******************************************************************************
             ------               -----   -----  ---     -----
             |      ----- ----   |          |    |  |   |
             |---   |     |   |  |          |    |  |   |
             |      |--   |   |  |          |    |--    |
             |      |     |   |  |          |    | \    |
             |      ----- ----    -----   -----  |  \    -----

                               A D V I S O R Y

				  FA-98.34
******************************************************************************
Topic: Update on Increasing Attacks On Machines Running "named"
Source: CERT/CC

Creation Date: May 28, 1998
Last Updated:


To aid in the wide distribution of essential security information, FedCIRC is
forwarding the following information from CERT/CC Summary CS-98.05 SPECIAL
EDITION. FedCIRC urges you to act on this information as soon as possible.

If you have any questions, please contact FedCIRC:

        Telephone:      +1 888 282 0870
        Email:          fedcirc@fedcirc.gov



=======================FORWARDED TEXT STARTS HERE============================


---------------------------------------------------------------------------
CERT* Summary CS-98.05 - SPECIAL EDITION
May 28, 1998


This special edition of the CERT Summary reports new types of exploit methods
related to those discussed in CS-98.04. Special Edition CERT Summary CS-98.04
is available at

    ftp://ftp.cert.org/pub/cert_summaries/CS-98.04

All of these attacks occur on machines running "named" (domain name server
software, part of BIND).


Past CERT Summaries are available from 
     ftp://ftp.cert.org/pub/cert_summaries/
---------------------------------------------------------------------------

The CERT Coordination Center has received reports of new kinds of intruder
activity indicating that intruders are targeting machines running vulnerable
versions of "named" (domain name server software that is part of
BIND). Thousands of sites running unpatched, vulnerable versions of "named"
are known to have been compromised through exploit methods discussed here and
in CS-98.04.

Most of the compromised machines reported to us have been Intel-based machines
running Linux; however, machines of other architectures running vulnerable
versions of "named" have had their "named" processes crash.

While intruders appear to be using tools that exploit this vulnerability on
Intel-based machines, it would not be difficult for intruders to adapt
existing tools to exploit the vulnerability on other architectures.

We encourage you to review CERT Advisory CA-98.05, which describes the BIND
inverse query vulnerability that is being exploited, and to apply the
appropriate patches if you have not done so already. The advisory is available
at

    http://www.cert.org/advisories/CA-98.05.bind_problems.html

Since the creation of the CERT/CC nearly 10 years ago, part of our mission has
been and is to facilitate communications between affected sites and law
enforcement agencies. The CERT/CC has been informed by the FBI (Federal Bureau
of Investigation) that they are actively investigating compromises related to
this special edition CERT summary. The FBI is seeking information from
affected sites on the exploitation of these vulnerabilities. If you would like
to report activities at your site to the FBI, please contact the FBI at

	phone:	+1 202 324 6715
	email:	nipc.watch@fbi.gov

or the CERT/CC.

Description of New Attack Methods
---------------------------------
In addition to the current attacks described in CS-98.04, other toolkits have
been discovered, including one with the potential to be self-replicating. The
self-replicating tool does not replicate by default.

Sites that have applied patches or upgraded to a version of "named" that is
not vulnerable to the inverse query vulnerability (described in CA-98.05) are
not vulnerable to this attack method.

Currently, this toolkit attempts to compromise a machine using the BIND
inverse query vulnerability. If the exploitation attempt is successful, it can

     -  Create a blank line in the password file and add the user
        "w0rm" to the password file (with no password)

     -  Create a root setuid version of the shell (/bin/sh)
        in /tmp/.w0rm 

     -  Remove the file /etc/hosts.deny 

     -  Restart "named" (because the exploit of the buffer overflow
        will cause "named" to crash)

     -  Create the file /tmp/.X11x with an html page. The toolkit
        also attempts to look for index.html files located on the
        file system of the compromised machine and attempts to 
        alter them. This attempt fails in the toolkit as it is 
        currently distributed.

     -  Create the directory /tmp/.w0rm0r and the file /tmp/w0rmishere

     -  Get the tar file called ADMw0rm.tgz via ftp from the
        previously compromised machine, unpack it, and place it in
        /tmp/.w0rm0r.

     -  Execute the ADMw0rm command from the downloaded archive

     -  Send via email the IP address of the local machine to
        an external email address

     -  Remove any logs located in /var/log/* and the file /tmp/.w0rm

The order in which these steps are performed might vary, and all steps might
not be performed in all compromises.

In other attack methods, we are seeing intruders compromise machines running
vulnerable versions of "named"; as part of the exploit they open xterm windows
from the compromised machine, displaying back to the intruder's machine. The
intruder then has a privileged interactive session on the compromised machine.

What to Look for
----------------
In addition to the items listed in CERT Summary CS-98.04, you should look for
the following to help you detect this specific activity:

      - Accounts and blank lines added to the password file

      - Logins to unauthorized accounts (accounts created by the
        intruder)

      - The deletion of log files or the hosts.deny file

      - Crashes or restarts of "named"

      - The existence of the files or directories:
                /tmp/.w0rm
                /tmp/.w0rm0r
                /tmp/w0rmishere
                ADMw0rm.tgz

      - Unauthorized replacement of index.html files

      - xterm connections originating from internal machines
        displaying on remote machines
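The password-file and file-system indicators above, turned into a host check, as an added example that is not part of the advisory. The function names check_passwd and check_files and the ROOT prefix argument (so a mounted copy of a suspect disk can be examined instead of the live host) are assumptions.

```shell
#!/bin/sh
# Added example (not from the CERT/FedCIRC advisory): check a host, or a copy
# of its filesystem mounted under ROOT, for the indicators listed above.
# check_passwd FILE and check_files ROOT are assumed names; each prints every
# finding and returns 1 if anything suspicious was found, 0 otherwise.

check_passwd() {
    file="$1"
    found=0
    # the toolkit inserts a blank line into the password file
    if grep -q '^$' "$file"; then
        echo "blank line in $file"
        found=1
    fi
    # the "w0rm" account it adds (with no password), plus any other
    # account whose password field is empty
    while IFS=: read -r user pass _; do
        if [ -n "$user" ] && { [ "$user" = w0rm ] || [ -z "$pass" ]; }; then
            echo "suspicious account '$user' (password field '$pass') in $file"
            found=1
        fi
    done < "$file"
    return "$found"
}

check_files() {
    root="${1:-}"
    found=0
    # files and directories the toolkit creates
    for f in tmp/.w0rm tmp/.w0rm0r tmp/w0rmishere tmp/.X11x; do
        if [ -e "$root/$f" ]; then
            echo "artifact present: $root/$f"
            found=1
        fi
    done
    # the downloaded archive may sit anywhere under /tmp
    if [ -d "$root/tmp" ] && [ -n "$(find "$root/tmp" -name ADMw0rm.tgz 2>/dev/null)" ]; then
        echo "ADMw0rm.tgz found under $root/tmp"
        found=1
    fi
    # the toolkit deletes /etc/hosts.deny; its absence deserves a look
    if [ ! -e "$root/etc/hosts.deny" ]; then
        echo "$root/etc/hosts.deny is missing"
        found=1
    fi
    return "$found"
}
```

The login and "named" restart indicators are left to the system's own logs, and since the toolkit removes /var/log/* on the live host, a mounted copy or remote syslog is the more reliable source for them.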

If you determine that your systems might have been root compromised as a
result of this activity, we recommend that you disconnect the affected host
from the network and encourage you to refer to the "Recovering from an
Incident" web page available at

        http://www.cert.org/nav/recovering.html


---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org 

Phone    +1 412-268-7090 (24-hour hotline) 
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours. 

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to 
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information. 

Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.
 
* CERT is registered in the U.S. Patent and Trademark Office.



========================FORWARDED TEXT ENDS HERE=============================

The National Institute of Standards and Technology (NIST) has
established a Federal Computer Incident Response Capability (FedCIRC)
to assist federal civilian agencies in their incident handling
efforts by providing proactive and reactive computer security related
services.  FedCIRC is a partnership among NIST, the Computer Incident
Advisory Capability (CIAC), and the CERT* Coordination Center
(CERT/CC).

If you believe that your system has been compromised, please contact
FedCIRC: 

        Telephone:      +1 888 282 0870
        Email:          fedcirc@fedcirc.gov
        Web Server:     http://www.fedcirc.gov/

* Registered in U.S. Patent and Trademark Office
 
The CERT Coordination Center is part of the Software Engineering
Institute.  The Software Engineering Institute is sponsored by the
U.S. Department of Defense.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
 
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.