Copyright 2022 - CSIM - Asian Institute of Technology

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


May 21, 1998

This special edition of the CERT Summary reports increasing attacks on
machines running "named" (domain name server software, part of BIND).

Past CERT Summaries are available from

- ---------------------------------------------------------------------------
The CERT Coordination Center has received reports of increasing
intruder activity indicating that intruders are targeting machines
running vulnerable versions of "named" (domain name server software
that is part of BIND).  Many sites running unpatched, vulnerable
versions of "named" have been compromised.

We encourage you to review CERT Advisory CA-98.05, which describes the
BIND buffer overflow vulnerability that is being exploited, and to
apply the appropriate patches if you have not done so already.  The
advisory is available at

Some operating system distributions have the vulnerable version of
"named" installed and enabled by default.  When you are installing an
operating system on a machine, ensure that the version of the
operating system you use contains a patch for this problem; if your
operating system is vulnerable and does not contain a patch,
immediately apply the patch after you install the operating system.
For more information about which operating systems have vulnerable
versions of "named", see CA-98.05.

Increasing Intruder Activity
- ----------------------------
Intruders are increasingly scanning networks for machines running
vulnerable versions of "named".  This increased activity in "named" is
consistent with trends we have seen with previous vulnerabilities; in
these cases, intruders have launched widespread scans to look for
machines running vulnerable IMAP servers or web servers with the "phf"
vulnerability, and then exploited the vulnerability on those machines.

While we have had many reported incidents involving the exploitation
of "named", at least one incident appears to involve widespread
attacks against authoritative domain name servers.

Description of Some Current Attacks
- -----------------------------------
In some incidents reported to us, it appears that after the "named"
server is compromised, the intruder runs a script that

    - telnets to another host (potentially the host launching the
      attack) on port 666
    - obtains an intruder tool archive named "hide" via ncftp or ftp
    - unpacks and installs the contents of the "hide" archive

This "hide" archive includes the following Trojan horse programs:


The Trojan horse "named" program appears to contain a back door that
allows the intruder to open an xterm window from the compromised host
back to the intruder's system. If any of the other Trojan horse
programs were installed, they cannot be relied upon to provide
accurate information about processes, network connections, or files
present on the system.

The "hide" archive also contains several other intruder tools and
configuration files including


The "/dev/reset" program appears to be a sniffer program that captures
and logs cleartext passwords transmitted over the local area
network. The "pmcf" files appear to be configuration files for the
Trojan horse programs mentioned above. "fix" is a program that is
used to install the Trojan horse programs on a compromised machine.
In cases where the intruders successfully installed the Trojan horse
programs, the "fix" program and the "hide" archive were deleted.

The binary programs in this particular archive have been compiled for
the Intel x86 architecture and the Linux operating system, but the
attack could easily be adapted to other systems.

Vulnerable "named" servers other than ones on Linux may abort and dump
core if an intruder attempts to use the specific exploit designed for
the Intel x86 architecture.  This means that a core file for a domain
name server may indicate a specific failed attempt to compromise the
domain name server, but the domain name server could still be successfully
compromised with the use of a different intruder exploit script.

Look for Compromise on Your Systems
- -----------------------------------
To determine whether or not your system has been compromised by an
intruder, we encourage you to follow the steps identified in our
Intruder Detection Checklist, available at

Suggestions for detecting this specific activity include

  - Compare the MD5 checksums for the files listed above with the
    MD5 checksums from versions that are known to be correct.

  - Look for the sniffer program "/dev/reset", the "/dev/pmcf*"
    configuration files and the sniffer output file, which in many
    incidents has been "/usr/lib/libsn.a".

  - Check to see if your system log contains messages like

       May  1 11:28:49  named[28464]: starting.  named
         LOCAL-980501.020913 Fri May  1 02:09:13 EDT 1998

    This message may indicate that you are running a Trojan horse
    version of "named".

  - Investigate any unexpected crashes or restarts of the named and
    "inetd" daemons occurring recently, especially since April 27,
    1998. The intruder's installation script kills these daemons
    and then restarts them with the new Trojan horse versions.

  - Examine core dumps from recently crashed "named" servers. Some of
    the sites attacked have reported that their core files contain
    portions of the exploit script used in this attack. Sites that have
    reported such crashes appear to be running operating systems other
    than Linux. In these cases, it is possible that the intruder was
    not successful in compromising the machine.  However, the "named"
    server is still potentially vulnerable and could be compromised
    successfully in a different attempt.

  - The .ncftp file in root's home directory may contain information
    showing unexpected ftp file transfers.

If you determine that your systems may have been root compromised as a result
of this activity, we encourage you to refer to the "Recovering from an
Incident" web page available at

- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    This email address is being protected from spambots. You need JavaScript enabled to view it.

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer on business days
                8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
                and are on call for emergencies during
                other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        This email address is being protected from spambots. You need JavaScript enabled to view it.
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more

Location of CERT PGP key

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in and .
If you do not have FTP or web access, send mail to This email address is being protected from spambots. You need JavaScript enabled to view it. with
"copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.

Version: 2.6.2


Powered by: MHonArc

Login Form


School of Engineering and technologies     Asian Institute of Technology