--------------------------------------------------------------------------------
Advisory: CERIAS-2002-01 - NVP DoS Zombie
Date: 05/31/02

Systems Affected: All x86 Linux systems
--------------------------------------------------------------------------------

Overview:

A denial of service (DoS) zombie executable that uses Network Voice Protocol (NVP) IP packets for its control messages and also provides remote root shell access to a host.

In-Depth Description:

A binary has been discovered that is capable of performing several denial of service attacks: TCP SYN flooding, UDP flooding, ICMP ping flooding, ICMP smurf attacks, DNS zone transfer flooding, and DNS zone transfer reflector attacks. The binary, which disguises itself as a "[mingetty]" process, also allows arbitrary remote command execution and can provide a remote root shell.

Its control messages are carried in Network Voice Protocol (NVP) packets, which travel directly over IP (IP protocol number 11) rather than over TCP or UDP, so they do not show up as an open port.

Impact:

The machine has been compromised and other malicious software could be installed on the system. An immediate investigation of the host is necessary.

Detection/Defending:

To determine if your system has been compromised, look for the following:

FILES/PORTS
------------------------------------------------------------------------

IRREGULAR NETWORK TRAFFIC
------------------------------------------------------------------------

Once a suspicious binary has been found, check it for the following strings (for example with the strings utility):

[mingetty]
/tmp/.hj237349
/bin/csh -f -c "%s" 1> %s 2>&1
TfOjG
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.
PATH
HISTFILE
linux
TERM
/bin/sh
/bin/csh -f -c "%s"
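The detection points above, written out as an added Python example (not code from the advisory or from CERIAS): a filter that flags NVP traffic by the IPv4 protocol field (NVP-II is IP protocol 11), a search of a binary image for the indicator strings listed above, and a /proc check that tells a userland process wearing the "[mingetty]" name apart from a genuine kernel thread, whose /proc/PID/cmdline is empty. The header builder and the sample blobs are constructed here purely to exercise the checks.

```python
import os
import struct

# Indicator strings quoted in the advisory's strings listing above.
INDICATOR_STRINGS = [
    b"[mingetty]",
    b"/tmp/.hj237349",
    b'/bin/csh -f -c "%s" 1> %s 2>&1',
    b"TfOjG",
    b"/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.",
]

NVP_PROTOCOL = 11  # IANA IPv4 protocol number for NVP-II

def ipv4_protocol(packet: bytes) -> int:
    """Return the protocol field of a raw IPv4 packet (20-byte header or longer)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[9]  # byte 9 of the IPv4 header is the protocol number

def is_nvp_packet(packet: bytes) -> bool:
    """True when the packet rides on NVP, i.e. a candidate zombie control message."""
    return ipv4_protocol(packet) == NVP_PROTOCOL

def build_ipv4_header(proto: int, src: bytes, dst: bytes) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) for exercising the check."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src, dst)

def matching_indicators(blob: bytes) -> list:
    """Which advisory indicator strings occur in a binary image (like strings | grep)."""
    return [s.decode() for s in INDICATOR_STRINGS if s in blob]

def is_masquerading_getty(cmdline: bytes) -> bool:
    """/proc/PID/cmdline is empty for a real kernel thread; a user process that rewrote
    argv[0] to '[mingetty]' has a non-empty cmdline whose first argument has brackets."""
    return cmdline.split(b"\0")[0] == b"[mingetty]"

def scan_proc(proc_root: str = "/proc") -> list:
    """PIDs of processes presenting themselves as '[mingetty]' (Linux only)."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
                if is_masquerading_getty(f.read()):
                    hits.append(int(pid))
        except OSError:
            continue  # process exited or cmdline not readable
    return hits
```

On the wire, the same packet filter is `ip proto 11` in tcpdump/BPF syntax; a real mingetty shows up in ps as "/sbin/mingetty ttyN", never with brackets.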