--------------------------------------------------------------------------------
Advisory: CERIAS-2002-01 - NVP DoS Zombie
Date: 05/31/02
Systems Affected: All x86 Linux systems
--------------------------------------------------------------------------------
Overview:
A denial of service (DoS) zombie executable that uses Network Voice Protocol
(NVP) IP packets for its control messages and also provides remote root shell
access to a host.
In-Depth Description:
A binary has been discovered that is capable of performing several denial
of service attacks: TCP SYN flooding, UDP flooding, ICMP ping flooding,
ICMP smurf attacks, DNS zone transfer flooding, and DNS zone transfer
reflector attacks. The binary, which disguises itself as a "[mingetty]"
process, also allows arbitrary remote command execution and can provide
a remote root shell.
For its control messages, the binary uses the NVP protocol, which is carried
directly in IP packets rather than over TCP or UDP.
Impact:
A host running this binary has been compromised, and other malicious software
may also have been installed on it. An immediate investigation of the host is
necessary.
Detection/Defending:
To determine if your system has been compromised, look for the
following:
FILES/PORTS
------------------------------------------------------------------------
- existence or creation of the file "/tmp/.hj237349". (Note: this
file may exist for only a short period of time.)
- a process titled "[mingetty]" in the process list. (Note: a more
general detection method is to compare the output of "ps
-aux" with that of "ps -auxc" and look for a process whose
displayed name differs from its real command name, i.e. one
masking itself under another name.)
- a TCP socket listening on port 23281
- an open raw IP socket of type NVP (especially on a system where
NVP has no legitimate use)
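The following Python script is an added example, not part of the original CERIAS advisory. It checks the host-side indicators above: the temporary file, a TCP listener on port 23281 (read from /proc/net/tcp, where the port appears as hex 5AF1 and state 0A means LISTEN), a raw IP socket bound to NVP (IP protocol 11, which /proc/net/raw reports in the local-port column), and the "ps" comparison done directly against /proc by comparing each process's kernel-side executable name (comm, what the c option of ps prints) with the name it displays in argv[0]. The /proc formats are Linux-specific. The sample /proc text and process list at the bottom are constructed for offline testing, and the process name "nvpzombie" is an invented placeholder.

```python
import os

# Host-side indicators named in the advisory.
SUSPECT_FILE = "/tmp/.hj237349"
BACKDOOR_PORT = 23281
NVP_PROTO = 11          # IANA protocol number for NVP-II (Network Voice Protocol)


def parse_proc_net(text):
    """Parse /proc/net/tcp- or /proc/net/raw-style text into (local_port, state) pairs.
    Ports and states are hex in the kernel's output; the first line is a column header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or ":" not in fields[1]:
            continue
        port_hex = fields[1].rsplit(":", 1)[1]
        rows.append((int(port_hex, 16), fields[3]))
    return rows


def tcp_listener_present(proc_net_tcp, port=BACKDOOR_PORT):
    # State 0A is TCP_LISTEN.
    return any(p == port and st == "0A" for p, st in parse_proc_net(proc_net_tcp))


def raw_socket_present(proc_net_raw, proto=NVP_PROTO):
    # For raw sockets the kernel shows the IP protocol number in the local port column.
    return any(p == proto for p, _ in parse_proc_net(proc_net_raw))


def masked_processes(procs):
    """procs: iterable of (pid, comm, argv0).
    comm is the kernel's name for the executable; argv0 is the name the process chose
    to display. A user process showing a bracketed name is impersonating a kernel
    thread; any other mismatch is flagged for manual review."""
    hits = []
    for pid, comm, argv0 in procs:
        if not argv0:
            continue                      # genuine kernel threads have an empty cmdline
        shown = os.path.basename(argv0).lstrip("-")[:15]   # comm is truncated to 15 bytes
        if argv0.startswith("[") and argv0.endswith("]"):
            hits.append((pid, comm, argv0, "claims-kernel-thread"))
        elif shown != comm:
            hits.append((pid, comm, argv0, "name-mismatch"))
    return hits


def live_processes():
    """Collect (pid, comm, argv0) from /proc on a live Linux host."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().rstrip("\n")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode("latin-1")
        except OSError:
            continue                      # process exited while we were reading
        out.append((pid, comm, argv0))
    return out


def host_report():
    """Run every check against the live host (Linux only)."""
    report = {"suspect_file": os.path.exists(SUSPECT_FILE)}
    try:
        with open("/proc/net/tcp") as f:
            report["backdoor_listener"] = tcp_listener_present(f.read())
        with open("/proc/net/raw") as f:
            report["nvp_raw_socket"] = raw_socket_present(f.read())
        report["masked_processes"] = masked_processes(live_processes())
    except OSError as exc:
        report["error"] = f"/proc not readable: {exc}"
    return report


# Constructed samples (not captured from a real host) for offline testing.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:5AF1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1\n"
    "   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19420 1\n"
)
SAMPLE_PROC_NET_RAW = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31338 1\n"
)
SAMPLE_PROCS = [
    ("1", "init", "/sbin/init"),
    ("2", "kthreadd", ""),
    ("1234", "bash", "-bash"),
    ("555", "sshd", "sshd: alice [priv]"),
    ("999", "nvpzombie", "[mingetty]"),   # invented placeholder for the masked binary
]

if __name__ == "__main__":
    print("sample listener:", tcp_listener_present(SAMPLE_PROC_NET_TCP))
    print("sample raw NVP socket:", raw_socket_present(SAMPLE_PROC_NET_RAW))
    print("sample masked processes:", masked_processes(SAMPLE_PROCS))
    print("live host:", host_report())
```

Run it as root on the suspect host. The "name-mismatch" entries are noisy (daemons that rewrite argv[0], such as sshd session handlers, show up there) and are meant for manual review; a user process displaying a bracketed name, on the other hand, has no legitimate reason to do so.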
IRREGULAR NETWORK TRAFFIC
------------------------------------------------------------------------
- NVP traffic to or from the host, especially outgoing NVP packets sent
to up to 10 different addresses at once whose IP payload begins with
the bytes 03 00, and incoming NVP packets whose payload begins with
the bytes 02 00.
- high volumes of DNS UDP traffic, TCP SYN requests, ICMP pings,
or general UDP packets emanating from the host.
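As an added example that is not part of the advisory, the Python below parses IPv4 packets, keeps only NVP traffic (IP protocol 11) involving the monitored host, tags packets whose payload begins with the 03 00 or 02 00 bytes described above, and counts how many distinct peers the host sends control packets to, which is the fan-out indicator the advisory mentions. The capture is constructed inline with a small packet builder; addresses such as 10.0.0.5 are placeholders, and the payload bytes after the first two are filler.

```python
import ipaddress
import struct

NVP_PROTO = 11                 # IANA protocol number for NVP-II
CONTROL_OUT = b"\x03\x00"      # first IP-payload bytes of the zombie's outgoing control packets
CONTROL_IN = b"\x02\x00"       # first IP-payload bytes of incoming control packets


def ipv4_checksum(header):
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=0):
    """Constructed-packet helper: 20-byte header without options, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload), or None for anything that is not a sane IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # header length honours IP options
    if ihl < 20 or len(pkt) < ihl:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def classify(pkt, host_ip):
    """Tag NVP packets involving host_ip as (direction, peer, kind); None for everything else."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    src, dst, proto, payload = parsed
    if proto != NVP_PROTO or host_ip not in (src, dst):
        return None
    outgoing = src == host_ip
    peer = dst if outgoing else src
    if outgoing and payload[:2] == CONTROL_OUT:
        return ("out", peer, "zombie-control")
    if not outgoing and payload[:2] == CONTROL_IN:
        return ("in", peer, "zombie-control")
    return ("out" if outgoing else "in", peer, "nvp-other")


def summarize(packets, host_ip):
    """Count (direction, kind) pairs and collect the peers receiving control packets from the host."""
    counts = {}
    control_peers = set()
    for pkt in packets:
        tag = classify(pkt, host_ip)
        if tag is None:
            continue
        direction, peer, kind = tag
        counts[(direction, kind)] = counts.get((direction, kind), 0) + 1
        if direction == "out" and kind == "zombie-control":
            control_peers.add(peer)
    return counts, sorted(control_peers)


HOST = "10.0.0.5"   # placeholder address for the monitored host


def constructed_capture():
    """Offline sample: ten outgoing control packets, one incoming reply, one other NVP packet, one ICMP echo."""
    pkts = [build_ipv4(HOST, f"10.0.0.{n}", NVP_PROTO, CONTROL_OUT + b"\x00" * 6, ident=n)
            for n in range(10, 20)]
    pkts.append(build_ipv4("10.0.0.7", HOST, NVP_PROTO, CONTROL_IN + b"\x00" * 6))
    pkts.append(build_ipv4("10.0.0.8", HOST, NVP_PROTO, b"\x01\x00"))
    pkts.append(build_ipv4(HOST, "10.0.0.9", 1, b"\x08\x00\x00\x00"))   # ICMP, ignored
    return pkts


if __name__ == "__main__":
    counts, peers = summarize(constructed_capture(), HOST)
    print(counts)
    print(len(peers), "distinct control-packet destinations:", peers)
```

On a live network the same traffic can be isolated with tcpdump's filter expression 'ip proto 11' (for example, tcpdump -ni eth0 'ip proto 11') and the raw packet bytes handed to parse_ipv4; any NVP at all on a host that has no voice application is already worth a look.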
Once a suspicious binary has been found:
- check whether the binary is stripped and statically linked
- run the "strings" tool on the binary and look for the following
strings, in this order:
[mingetty]
/tmp/.hj237349
/bin/csh -f -c "%s" 1> %s 2>&1
TfOjG
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.
PATH
HISTFILE
linux
TERM
/bin/sh
/bin/csh -f -c "%s"
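To make the ordered "strings" check repeatable, here is an added Python example that is not part of the advisory. It extracts printable runs of four or more bytes the way the strings tool does by default, then confirms that the eleven indicator strings occur in the listed order. The sample "binary" it scans is constructed from those strings with non-printable filler between them; it is not the real zombie.

```python
import re
import sys

# Strings the advisory lists, in the order they appear in the binary.
INDICATORS = [
    b"[mingetty]",
    b"/tmp/.hj237349",
    b'/bin/csh -f -c "%s" 1> %s 2>&1',
    b"TfOjG",
    b"/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.",
    b"PATH",
    b"HISTFILE",
    b"linux",
    b"TERM",
    b"/bin/sh",
    b'/bin/csh -f -c "%s"',
]


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like the strings tool's default."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def ordered_match(found, indicators=INDICATORS):
    """True when every indicator occurs, in the given order, across the extracted strings.
    Containment rather than equality is used because strings merges adjacent printable
    bytes into one run, so an indicator may sit inside a longer run."""
    i = 0
    for s in found:
        if i < len(indicators) and indicators[i] in s:
            i += 1
    return i == len(indicators)


def scan_file(path):
    """Return True if the file at path carries the indicator strings in order."""
    with open(path, "rb") as f:
        return ordered_match(extract_strings(f.read()))


def constructed_sample():
    """Fake 'binary' (constructed, not the real zombie): the indicators separated by
    non-printable filler bytes, with an ELF-like prefix that is too short to be a string."""
    filler = b"\x7fELF\x01\x01\x01" + bytes(range(0, 32))
    return filler + filler.join(INDICATORS) + filler


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "matches" if scan_file(sys.argv[1]) else "does not match")
    else:
        print("constructed sample matches:", ordered_match(extract_strings(constructed_sample())))
```

Pass the path of the suspect binary as the first argument; with no argument it scans the constructed sample. Whether the binary is stripped and statically linked can be read from the output of the file command, which reports "statically linked" and "stripped" for such an executable.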