LOKI ICMP tunneling back door

loki (1452) The risk level is classified as HighHigh Risk


LOKI is a client/server program published in the online publication Phrack. This program is a working proof-of-concept to demonstrate that data can be transmitted somewhat secretly across a network by hiding it in traffic that normally does not contain payloads. The example code can tunnel the equivalent of a Unix RCMD/RSH session in either ICMP echo request (ping) packets or UDP traffic to the DNS port. This is used as a back door into a Unix system after root access has been compromised. Presence of LOKI on a system is evidence that the system has been compromised in the past.


Gain Access


If the LOKI attack is crossing a perimeter router or firewall, add a rule that blocks all ICMP traffic entering your network.

To determine if LOKI is running, look for programs that have an ICMP raw socket open. This can be done from a root shell on Linux with a command similar to: "netstat -a -n -w" If you see something like this:

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
raw 0 0*
raw 0 0*
raw 0 0*

Some process has an ICMP raw socket open on the system, which might be indicative of a LOKI daemon. Also look for, which might indicate a loki daemon running in UDP mode. For Solaris, the command would be netstat -a -n -P icmp. Next, identify the loki server and kill the process. To kill the process, choose one of the following commands:

Linux: ps -aux -w | grep "root"
Solaris: /usr/ucb/ps -aux -w | grep "root"

The default name is lokid, but this name could easily be changed to another name by an attacker. An active installation of lokid will often result in many zombie copies of the process left around, due to bugs in the program. This can be used as a clue.


Platforms Affected:

  • FreeBSD FreeBSD 2.1.0
  • FreeBSD FreeBSD 2.1.5
  • FreeBSD FreeBSD 2.1.6
  • FreeBSD FreeBSD
  • FreeBSD FreeBSD 2.1.7
  • FreeBSD FreeBSD
  • Linux Kernel 2.0
  • OpenBSD OpenBSD 2.1
  • Sun Solaris 1.0
  • Sun Solaris 2.6


Sep 01, 1997

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page