VID 24024
Severity 40
Port 7983, ...
Protocol UDP
Class BackDoor
Detailed Description The remote host appears to be running an mstream agent, a trojan that can be used to control your system or make it attack another network. mstream is a distributed denial-of-service tool based on the "stream.c" attack. The tool consists of a "handler" and an "agent": the handler controls all of the agents, and an attacker connects to the handler using telnet to direct them. Communications between the client, handler, and agent are not encrypted. The distributed method of attack multiplies the effect on the CPU, as well as consuming large amounts of network bandwidth.

* References:
http://www.iss.net/security_center/static/4370.php
http://www.iss.net/security_center/alerts/advise48.php
Recommendation Locate the mstream agent on a system by using lsof. If you know which port the agent is listening on, you can use lsof to identify the process and then locate its executable. After locating the mstream agent, kill the process and delete the executable.

1. To locate the mstream agent on a system using lsof:

a. Type the following command with the port number ("7983") on which the agent executable is listening:

[root@mars]# lsof -i UDP:7983
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
server 7601 root 3u IPv4 343530 UDP *:7983

b. Type the following command with the name of the process ("server") determined in step a:

[root@mars]# lsof -c server -a -d txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
server 7601 root txt REG 3,5 44775 2334461 /home/hero/mstream/server

2. To kill the process and delete the executable:

a. Kill the process using the 'kill' command and the process ID, "7601".
b. Delete the mstream executable, "server".

3. Contact CERT and your local authorities, so that they can take action to further prevent the attack from spreading.
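As an added example (not part of this entry or of any scanner tooling), the POSIX shell script below automates steps 1a and 1b: it parses the two lsof listings to recover the PID of whatever is bound to the given UDP port and the path of that process's executable, then prints the kill and delete commands for an operator to review. It assumes the lsof column layout shown above; the two listings embedded in it are constructed to mirror this entry's output, so it runs without lsof or a live agent.

```shell
#!/bin/sh
# Constructed sample of `lsof -i UDP:7983` output (header + one UDP socket).
SAMPLE_LISTEN='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
server 7601 root 3u IPv4 343530 UDP *:7983'

# Constructed sample of `lsof -c server -a -d txt` output. The "txt" FD is
# the program text mapping, so its NAME column is the executable path.
SAMPLE_TXT='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
server 7601 root txt REG 3,5 44775 2334461 /home/hero/mstream/server'

# listener_pids PORT: read an `lsof -i` listing on stdin and print
# "COMMAND PID" for every UDP entry whose NAME column ends in ":PORT".
# With live lsof, use `lsof -nP -i UDP:PORT` so the port stays numeric.
listener_pids() {
    awk -v port="$1" \
        'NR > 1 && $(NF-1) == "UDP" && $NF ~ (":" port "$") { print $1, $2 }'
}

# exe_path PID: read an `lsof -d txt` listing on stdin and print the
# executable path (last column) of the txt entry belonging to PID.
exe_path() {
    awk -v pid="$1" 'NR > 1 && $2 == pid && $4 == "txt" { print $NF; exit }'
}

# response_plan PORT LISTEN_LISTING TXT_LISTING: chain both steps and print,
# for each process bound to PORT, the kill and rm commands to review before
# running them. Returns 1 when nothing is bound to PORT.
response_plan() {
    port="$1"; listen="$2"; txt="$3"
    plan=$(printf '%s\n' "$listen" | listener_pids "$port" |
        while read -r cmd pid; do
            path=$(printf '%s\n' "$txt" | exe_path "$pid")
            # Placeholder marks a PID whose executable could not be resolved.
            printf 'kill %s  # %s\nrm -f %s\n' "$pid" "$cmd" \
                "${path:-PATH_NOT_FOUND}"
        done)
    [ -n "$plan" ] || return 1
    printf '%s\n' "$plan"
}

# Stand-alone run against the constructed listings for the port in this entry.
response_plan 7983 "$SAMPLE_LISTEN" "$SAMPLE_TXT"
```

On a live system, feed `lsof -nP -i UDP:7983` and `lsof -c <command> -a -d txt` output into the same functions; verify the reported path before deleting anything, since the agent's executable name is chosen by the attacker.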
Related URL CVE-2000-0138 (CVE)