VID 24025
Severity 40
Port 6723, …
Protocol TCP
Class BackDoor
Detailed Description The remote host appears to be running an mstream handler, a trojan that can be used to control your system or to make it attack another network. The mstream program is a distributed denial-of-service tool based on the "stream.c" attack. The tool consists of a "handler" and an "agent". The handler is the component that controls all of the agents; an attacker connects to the handler with telnet to direct them. Communications between the client, handler, and agent are not encrypted. The distributed method of attack multiplies the load on the victim's CPU and also consumes large amounts of network bandwidth.

* References:
http://www.iss.net/security_center/static/4370.php
http://www.iss.net/security_center/alerts/advise48.php
Recommendation Locate the mstream handler or agent on the system using lsof. If you know which port the handler is listening on, lsof can map that port to the listening process and then to its executable. After locating the mstream handler or agent, kill the process and delete the executable; keep a copy of the executable and of the handler's agent list for forensic analysis before removing them. From the handler, locate the agent computers registered with it to find other systems that have been compromised. Note that the process and file names shown below ("master", /home/hero/mstream/master) are from one installation; an attacker may rename them, so rely on the listening port rather than the name.

1. To locate the mstream handler or agent on a system using lsof:

a. Type the following command with the port number ("6723") on which the handler executable is listening:

[root@mars]# lsof -i TCP:6723
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 7731 root 3u IPv4 343643 TCP *:6723 (LISTEN)

b. Type the following command with the name of process ("master") determined in step a:

[root@mars]# lsof -c master -a -d txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 7731 root txt REG 3,5 66221 2334456 /home/hero/mstream/master

2. To kill the process and delete the executable:

a. Kill the process using the 'kill' command and the process ID, "7731".
b. Delete the mstream executable, "master" (here /home/hero/mstream/master).

3. To locate all the agent machines registered to the handler:

a. Locate the file literally named "..." (three dots) or ".sr", which holds the IP addresses of all of the agents, obfuscated with a simple character substitution (digits written as the letters b through k, the dot as a backtick, and a trailing "<" on each line).
b. Recover the addresses using the following shell command (the "..." is the file name):
[root@mars]# cat ... | tr 'b-k`' '0-9.' | sed 's/<$//'

4. Contact CERT and your local authorities, so that they can take action to further prevent the attack from spreading.
Related URL CVE-2000-0138 (CVE)