• The server is communicating in an unusual manner with an internal client on a port that has previously shown a stable pattern for requests and responses
  • The request received by the server and the response sent by it don’t conform to any of the previously observed patterns

Possible Root Causes

  • The server has been compromised and the port has been hijacked to enable communication to the compromised part of the system without requiring a new port to be utilized for the communication
  • The client or the server has been recently upgraded and the pattern of use on the server port has changed
  • The client which triggered the detection has an unusual configuration in that it communicates with the port on this server in a manner unlike all the other observed communication on the port

Business Impact

  • Port hijacking is a technique attackers use to enable communication to a compromised server without raising alarms which may go off when a new port is used on an existing server
  • Compromised servers are often more valuable than compromised laptops as they remain on the network at all times and are often located in the data center where most of an organization’s important data resides

Steps to Investigate

  1. See if the pattern of the flagged request and response represent acceptable deviations from the normal patterns or are significant departures such as binary data in an otherwise character-based protocol
  2. Inquire whether the software which emitted the request on the client has recently been updated as this may cause detections for a short period of time after the update
  3. Inquire whether the software on this server which responded to the request has recently been updated as this may cause detections for a short period of time after the update
  4. This type of backdoor is most likely to be in a kernel module, so produce a list of all installed kernel modules and verify against list of good known kernel modules
  5. If the changed pattern remains unexplained, boot the client and server using a known good image on a USB device, then mount the local drive and scan it for signs of compromise