Discovery Date | Sometime in 2002 from a Honeynet system |
Length | 205108 bytes |
MD5sum | 1d726de4f7fe7e580c8fad4b3e4703f6 |
Type | Backdoor |
OS | Linux |
the-binary
combines the function of
An attacker who already holds the administrator account (root) on a Linux machine executes the program by hand.
It listens on a raw socket for IP protocol 11, which netstat shows as 0.0.0.0:11 (for raw sockets the protocol number is printed where a port would be), as in the following example:

    netstat -wln
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    raw        0      0 0.0.0.0:11              0.0.0.0:*               7
It communicates over an unusual IP protocol, number 11 (decimal 11, 0x0B; the IANA-assigned NVP-II, Network Voice Protocol), rather than over TCP or UDP. Firewalls normally do not permit such traffic, so they will log its activity. The denial-of-service attacks use spoofed source addresses, which will generate warnings as well.
To stop it, run as root the command kill -9 pid_of_false_mingetty, where pid_of_false_mingetty is the PID of the process that shows up as [mingetty] but is not the real getty.
If this binary is part of a rootkit, extra operations may be needed.
This program runs as root and hides under the process name [mingetty]. On most systems the real mingetty is /sbin/mingetty and appears in ps with its full path and the terminal it serves (for example /sbin/mingetty tty1); a process whose command line is only the bracketed name [mingetty] is the impostor, and /proc/pid/exe for it will not point at /sbin/mingetty.
An extra entry appears in the netstat output:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    ...
    raw        0      0 0.0.0.0:11              0.0.0.0:*               7
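The two indicators above, a listening raw socket on IP protocol 11 and a process that shows up only as [mingetty], can be checked automatically. The script below is an added example written for this page; it is not code from the-binary or from the original analysis. The netstat -wln and ps -eo pid,user,args outputs it parses are constructed samples embedded inline, and the function and sample names are assumptions of this example.

```python
"""Triage helpers for the-binary: find its raw IP-protocol-11 socket in
`netstat -wln` output and its fake "[mingetty]" process in `ps` output.
Both inputs below are constructed samples, not captures from a real host."""

# IANA IP protocol numbers for the few values that matter here.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 11: "NVP-II", 17: "UDP"}

# Constructed sample of `netstat -wln` (raw sockets, listening only).
# A raw socket bound to ICMP (1) is included as a benign entry.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:11              0.0.0.0:*               7
"""

# Constructed sample of `ps -eo pid,user,args`. The real gettys show their
# path and tty; PID 1337 mimics a kernel thread's bracketed name.
PS_SAMPLE = """\
  PID USER     COMMAND
  612 root     /sbin/mingetty tty1
  613 root     /sbin/mingetty tty2
 1337 root     [mingetty]
 1402 root     [kswapd]
"""


def raw_sockets(netstat_text):
    """Return [(protocol_number, local_address)] for each raw socket line.

    For raw sockets netstat prints the IP protocol number in the place
    where a TCP or UDP line would show the port, hence the :11 above."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "raw":
            continue  # header line or a tcp/udp socket
        addr, proto = fields[3].rsplit(":", 1)
        found.append((int(proto), addr))
    return found


def suspicious_raw_sockets(netstat_text, expected=(1,)):
    """Raw sockets bound to any protocol other than the ones we expect on
    this host (only ICMP by default). Protocol 11 is the-binary's channel."""
    return [(proto, PROTO_NAMES.get(proto, "other"), addr)
            for proto, addr in raw_sockets(netstat_text)
            if proto not in expected]


def fake_mingetty_pids(ps_text):
    """PIDs whose whole command line is literally "[mingetty]".

    ps prints a bracketed name only when it cannot read an argv (kernel
    threads); a user process that renames itself to "[mingetty]" imitates
    that look. A genuine /sbin/mingetty always shows its path and tty."""
    pids = []
    for line in ps_text.splitlines()[1:]:  # skip the ps header
        fields = line.split(None, 2)  # pid, user, rest of the command line
        if len(fields) == 3 and fields[2].strip() == "[mingetty]":
            pids.append(int(fields[0]))
    return pids


if __name__ == "__main__":
    for proto, name, addr in suspicious_raw_sockets(NETSTAT_SAMPLE):
        print(f"raw socket on IP protocol {proto} ({name}) bound to {addr}")
    for pid in fake_mingetty_pids(PS_SAMPLE):
        print(f"possible the-binary process: PID {pid} shown as [mingetty]")
```

Feed the functions the real netstat -wln and ps -eo pid,user,args output captured from the suspect host. For a flagged PID, readlink /proc/pid/exe shows the file actually executing, which for the impostor is not /sbin/mingetty; note that a rootkit on the same host may hide the process or the socket from these tools, in which case the evidence has to come from the network side, where a firewall or sniffer can match on IP protocol 11 directly.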
The denial-of-service attacks it launches can slow down your network connection.
An attacker sends commands to it in raw IP packets; because the channel involves no handshake, the source IP address can be spoofed. The control data is encoded with a simple algorithm. There are three backdoor commands: bind a shell to a TCP port, run a command, and run a command and send back its output. The denial-of-service functions include a TCP SYN flood, a fragmentation attack using fragmented ICMP or UDP packets, and DNS or UDP flooding.