Hacker Program Found
CAN 1999-0660
Impact
This warning indicates that a hacker may have gained unauthorized access to a
target system and has installed BNC, a program designed to proxy
IRC (Internet Relay Chat) sessions.
Background
This warning refers to a hacker program called BNC, which is a simple
program designed to proxy IRC sessions. It is configured through
the file BNC.conf and supports multiple users, passwords
and other basic necessities. Often, hackers put this program on a
compromised machine, and usually disguise the executable by giving
it a name other than BNC. Names commonly used include
-tcsh, pine and lpd.
These names are chosen so that they do not stand out in a process
status listing and alert a system administrator or user: they are
usually valid process names, and there are often many instances of
these processes running. Other names used include
a and b. Hackers use this program to
"chat" with other hackers. It is popular among hackers because it is an
easy medium in which to spread ideas and "hacks" (vulnerabilities that
may be exploited).
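The disguise described above works only against a listing of process names, so one check is to compare each displayed name with the executable actually behind it. The following Python is an added example, not part of the original advisory; SYSTEM_DIRS and the sample records are assumptions constructed for illustration, and the live scan relies on Linux /proc.

```python
import os

# Names the advisory lists as common disguises for the BNC executable.
WATCHED = {"tcsh", "pine", "lpd", "a", "b"}
# Assumption: directories where the genuine binaries live on this host.
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")

def review(pid, argv0, exe):
    """Return a finding for a watched name whose binary does not check out."""
    name = os.path.basename(argv0.lstrip("-"))  # "-tcsh" is a login-shell tcsh
    if name not in WATCHED:
        return None
    if exe.endswith(" (deleted)"):  # Linux marks binaries unlinked after start
        return (pid, name, exe, "binary removed from disk while running")
    if os.path.basename(exe) != name:
        return (pid, name, exe, "process name does not match executable")
    if os.path.dirname(exe) not in SYSTEM_DIRS:
        return (pid, name, exe, "executable outside system directories")
    return None

def find_disguised(procs):
    """Apply review() to (pid, argv0, exe) records and keep the findings."""
    return [f for f in (review(*p) for p in procs) if f]

def live_processes():
    """Yield (pid, argv0, exe) from Linux /proc, skipping unreadable entries."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:  # kernel thread, exited process, or no permission
            continue
        if argv0:
            yield int(entry), argv0, exe

# Constructed sample records (pid, argv[0], target of /proc/<pid>/exe).
SAMPLE = [
    (101, "-tcsh", "/bin/tcsh"), (202, "-tcsh", "/home/guest/.x/bnc"),
    (303, "pine", "/tmp/pine"), (404, "lpd", "/usr/sbin/lpd"),
    (505, "a", "/var/tmp/a (deleted)"), (606, "sshd", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    source = live_processes() if os.path.isdir("/proc/self") else SAMPLE
    for finding in find_disguised(source):
        print(finding)
```

Run it as root so that /proc/<pid>/exe is readable for every process; a finding is a reason to inspect the process, not proof that it is BNC.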
The Problem
This warning does not point out a vulnerability in and of itself. However, it
does indicate that the target system may have been compromised, and that a
vulnerability may exist on the system. In order to run the BNC
program, a hacker must have interactive access to the target system.
Resolution
The first step is to kill the BNC program. The next step is
to search the system for evidence of a hacker's presence. After determining that
a hacker is not currently accessing the system, run a full check of the system
to determine how the hacker gained access and eliminate any existing vulnerabilities.
Where can I read more about this?
For general information on the BNC program, see the
BNC homepage.