<p>The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.</p>
<h2>Distributed Network Sniffer</h2>
<p>Monday, October 25, 1999</p>
<h3>Overview</h3>
<p>We have received reports of intruders using distributed network sniffers to capture usernames and passwords. The distributed sniffer consists of a client portion and a server portion. The sniffer clients have been found exclusively on compromised Linux hosts.</p>
<h3>Description</h3>
<p>The following characteristics may be present on compromised hosts running the sniffer client:</p>
<ul>
<li>The sniffer clients have been found exclusively on compromised Linux hosts. Some reports indicate that a vulnerability in the cron daemon may be used to obtain privileged access. We suspect that user accounts with compromised passwords may be used to gain initial access.</li>
<li>The executing sniffer binary may appear in the process list under a deceptive name, such as in.telnetd. Here is an example of the client as it appeared in the process list of a compromised host:
<pre>
in.telnetd ARGS=/sbin/init 59300 NO_MOD_PARMS=install ARGS=/USR/SBIN/CRON EMB= ARG=/tmp/passwd LOGHOST=xxx.xxx.xxx.xxx
</pre>
The value of LOGHOST appears to be one or more IP addresses of remote sniffer servers.</li>
<li>The binary /sbin/init may be replaced with an intruder-supplied binary, with the original moved to /dev/init. The malicious /sbin/init binary uses kernel modules to conceal system changes. An existing /dev/init copy may still be visible to stat() if its full path is given (e.g., "ls -l /dev/init").</li>
<li>UDP packets containing username and password information may be sent to one or more remote sniffer servers using source port 21845/udp.</li>
</ul>
<p>The characteristics of the sniffer server include these:</p>
<ul>
<li>Appears to listen for incoming UDP packets from sniffer clients on port 21845/udp.</li>
<li>May run as an ordinary user without privileges.</li>
</ul>
<h3>Solutions</h3>
<p>If you believe a host has been compromised, we encourage you to disconnect the host from the network and review our steps for recovering from a root compromise:</p>
<dl>
<dd><a href="http://www.cert.org/tech_tips/root_compromise.html">http://www.cert.org/tech_tips/root_compromise.html</a></dd>
</dl>
<p>We encourage you to ensure that your hosts are current with security patches or work-arounds for well-known vulnerabilities.</p>
<p>Copyright 1999 Carnegie Mellon University.</p>
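<p>As an added illustration that is not part of the original incident note, the following Python checks encode the client indicators listed in the Description (an in.telnetd process carrying a LOGHOST argument, a displaced /dev/init, and traffic on 21845/udp) so they can be run over collected process-list and flow data. The sample process list and flow records are constructed, and 192.0.2.10 and 10.0.0.5 are placeholder addresses.</p>

```python
import os
import re

# Indicators taken from the incident note: the client masquerades as in.telnetd and
# carries LOGHOST=<sniffer server IP> in its argument string; the original /sbin/init
# is moved to /dev/init; captured credentials leave the host from 21845/udp.
SNIFFER_PORT = 21845
CLIENT_PATTERN = re.compile(r"\bin\.telnetd\b.*\bLOGHOST=(?P<host>\S+)")

# Constructed sample of `ps -eo pid,args` output: one genuine in.telnetd (pid 1402)
# and one sniffer client (pid 1337) reporting to the placeholder server 192.0.2.10.
PS_SAMPLE = """\
  PID COMMAND
    1 /sbin/init
 1337 in.telnetd ARGS=/sbin/init 59300 NO_MOD_PARMS=install ARGS=/USR/SBIN/CRON EMB= ARG=/tmp/passwd LOGHOST=192.0.2.10
 1402 in.telnetd
"""

# Constructed UDP flow records as (src_ip, src_port, dst_ip, dst_port).
FLOW_SAMPLE = [
    ("10.0.0.5", 21845, "192.0.2.10", 21845),  # client reporting to its server
    ("10.0.0.5", 53000, "10.0.0.1", 53),       # ordinary DNS lookup, must not match
]


def suspicious_processes(ps_output):
    """Return (pid, loghost) for lines matching the client signature; a plain in.telnetd is ignored."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            match = CLIENT_PATTERN.search(parts[1])
            if match:
                hits.append((int(parts[0]), match.group("host")))
    return hits


def suspicious_udp_flows(flows):
    """Flag hosts sending from or receiving on 21845/udp; port alone is weak, so correlate with a process hit."""
    findings = []
    for src_ip, src_port, dst_ip, dst_port in flows:
        if src_port == SNIFFER_PORT:
            findings.append(("client", src_ip, dst_ip))
        if dst_port == SNIFFER_PORT:
            findings.append(("server", dst_ip, src_ip))
    return findings


def displaced_init_present(path="/dev/init"):
    """stat() the full path: a module-hidden file can be missing from a listing yet answer a direct lookup."""
    return os.path.exists(path)
```

Run the three functions over real `ps -eo pid,args` output and exported flow records; a process hit whose LOGHOST matches the server address in a flow finding is the strongest signal.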