The Reverse Challenge
Advisory
Honeyp.edu
Incident Summary
An unauthorized program, placed by a malicious user, has been found on at least one of the
machines in the university. This document covers:
- How it works
- The threat
- Detection
- Defending
1. How it works
The program is a server that listens for commands embedded in IP packets carrying protocol number 11.
These commands allow the external user to launch Denial of Service attacks using TCP SYN packets,
DNS queries, and ICMP and UDP packets. In addition, the user can execute commands, obtain a root
shell, and check whether an attack is running and which one. The shell access is provided over TCP
port 23281.
2. The threat
The threat level of this program is very high. Any infected computer must be assumed to be fully
compromised, since the intruder has full access to the machine. Any traffic on the same network segment
may also have been observed. As with any DoS attack, there is additional load on our network resources
as well as the threat to the target(s) themselves.
3. Detection
A running instance of the program can be detected by using netstat --raw -na to look for
any raw sockets with protocol 11. Running instances of the program change their command string to
"[mingetty]". Detection of the binary file will require a thorough search of
the hard drives. Properties of the binary that may be useful for the search include:
- size = 205108
- cksum = 2513943409
- md5sum = 1d726de4f7fe7e580c8fad4b3e4703f6
- contains the string "[mingetty]"
- contains the string "The Linux C library 5.3.12"
Any suspected programs should be saved for further study.
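The detection checks above, as an added example that is not part of the advisory: it parses netstat --raw -na output for raw sockets on protocol 11, ps output for the "[mingetty]" command string, and a candidate file's bytes for the size, md5sum and strings listed. The netstat and ps outputs are constructed samples, and the assumption that netstat prints a raw socket's protocol number in the local port position is noted in the code.

```python
import hashlib

# Indicators taken from the advisory above.
BACKDOOR_PROTO = 11
DISGUISED_NAME = "[mingetty]"
BINARY_SIZE = 205108
BINARY_MD5 = "1d726de4f7fe7e580c8fad4b3e4703f6"
BINARY_STRINGS = (b"[mingetty]", b"The Linux C library 5.3.12")

# Constructed sample output of `netstat --raw -na` and `ps -eo pid,args`;
# assumes netstat prints a raw socket's protocol number in the local port slot.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:11              0.0.0.0:*               7
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
"""
PS_SAMPLE = """\
  PID COMMAND
  412 /sbin/mingetty tty1
 1337 [mingetty]
"""

def raw_socket_protocols(netstat_output):
    """IP protocol numbers of every raw socket listed in the netstat output."""
    protos = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "raw":
            proto = fields[3].rsplit(":", 1)[-1]
            if proto.isdigit():
                protos.append(int(proto))
    return protos

def backdoor_socket_present(netstat_output):
    return BACKDOOR_PROTO in raw_socket_protocols(netstat_output)

def disguised_pids(ps_output):
    """PIDs whose command string is exactly the disguise the advisory names."""
    rows = (line.split(None, 1) for line in ps_output.splitlines()[1:])
    return [int(r[0]) for r in rows if len(r) == 2 and r[1].strip() == DISGUISED_NAME]

def binary_indicators(data):
    """Advisory indicators (size, md5, strings) that a candidate file's bytes match."""
    hits = [name for name, ok in (
        ("size", len(data) == BINARY_SIZE),
        ("md5", hashlib.md5(data).hexdigest() == BINARY_MD5),
    ) if ok]
    hits += ["string:" + s.decode() for s in BINARY_STRINGS if s in data]
    return hits
```

Run binary_indicators over the bytes of each suspect file found during the disk search; a size or md5 hit identifies this exact binary, while a strings-only hit marks a file worth keeping for study.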
4. Defending
In addition to standard security measures, there are several steps that can be taken. First, look
for any network traffic using IP protocol 11 (or better, any non-standard protocol), any malformed
IP headers (i.e. the fragment flag clear with a non-zero fragment offset), and TCP connections to port 23281.
This will catch some of the traffic used by this program.
To avoid this program being started accidentally, all systems not currently running
Tripwire or other similar software should have it installed. The configuration on all machines
should be checked to ensure that they are up to date.