The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Distributed Network Sniffer</h2>

Monday, October 25, 1999
<p>
<h3>Overview</h3>

We have received reports of intruders using distributed
network sniffers to capture usernames and passwords. The distributed
sniffer consists of a client and a server portion. The sniffer clients
have been found exclusively on compromised Linux hosts.
<p>
<h3>Description</h3>

The following characteristics may be present on compromised hosts
running the sniffer client:
<p>
<ul>
<li>The sniffer clients have been found exclusively on compromised
    Linux hosts. Some reports indicate a vulnerability in the cron
    daemon may be used to obtain privileged access. We suspect
    user accounts with compromised passwords may be used to gain
    initial access.</li>
<li>The executing sniffer binary may appear in the process list using
    a deceptive name, such as in.telnetd. Here is an example of the
    client as found in the process list of a compromised host:<br/>
<pre>
    in.telnetd ARGS=/sbin/init 59300 NO_MOD_PARMS=install 
    ARGS=/USR/SBIN/CRON EMB= ARG=/tmp/passwd LOGHOST=xxx.xxx.xxx.xxx
</pre>
    The value of LOGHOST appears to be one or more IP addresses of
    remote sniffer servers.</li>
<li>The binary /sbin/init may be replaced with an intruder-supplied
    binary, with the original moved to /dev/init. The malicious
    /sbin/init binary makes use of kernel modules to conceal system
    changes. An existing /dev/init copy may still be visible to stat() if
    its full path is given (e.g., "ls -l /dev/init").</li>
<li>UDP packets containing username and password information may
    be sent to one or more remote sniffer servers using source port
    21845/udp.</li>
</ul>
<p>
The characteristics of the sniffer server include these:
<ul>
<li>Appears to listen for incoming UDP packets from sniffer clients on
    port 21845/udp.</li>
<li>May run as an ordinary user without privileges.</li>
</ul>
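The client and server characteristics above, turned into host checks as an added example (this is not code from the CERT note): it looks for the LOGHOST= argument in ps output whatever name the binary runs under, parses /proc/net/udp text for sockets bound to 21845/udp, and stats /dev/init by its full path. The sample ps line and /proc/net/udp rows are constructed, and the 192.0.2.10 LOGHOST value is a documentation-range placeholder.

```python
import os
import re
import subprocess

SNIFFER_PORT = 21845  # UDP port used by the sniffer client and server (from the note)

# Constructed sample of `ps axww -o args=` output; the second line mirrors the
# note's process-list entry, with a documentation-range address as LOGHOST.
SAMPLE_PS = """\
/sbin/init
in.telnetd ARGS=/sbin/init 59300 NO_MOD_PARMS=install ARGS=/USR/SBIN/CRON EMB= ARG=/tmp/passwd LOGHOST=192.0.2.10
/usr/sbin/cron
"""

# Constructed sample of /proc/net/udp; local ports are hex, and 0x5555 == 21845.
SAMPLE_PROC_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234 2 0
   1: 00000000:5555 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 5678 2 0
"""

def suspicious_processes(ps_output):
    """Return (process name, LOGHOST) for every line carrying the sniffer's LOGHOST= argument."""
    hits = []
    for line in ps_output.splitlines():
        match = re.search(r"\bLOGHOST=([\d.,]+)", line)
        if match:  # the first token is the (possibly deceptive) name, e.g. in.telnetd
            hits.append((line.split()[0], match.group(1)))
    return hits

def udp_sockets_on_port(proc_net_udp, port=SNIFFER_PORT):
    """Return the UIDs owning UDP sockets bound to `port`, parsed from /proc/net/udp text."""
    uids = []
    for line in proc_net_udp.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) >= 8 and int(fields[1].split(":")[1], 16) == port:
            uids.append(int(fields[7]))  # a bound 21845/udp socket matches server or client
    return uids

def displaced_init_present(path="/dev/init"):
    """stat() the full path: the note says the moved init can stay visible that way."""
    return os.path.lexists(path)

if __name__ == "__main__":  # run the same three checks against the live host
    ps = subprocess.run(["ps", "axww", "-o", "args="], capture_output=True, text=True).stdout
    with open("/proc/net/udp") as fh:
        udp = fh.read()
    print("processes with LOGHOST=:", suspicious_processes(ps))
    print("UIDs bound to %d/udp:" % SNIFFER_PORT, udp_sockets_on_port(udp))
    print("/dev/init present:", displaced_init_present())
```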
<p>
<h3>Solutions</h3>

If you believe a host has been compromised, we encourage you to
disconnect the host from the network and review our steps for
recovering from a root compromise:
<p>
<dl>
<dd><a href="http://www.cert.org/tech_tips/root_compromise.html">
http://www.cert.org/tech_tips/root_compromise.html</a>
</dd></dl>
<p>
We encourage you to ensure that your hosts are current with security
patches or work-arounds for well-known vulnerabilities. 

<p>Copyright 1999 Carnegie Mellon University.</p>
</p></p></p></p></p></p></p>