Discovery Date: Sometime in 2002 from a Honeynet system
Length: 205108
MD5sum: 1d726de4f7fe7e580c8fad4b3e4703f6
Type: Backdoor
OS: Linux

the-binary combines the function of

Method of infection

A hacker using the administrator account (root) on a Linux machine has executed the program.

System Detection

This program uses a raw socket to communicate. On an infected system, the netstat command will show a raw socket bound to 0.0.0.0:11, as in the following example:

netstat -wln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
raw        0      0 0.0.0.0:11              0.0.0.0:*               7

Network Detection

It uses an unusual IP protocol (protocol number 11, Network Voice Protocol) to communicate. Firewalls usually do not permit such traffic, so they will log its activity. The DoS attacks using spoofed source addresses will also generate warnings.
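Added example (not part of the original report): a small Python script implementing the two host-side checks described above, a raw socket bound to IP protocol 11 in netstat output and a process calling itself mingetty that does not run /sbin/mingetty. The sample netstat text, the process list and the impostor's path are constructed for this example.

```python
# Constructed samples: the netstat output and process list are made up for
# this example. On a live host use the output of `netstat -wln` and the
# entries under /proc; the network-side equivalent is `tcpdump -n 'ip proto 11'`.
BACKDOOR_PROTO = 11               # raw IP protocol the backdoor listens on (NVP)
REAL_MINGETTY = "/sbin/mingetty"  # where the genuine mingetty lives

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:11              0.0.0.0:*               7
"""

def raw_listeners(netstat_output):
    """IP protocol numbers of the raw sockets in `netstat -wln` output.

    For a raw socket netstat prints the protocol number where the port
    would be, so '0.0.0.0:11' means a raw socket bound to IP protocol 11.
    """
    protos = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("raw"):
            protos.append(int(fields[3].rsplit(":", 1)[1]))
    return protos

def backdoor_socket_present(netstat_output, proto=BACKDOOR_PROTO):
    """True if a raw socket bound to the backdoor's protocol is listed."""
    return proto in raw_listeners(netstat_output)

def impostor_mingetty_pids(processes):
    """PIDs that call themselves mingetty but do not run /sbin/mingetty.

    `processes` holds (pid, name, exe) tuples: name as shown by ps (the
    backdoor uses '[mingetty]'), exe from readlink('/proc/<pid>/exe').
    """
    return [pid for pid, name, exe in processes
            if name.strip("[]") == "mingetty" and exe != REAL_MINGETTY]

# Two genuine gettys and one impostor; the impostor's path is a placeholder.
SAMPLE_PROCESSES = [
    (812, "mingetty", "/sbin/mingetty"),
    (813, "mingetty", "/sbin/mingetty"),
    (4711, "[mingetty]", "/tmp/the-binary"),
]

if __name__ == "__main__":
    print("raw socket protocols:", raw_listeners(SAMPLE_NETSTAT))
    print("backdoor socket present:", backdoor_socket_present(SAMPLE_NETSTAT))
    print("impostor mingetty pids:", impostor_mingetty_pids(SAMPLE_PROCESSES))
```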

Removal instructions

To stop it, run as root the command kill -9 pid_of_false_mingetty, where pid_of_false_mingetty is the PID of the fake mingetty process. If this binary is part of a rootkit, extra operations may be needed.

Symptoms

This program runs as root and hides under the name [mingetty]. On most systems, the real mingetty program is /sbin/mingetty.

An extra entry in netstat output can be seen:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
...
raw        0      0 0.0.0.0:11              0.0.0.0:*               7

The Denial of Service attacks can slow down your network connection.

Features

A hacker can send commands using raw packets, and the source IP can be spoofed. Network control data is encoded using a simple algorithm. There are three backdoor commands: bind a shell on a TCP port, run a command, and run a command and send back its output. The Denial of Service functions include a TCP SYN flood, a fragmentation attack involving fragmented ICMP or UDP packets, and DNS or UDP flooding.