Senif trojan advisory

by Albert Bendicho (bendi#at#redestb.es). Student at the "honeyp.edu" university.

At the IT department of "Honeyp.edu" we have recently discovered a new kind of trojan that affects Linux servers. It opens a backdoor into the systems on which it runs and lets a remote user carry out further actions on them. A summary of the trojan follows.

Trojan capabilities

Characteristic features of this trojan are:

If you find an infected server, it is highly advisable to apply the standard procedures for a compromised system.

How to stop and eliminate the trojan

The most reliable way to tell whether the trojan is installed is to check whether any process is listening on a "raw" socket for packets of the IP protocol "nvp" (protocol number 11). To do that, execute the following command (the -w option lists raw sockets):

[usr@server directory] netstat -aw

if you get an output similar to this one

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
raw        0      0 0.0.0.0:nvp             0.0.0.0:*               7       

then it is almost certain that the host is trojaned. The "raw" line with the local address "0.0.0.0:nvp" shows a raw socket bound to IP protocol 11, which netstat has resolved to the name "nvp" through /etc/protocols (with "netstat -anw" it is shown as "0.0.0.0:11"). That socket is the trojan waiting for commands from a remote user inside packets of that protocol. A raw socket by itself is not suspicious: ping, for instance, shows up as "0.0.0.0:icmp" in the same listing; it is the nvp protocol that is the signature. Because opening a raw socket requires root, the listening process will also be running as root. If you suspect a rootkit, read /proc/net/raw directly instead of trusting the netstat binary.

To identify where the trojan resides, find the PID of the suspect process with "ps" and then run "lsof" on that PID; the "txt" entry is the file mapped as the program text, i.e. the executable. In this case the process disguises itself under the name "[mingetty]". For example:

[root@whiteozzie reverse-ch]# ps xa | grep [\[]mingetty\]                                          
 1200 ?        S      0:00 [mingetty]  
[root@whiteozzie reverse-ch]# lsof -p "1200"| grep "txt"
the-binar 1200 root  txt    REG    3,1 205108 313077 /home/tstusr/reverse/the-binary
[root@whiteozzie reverse-ch]# 

This shows that in this case the trojan is the file "the-binary", which resides in the directory "/home/tstusr/reverse".
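The two steps above (spotting the nvp raw socket, then mapping it to a PID and an executable) can be done from /proc alone, which matters when netstat, ps or lsof may have been replaced by a rootkit. The script below is an added example written for this advisory, not code from the original page or from the trojan's author; the /proc/net/raw listing it parses offline is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this advisory, not code from the original page or from the
# trojan's author: check /proc/net/raw directly for a raw socket bound to IP
# protocol 11 (nvp) and map it back to the owning PID and executable. Reading
# /proc avoids trusting a netstat, ps or lsof binary that a rootkit may have
# replaced. Run the live check as root: a raw socket needs CAP_NET_RAW, so the
# listener runs as root and only root can read its /proc/<pid>/fd and exe.

# Print "proto inode" for every raw socket in a /proc/net/raw listing (read
# from stdin) bound to the given decimal IP protocol. For raw sockets the
# "port" half of local_address is the protocol number in hex, the "sl"
# column repeats it in decimal, and the inode is the 10th column.
raw_sockets_for_proto() {
    want_hex=$(printf '%04X' "$1")
    awk -v want="$want_hex" 'NR > 1 {
        split($2, addr, ":")
        if (addr[2] == want) { sub(":", "", $1); print $1, $10 }
    }'
}

# Print the PIDs holding the given socket inode open, by walking /proc/*/fd.
pids_for_socket_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -u
}

# Live check: for each nvp raw socket report the owning process, its argv
# (which the trojan sets to "[mingetty]"), the kernel's own name for it and
# the real path of its executable. A "(deleted)" suffix on the exe link means
# the binary was unlinked after starting; copy /proc/<pid>/exe before killing.
check_host() {
    raw_sockets_for_proto 11 < /proc/net/raw | while read -r proto inode; do
        for pid in $(pids_for_socket_inode "$inode"); do
            argv=$(tr '\0' ' ' < "/proc/$pid/cmdline")
            name=$(awk '/^Name:/ { print $2 }' "/proc/$pid/status")
            exe=$(readlink "/proc/$pid/exe")
            echo "proto $proto inode $inode pid $pid argv '$argv' name $name exe $exe"
        done
    done
}

# Constructed /proc/net/raw listing (not captured from a real host) used to
# exercise the parser offline: an ICMP socket such as ping opens, plus one
# bound to protocol 11 (000B hex), which is the trojan's signature.
SAMPLE_RAW_LISTING='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9001 2 0 0
  11: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9002 2 0 0'

# Run the parser over the constructed listing; prints "11 9002".
demo_parse() {
    printf '%s\n' "$SAMPLE_RAW_LISTING" | raw_sockets_for_proto 11
}

case "${1-}" in
    --scan) check_host ;;   # live check on the suspect host, as root
    *)      demo_parse ;;   # offline demonstration on the constructed listing
esac
```

Invoke it as "sh find_nvp.sh --scan" as root on the suspect host; without arguments it only runs the parser over the constructed listing. The name reported from /proc/<pid>/status is taken from the executable's file name at exec time, so a process whose argv says "[mingetty]" but whose Name is "the-binary" is already a strong hint before you look at the exe link.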

Once you know where the trojan executable is and which PID runs it, stop it with "kill -KILL <PID>" (here, "kill -KILL 1200"). Before killing it, preserve what the investigation will need: copy the binary (if lsof marks it "(deleted)", copy it from /proc/<PID>/exe instead) and save the ps, netstat and lsof output, since the process state disappears with the process.

After that, proceed immediately with the standard procedures for a compromised system.