--------------------------------------------------------------------------------
Advisory: CERIAS-2002-01 - NVP DoS Zombie
Date: 05/31/02
Systems Affected: All x86 Linux systems
--------------------------------------------------------------------------------
Overview:
A denial of service (DoS) zombie executable that uses Network Voice
Protocol (NVP) IP packets for its control messages and also
provides remote root shell access to the host it runs on.
In-Depth Description:
A binary has been discovered that is capable of performing several
denial of service attacks: TCP SYN flooding, UDP flooding, ICMP ping
flooding, ICMP ping smurf attacks, DNS zone transfer flooding, and
DNS zone transfer reflector attacks. The binary, which disguises
itself as a "[mingetty]" process, also allows arbitrary remote
command execution and can provide a remote root shell.
Its control messages are carried in NVP, a transport-layer protocol
that runs directly over IP (not over TCP or UDP).
Impact:
A host on which this binary is found has been compromised, and other
malicious software may have been installed on the system. An immediate
investigation of the host is necessary.
Detection/Defending:
To determine if your system has been compromised, look for the following:
FILES/PORTS
------------------------------------------------------------------------
- existence or creation of the file "/tmp/.hj237349". (Note: this
file may exist for only a short period of time.)
- a process titled "[mingetty]" in the process list. (Note: a
more general detection method is to compare the output of "ps -aux"
with that of "ps -auxc" and look for a process whose command-line
name differs from its executable name, i.e. one masking itself
under another name.)
- a TCP socket listening on port 23281
- an open raw IP socket of protocol type NVP (especially if NVP
has no legitimate use on the system)
IRREGULAR NETWORK TRAFFIC
------------------------------------------------------------------------
- existence of NVP traffic to or from the host, especially
outgoing NVP packets to up to 10 different addresses at once
whose IP payload begins with the bytes 03 00, and incoming NVP
packets whose IP payload begins with the bytes 02 00.
- high volumes of DNS UDP traffic, TCP SYN requests, ICMP pings,
or general UDP packets emanating from the host.
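The network indicators above can be checked mechanically against captured IP packets. The following is an added example, not part of the CERIAS advisory: it parses raw IPv4 packets, flags NVP packets whose payload starts with the 03 00 (outgoing) or 02 00 (incoming) control marker, and collects the distinct destinations of outgoing control packets, since fan-out to many hosts is itself an indicator. It assumes the advisory's "NVP" is IANA IP protocol number 11 (NVP-II); the sample packets are constructed with documentation addresses, not captures from the binary.

```python
import struct
from collections import defaultdict
NVP_PROTO = 11  # assumption: the advisory's "NVP" is IANA protocol number 11 (NVP-II)
CMD_OUT = b"\x03\x00"  # first IP payload bytes of outgoing control packets (per advisory)
CMD_IN = b"\x02\x00"   # first IP payload bytes of incoming control packets (per advisory)

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet (no options, zero checksum) used only to construct test data."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[9], pkt[ihl:total_len]

def classify_nvp(pkt, host_ip):
    """'control_out' / 'control_in' / 'nvp_other' for NVP packets, None otherwise."""
    parsed = parse_ipv4(pkt)
    if parsed is None or parsed[2] != NVP_PROTO:
        return None
    src, dst, _, payload = parsed
    if src == host_ip and payload.startswith(CMD_OUT):
        return "control_out"
    if dst == host_ip and payload.startswith(CMD_IN):
        return "control_in"
    return "nvp_other"

def scan(packets, host_ip):
    """Count NVP packets per label and collect distinct outgoing control targets."""
    counts, targets = defaultdict(int), set()
    for pkt in packets:
        label = classify_nvp(pkt, host_ip)
        if label is None:
            continue
        counts[label] += 1
        if label == "control_out":
            targets.add(parse_ipv4(pkt)[1])  # fan-out to many hosts is itself an indicator
    return dict(counts), sorted(targets)

HOST = "192.0.2.10"  # constructed sample traffic below uses documentation addresses only
SAMPLE = [build_ipv4(HOST, "198.51.100.%d" % i, NVP_PROTO, b"\x03\x00cmd") for i in (1, 2, 3)]
SAMPLE += [build_ipv4("198.51.100.7", HOST, NVP_PROTO, b"\x02\x00ack"),
           build_ipv4(HOST, "198.51.100.9", 17, b"\x03\x00"),         # UDP: not NVP
           build_ipv4(HOST, "198.51.100.9", NVP_PROTO, b"\x09\x00")]  # NVP without control marker
```

On a live system the packets would come from a raw-socket or pcap capture; any non-empty "control_out" or "control_in" count on a host with no legitimate NVP use warrants investigation.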
Once a suspicious binary has been found:
- check whether the binary is stripped and statically linked
- run the "strings" tool on the binary and look for the following
strings (in this sequence):
[mingetty]
/tmp/.hj237349
/bin/csh -f -c "%s" 1> %s 2>&1
TfOjG
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.
PATH
HISTFILE
linux
TERM
/bin/sh
/bin/csh -f -c "%s"