| VID | 24021 |
| Severity | 40 |
| Port | 31337, .. |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description | The remote port appears to be running a backdoor that spawns a shell for remote users, or some form of shell script that is executed with user-supplied input. Either would allow a remote attacker to execute arbitrary code. If the daemon on this port is a backdoor, it may have been installed by attackers. If it is not a backdoor, the application running on the remote port does not strip shell meta characters such as '`', '', '|' from user input. |
| Recommendation |
If the port daemon is a backdoor, the computer should be considered completely compromised, and it should be removed from any network or Internet connectivity.

To locate the backdoor on a system from inetd.conf:

1. Open the inetd.conf file using an editor such as 'vi'.
2. If there are lines that include '/usr/bin/sh' or '/bin/sh', remove those lines from inetd.conf.
3. Type the following command to make the 'inetd' daemon re-read its configuration (signal 1 is SIGHUP):

       kill -1 INETD_PID

To locate the backdoor on a system using lsof:

1. Type the following command, replacing "port" with the port number on which the backdoor executable is listening:

       lsof -i TCP:port

2. Compare the output to the following output to locate the process that is listening on the specified TCP port:

       # lsof -i TCP:31337
       COMMAND  PID  USER  FD  TYPE DEVICE SIZE NODE NAME
       backdoor 2362 user1 3u  IPv4 721759      TCP  *:31337 (LISTEN)

3. Type the following command, replacing "process" with the name of the process determined in step 2:

       lsof -c process -a -d txt

4. Compare the output to the following output to find the path to the executable:

       # lsof -c backdoor -a -d txt
       COMMAND  PID  USER  FD  TYPE DEVICE SIZE  NODE  NAME
       backdoor 2362 user1 txt REG  8,1    22385 30111 /home/user1/backdoor

Because the computer may also be infected with Internet worms such as ramen, it is necessary to completely re-install the operating system.

-- Or --

If the port daemon is an application, make sure all shell meta characters are filtered out of user input, or close the port to access from untrusted networks. |
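The two lookups in the recommendation above (find the process listening on the port, then find the executable behind it, plus the inetd.conf scan) can be scripted for triage. The following POSIX sh helpers are an added example written for this entry, not code from the original advisory or the scanner vendor; the lsof output and inetd.conf lines embedded in it are constructed samples modelled on the advisory's example output, and `check_port` assumes a system lsof is installed.

```shell
#!/bin/sh
# Added example (not part of the original advisory): helpers that automate
# the lsof and inetd.conf checks from the recommendation above. The sample
# lsof output and inetd.conf content below are constructed for illustration.

# Read `lsof -i TCP:<port>` output on stdin; print "COMMAND PID" for every
# process in the LISTEN state (the header line is skipped).
listeners_from_lsof() {
    awk 'NR > 1 && $NF == "(LISTEN)" { print $1, $2 }'
}

# Read `lsof -p <pid> -a -d txt` (or `lsof -c <cmd> -a -d txt`) output on
# stdin; print the path of the executable image (FD column "txt").
exe_path_from_lsof() {
    awk 'NR > 1 && $4 == "txt" { print $NF }'
}

# Print, with line numbers, every inetd.conf entry whose server program is
# /bin/sh, /usr/bin/sh or a bash variant. Exit status 0 means at least one
# suspicious entry was found; 1 means none.
suspicious_inetd_lines() {
    grep -nE '(^|[[:space:]])(/usr)?/bin/(ba)?sh([[:space:]]|$)' "$1"
}

# Live check for one port: combine both lsof queries. Requires lsof; nothing
# is printed when no process listens on the port.
check_port() {
    port=$1
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 2; }
    lsof -nP -i TCP:"$port" 2>/dev/null | listeners_from_lsof |
    while read -r cmd pid; do
        path=$(lsof -p "$pid" -a -d txt 2>/dev/null | exe_path_from_lsof | head -n 1)
        echo "port $port: pid $pid command $cmd executable ${path:-unknown}"
    done
}

# Constructed sample data, modelled on the advisory's example output.
SAMPLE_LSOF_PORT='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
backdoor 2362 user1 3u IPv4 721759 TCP *:31337 (LISTEN)'

SAMPLE_LSOF_TXT='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
backdoor 2362 user1 txt REG 8,1 22385 30111 /home/user1/backdoor'

SAMPLE_INETD='ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
31337 stream tcp nowait root /bin/sh sh'

# Run the parsers over the constructed samples (./script.sh --demo).
demo() {
    printf '%s\n' "$SAMPLE_LSOF_PORT" | listeners_from_lsof
    printf '%s\n' "$SAMPLE_LSOF_TXT" | exe_path_from_lsof
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_INETD" > "$tmp"
    suspicious_inetd_lines "$tmp" || echo "no shell entries in inetd.conf"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On a live system, `check_port 31337` chains the two lsof queries from the procedure; note that the pattern in `suspicious_inetd_lines` deliberately matches only a shell as the server program, so legitimate entries such as a tcpd wrapper are not reported.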
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |