Archive of CERT general posting, CERT Summary CS-98.04

22/05/98, CERT Summary CS-98.04
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@coal.cert.org
Subject: CERT Summary CS-98.04
From: CERT Advisory <cert-advisory@cert.org>
Date: Thu, 21 May 1998 15:34:40 -0400
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org

-----BEGIN PGP SIGNED MESSAGE-----

CERT* Summary CS-98.04 - SPECIAL EDITION
May 21, 1998


This special edition of the CERT Summary reports increasing attacks on
machines running "named" (domain name server software, part of BIND).

Past CERT Summaries are available from
     ftp://ftp.cert.org/pub/cert_summaries/

- ---------------------------------------------------------------------------
The CERT Coordination Center has received reports of increasing
intruder activity indicating that intruders are targeting machines
running vulnerable versions of "named" (domain name server software
that is part of BIND).  Many sites running unpatched, vulnerable
versions of "named" have been compromised.

We encourage you to review CERT Advisory CA-98.05, which describes the
BIND buffer overflow vulnerability that is being exploited, and to
apply the appropriate patches if you have not done so already.  The
advisory is available at

    http://www.cert.org/advisories/CA-98.05.bind_problems.html

Some operating system distributions have the vulnerable version of
"named" installed and enabled by default.  When you are installing an
operating system on a machine, ensure that the version of the
operating system you use contains a patch for this problem; if your
operating system is vulnerable and does not contain a patch,
immediately apply the patch after you install the operating system.
For more information about which operating systems have vulnerable
versions of "named", see CA-98.05.


Increasing Intruder Activity
- ----------------------------
Intruders are increasingly scanning networks for machines running
vulnerable versions of "named".  This increased activity in "named" is
consistent with trends we have seen with previous vulnerabilities; in
these cases, intruders have launched widespread scans to look for
machines running vulnerable IMAP servers or web servers with the "phf"
vulnerability, and then exploited the vulnerability on those machines.

While we have had many reported incidents involving the exploitation
of "named", at least one incident appears to involve widespread
attacks against authoritative domain name servers.


Description of Some Current Attacks
- -----------------------------------
In some incidents reported to us, it appears that after the "named"
server is compromised, the intruder runs a script that

    - telnets to another host (potentially the host launching the
      attack) on port 666
    - obtains an intruder tool archive named "hide" via ncftp or ftp
    - unpacks and installs the contents of the "hide" archive

This "hide" archive includes the following Trojan horse programs:

    ifconfig
    inetd
    ls
    named
    netstat
    ps
    pstree
    syslogd
    tcpd
    top

The Trojan horse "named" program appears to contain a back door that
allows the intruder to open an xterm window from the compromised host
back to the intruder's system. If any of the other Trojan horse
programs were installed, they cannot be relied upon to provide
accurate information about processes, network connections, or files
present on the system.

The "hide" archive also contains several other intruder tools and
configuration files including

    /dev/reset
    /dev/pmcf1
    /dev/pmcf2
    /dev/pmcf3
    /dev/pmcf4
    fix

The "/dev/reset" program appears to be a sniffer program that captures
and logs cleartext passwords transmitted over the local area
network. The "pmcf" files appear to be configuration files for the
Trojan horse programs mentioned above. "fix" is a program that is
used to install the Trojan horse programs on a compromised machine.
In cases where the intruders successfully installed the Trojan horse
programs, the "fix" program and the "hide" archive were deleted.

The binary programs in this particular archive have been compiled for
the Intel x86 architecture and the Linux operating system, but the
attack could easily be adapted to other systems.

Vulnerable "named" servers other than ones on Linux may abort and dump
core if an intruder attempts to use the specific exploit designed for
the Intel x86 architecture.  This means that a core file for a domain
name server may indicate a specific failed attempt to compromise the
domain name server, but the domain name server could still be successfully
compromised with the use of a different intruder exploit script.


Look for Compromise on Your Systems
- -----------------------------------
To determine whether or not your system has been compromised by an
intruder, we encourage you to follow the steps identified in our
Intruder Detection Checklist, available at

   ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

Suggestions for detecting this specific activity include

  - Compare the MD5 checksums for the files listed above with the
    MD5 checksums from versions that are known to be correct.

  - Look for the sniffer program "/dev/reset", the "/dev/pmcf*"
    configuration files and the sniffer output file, which in many
    incidents has been "/usr/lib/libsn.a".

  - Check to see if your system log contains messages like

       May  1 11:28:49  named[28464]: starting.  named
         LOCAL-980501.020913 Fri May  1 02:09:13 EDT 1998
         ^Iroot@:/usr/lib/tntbot/bind/named

    This message may indicate that you are running a Trojan horse
    version of "named".

  - Investigate any unexpected crashes or restarts of the named and
    "inetd" daemons occurring recently, especially since April 27,
    1998. The intruder's installation script kills these daemons
    and then restarts them with the new Trojan horse versions.

  - Examine core dumps from recently crashed "named" servers. Some of
    the sites attacked have reported that their core files contain
    portions of the exploit script used in this attack. Sites that have
    reported such crashes appear to be running operating systems other
    than Linux. In these cases, it is possible that the intruder was
    not successful in compromising the machine.  However, the "named"
    server is still potentially vulnerable and could be compromised
    successfully in a different attempt.

  - The .ncftp file in root's home directory may contain information
    showing unexpected ftp file transfers.

If you determine that your systems may have been root compromised as a result
of this activity, we encourage you to refer to the "Recovering from an
Incident" web page available at

        http://www.cert.org/nav/recovering.html

- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer on business days
                8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
                and are on call for emergencies during
                other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNWR4gnVP+x0t4w7BAQF/wQP/QxT1ZApG3SLWndRQ0svlEFV5OVo22bWX
H+61HPAn7h5dLsk1hMzer5Nvi1SpOT2aT9gFtb4tTHiaJ/E9NazWB2QBSXNDhMEz
p5+rbSiPvEsbRjysRQhzaG6GC2bib7tsaozGUka/XAKEjtJeJxzlZk++9AFkvtMp
QQzljs3cPd4=
=iQy0
-----END PGP SIGNATURE-----



Previous message sorted by date: CERT Summary CS-98.03
Next message sorted by date: CERT Summary CS-98.05
Previous message sorted by thread: CERT Summary CS-98.03
Next message by thread: CERT Summary CS-98.05
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Feb 2000