1. Summary
An unauthorized program, placed by a malicious user, has been found on at least one of the machines in the university. This document describes the threat the program poses, how to detect it on a machine, and how to defend against it.
2. The threat
This program poses a serious threat both to the local machine and to other machines reachable
from the network. Any file on the infected machine may be read or modified. The attacker may
also watch local network traffic and thereby obtain passwords or other sensitive information.
Used as a platform for a DoS attack, the infected computer may disrupt the operation of other
computers on the network and degrade local network resources.
3. Detection
You can tell whether the program is currently running on your machine with the netstat command.
Execute netstat --raw -na and look for a line listing a raw socket with a local address of
0.0.0.0:11, as in the example output below, which is from an infected machine. Note that for raw
sockets netstat prints the IP protocol number in the position where a port would normally appear,
so the 11 is a protocol number, not a TCP or UDP port; a line such as 0.0.0.0:111 is not a match.
If you find that your machine is infected, stop using it and notify the technical department
immediately. If that line does not appear in the output, the program is not currently running.
Beware that your machine may still contain the program even if it is not running, so a clean
netstat listing is not proof that the machine is clean. On systems without net-tools, ss -wan
lists raw sockets in a similar (but not identical) format.
infected$ netstat --raw -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:11              0.0.0.0:*               7
infected$
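The check above can be scripted so it can be run on many machines or against saved netstat listings. The following is an added example and not part of the original advisory; the two netstat listings embedded in it are constructed for testing, not captured from a real host, and the script assumes the net-tools netstat that supports --raw.

```sh
#!/bin/sh
# Added example (not from the advisory): scan "netstat --raw -na" output for the
# indicator described above, a raw socket bound to local address 0.0.0.0:11.
# The two sample listings below are constructed for testing, not real captures.

SAMPLE_INFECTED='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:11              0.0.0.0:*               7'

SAMPLE_CLEAN='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:1               0.0.0.0:*               7'

# Reads netstat output on stdin and prints INFECTED if a raw socket whose whole
# Local Address field is exactly 0.0.0.0:11 is present, otherwise CLEAN.
# Matching the complete field (not a substring) avoids false positives on
# addresses such as 0.0.0.0:111 or 10.0.0.11:11.  Always returns 0; the verdict
# is the printed word.
scan_netstat() {
    awk '$1 == "raw" && $4 == "0.0.0.0:11" { hit = 1 }
         END { print (hit ? "INFECTED" : "CLEAN") }'
}

# Run the check against the live machine (requires net-tools netstat).
live_check() {
    netstat --raw -na 2>/dev/null | scan_netstat
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Self-test against the constructed samples: prints INFECTED then CLEAN.
    printf '%s\n' "$SAMPLE_INFECTED" | scan_netstat
    printf '%s\n' "$SAMPLE_CLEAN" | scan_netstat
fi
```

Run it with --live on a machine to check the running system, or without arguments to see it classify the two constructed listings. As the advisory notes, a CLEAN verdict only means the program is not running at that moment; it may still be present on disk.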
4. Defending
Normal security precautions should be taken to avoid running this program in the first place.
Don't use easily guessed passwords, keep the machine locked when you are not at it, and so on.
This will go a long way toward keeping the program off the computer. Also, do not use root or su
any more than you absolutely have to, and when you do, make sure you know which executables you
are running.