/.hj237349
/bin/csh -f -c "%s" 1> %s 2>1
TfOjG
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.
PATH
HISTFILE
linux
TERM
/bin/sh
/bin/csh -f -c "%s"
The remote root shell password 'TfOjG' is stored with every character incremented by one,
i.e. the actual password is 'SeNiF'.
Solution
1. Identify the location of the binary executable and remove it from the startup scripts:
# ps auwx | grep mingetty]
root 405 0.0 0.0 2092 852 ? S May13 0:20 [mingetty]
Use the PID of the process found above to determine under what name the binary resides
on your system:
# cat /proc/405/status
Name: the-binary
State: R (running)
Tgid: 405
Pid: 405
PPid: 1
...
# find / -name "the-binary"
/usr/local/bin/the-binary
2. Determine how your system was compromised and the binary installed by performing a complete
security check against all up-to-date vulnerabilities.
3. To prevent the possibility of denial-of-service attacks from your systems, implement
filtering for outgoing packets that carry a source address from a different network.
Some of the attacks implemented in the binary rely on the use of forged packets, that is, packets for which
the attacker deliberately falsifies the origin address. With the current IP protocol technology,
it is impossible to eliminate IP-spoofed packets. However, you can use filtering to reduce the
likelihood of your site's networks being used to initiate forged packets.
The best current method to reduce the number of IP-spoofed packets exiting your network is to
install filtering on your routers that requires packets leaving your network to have a source
address from your internal network.
A detailed description of this type of filtering is available in RFC 2267.
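The three solution steps above can be scripted. The following POSIX sh helper is an added example written for this advisory, not part of the original advisory or of the analysed binary. It assumes a Linux /proc layout, the md5sum and iptables tools, and caller-supplied values for the process root (constructed trees are accepted for testing), the outside interface and the internal network prefix; the only indicator it carries is the MD5 published above. Rather than grepping ps output for "[mingetty]", it flags any process whose argv[0] imitates a kernel thread but which has a real executable behind it, because genuine kernel threads have an empty /proc/PID/cmdline.

```shell
#!/bin/sh
# Added triage helper for the advisory's Solution steps (example code, not the
# advisory's own). Assumptions: Linux /proc, coreutils md5sum, iptables; the
# interface and internal prefix below are constructed placeholders.

KNOWN_MD5="1d726de4f7fe7e580c8fad4b3e4703f6"   # MD5 of "the-binary" from the advisory

# Step 1: list processes whose argv[0] looks like a kernel thread ("[...]")
# while the kernel's own record (Name: in /proc/PID/status) names a real
# executable. PROCROOT defaults to /proc; a copied or constructed tree works too.
# Prints one line per suspect: "PID ARGV0 NAME EXE"
find_masquerading() {
    procroot="${1:-/proc}"
    for dir in "$procroot"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        [ -r "$dir/cmdline" ] || continue
        pid="${dir##*/}"
        # cmdline is NUL separated; keep only argv[0]
        argv0=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue          # real kernel threads have an empty cmdline
        case "$argv0" in
            \[*\]) ;;                        # bracketed name on a userspace process: suspect
            *) continue ;;
        esac
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status")
        exe=$(readlink "$dir/exe" 2>/dev/null || echo "?")
        printf '%s %s %s %s\n' "$pid" "$argv0" "$name" "$exe"
    done
}

# Step 1, continued: compare a located file against the published checksum.
# Prints the computed digest; exit status 0 on a match, 1 otherwise.
check_ioc_md5() {
    file="$1"
    expected="${2:-$KNOWN_MD5}"
    sum=$(md5sum "$file" | cut -d' ' -f1)
    printf '%s\n' "$sum"
    [ "$sum" = "$expected" ]
}

# Step 3: RFC 2267 style egress filtering for an iptables router. Packets
# leaving via the outside interface must carry an internal source address;
# everything else is logged and dropped. Rules are printed for review rather
# than applied; pipe into sh to apply. Any number of internal prefixes may follow
# the interface name.
egress_filter_rules() {
    ext_if="$1"; shift          # e.g. eth0 (constructed placeholder)
    printf 'iptables -N EGRESS_CHECK\n'
    for net in "$@"; do         # e.g. 192.0.2.0/24 (constructed placeholder)
        printf 'iptables -A EGRESS_CHECK -s %s -j RETURN\n' "$net"
    done
    printf 'iptables -A EGRESS_CHECK -j LOG --log-prefix "spoofed-egress: "\n'
    printf 'iptables -A EGRESS_CHECK -j DROP\n'
    printf 'iptables -A FORWARD -o %s -j EGRESS_CHECK\n' "$ext_if"
    printf 'iptables -A OUTPUT -o %s -j EGRESS_CHECK\n' "$ext_if"
}

# Usage (as root):
#   find_masquerading                              # scan the live /proc
#   check_ioc_md5 /usr/local/bin/the-binary        # verify a located file
#   egress_filter_rules eth0 192.0.2.0/24 | sh     # after reviewing the rules
```

The scan reads /proc only, so it is safe to run on a live host; the hash check and the rule generator are separated so that the rules can be reviewed before they touch a production router.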
References
CERT® Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks
http://www.cert.org/advisories/CA-1996-21.html
CERT® Incident Note IN-2000-01
http://www.cert.org/advisories/CA-2000-01.html
CERT® Incident Note IN-2000-04
http://www.cert.org/incident_notes/IN-2000-04.html