Merit Joint Technical Staff
CERT Summary CS-98.05
- From: Jeff Ogden
- Date: Fri May 29 21:07:31 1998
FYI
-Jeff
>Date: Thu, 28 May 1998 20:16:25 -0400
>From: CERT Advisory <cert-advisory@cert.org>
>To: cert-advisory@coal.cert.org
>Subject: CERT Summary CS-98.05
>Reply-To: cert-advisory-request@cert.org
>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>Status: U
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>- ---------------------------------------------------------------------------
>CERT* Summary CS-98.05 - SPECIAL EDITION
>May 28, 1998
>
>
>This special edition of the CERT Summary reports new types of exploit methods
>related to those discussed in CS-98.04. Special Edition CERT Summary CS-98.04
>is available at
>
> ftp://ftp.cert.org/pub/cert_summaries/CS-98.04
>
>All of these attacks occur on machines running "named" (domain name server
>software, part of BIND).
>
>
>Past CERT Summaries are available from
> ftp://ftp.cert.org/pub/cert_summaries/
>- ---------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports of new kinds of intruder
>activity indicating that intruders are targeting machines running vulnerable
>versions of "named" (domain name server software that is part of
>BIND). Thousands of sites running unpatched, vulnerable versions of "named"
>are known to have been compromised through exploit methods discussed here and
>in CS-98.04.
>
>Most of the compromised machines reported to us have been Intel-based machines
>running Linux; however, machines of other architectures running vulnerable
>versions of "named" have had their "named" processes crash.
>
>While intruders appear to be using tools that exploit this vulnerability on
>Intel-based machines, it would not be difficult for intruders to adapt
>existing tools to exploit the vulnerability on other architectures.
>
>We encourage you to review CERT Advisory CA-98.05, which describes the BIND
>inverse query vulnerability that is being exploited, and to apply the
>appropriate patches if you have not done so already. The advisory is available
>at
>
> http://www.cert.org/advisories/CA-98.05.bind_problems.html
>
>Since the creation of the CERT/CC nearly 10 years ago, part of our mission has
>been and is to facilitate communications between affected sites and law
>enforcement agencies. The CERT/CC has been informed by the FBI (Federal Bureau
>of Investigation) that they are actively investigating compromises related to
>this special edition CERT summary. The FBI is seeking information from
>affected sites on the exploitation of these vulnerabilities. If you would like
>to report activities at your site to the FBI, please contact the FBI at
>
> phone: +1 202 324 6715
> email: nipc.watch@fbi.gov
>
>or the CERT/CC.
>
>Description of New Attack Methods
>- ---------------------------------
>In addition to the current attacks described in CS-98.04, other toolkits have
>been discovered, including one with the potential to be self-replicating. The
>self-replicating tool does not replicate by default.
>
>Sites that have applied patches or upgraded to a version of "named" that is
>not vulnerable to the inverse query vulnerability (described in CA-98.05) are
>not vulnerable to this attack method.
>
>Currently, this toolkit attempts to compromise a machine using the bind
>inverse query vulnerability. If the exploitation attempt is successful, it can
>
> - Create a blank line in the password file and add the user
> "w0rm" to the password file (with no password)
>
> - Create a root setuid version of the shell (/bin/sh)
> in /tmp/.w0rm
>
> - Remove the file /etc/hosts.deny
>
> - Restart "named" (because the exploit of the buffer overflow
> will cause "named" to crash)
>
> - Create the file /tmp/.X11x with an html page. The toolkit
> also attempts to look for index.html files located on the
> file system of the compromised machine and attempts to
> alter them. This attempt fails in the toolkit as it is
> currently distributed.
>
> - Create the directory /tmp/.w0rm0r and the file /tmp/w0rmishere
>
> - Get the tar file called ADMw0rm.tgz via ftp from the
> previously compromised machine, unpack it, and place it in
> /tmp/.w0rm0r.
>
> - Execute the ADMw0rm command from the downloaded archive
>
> - Send via email the IP address of the local machine to
> an external email address
>
> - Remove any logs located in /var/log/* and the file /tmp/.w0rm
>
>The order in which these steps are performed might vary, and all steps might
>not be performed in all compromises.
>
>In other attack methods, we are seeing intruders compromise machines running
>vulnerable versions of "named"; as part of the exploit they open xterm windows
>from the compromised machine, displaying back to the intruder's machine. The
>intruder then has a privileged interactive session on the compromised machine.
>
>What to Look for
>- ----------------
>In addition to the items listed in CERT Summary CS-98.04, you should look for
>the following to help you detect this specific activity:
>
> - Accounts and blank lines added to the password file
>
> - Logins to unauthorized accounts (accounts created by the
> intruder)
>
> - The deletion of log files or the hosts.deny file
>
> - Crashes or restarts of "named"
>
> - The existence of the files or directories:
> /tmp/.w0rm
> /tmp/.w0rm0r
> /tmp/w0rmishere
> ADMw0rm.tgz
>
> - Unauthorized replacement of index.html files
>
> - xterm connections originating from internal machines
> displaying on remote machines
>
>If you determine that your systems might have been root compromised as a
>result of this activity, we recommend that you disconnect the affected host
>from the network and encourage you to refer to the "Recovering from an
>Incident" web page available at
>
> http://www.cert.org/nav/recovering.html
>
>
>- ---------------------------------------------------------------------------
>How to Contact the CERT Coordination Center
>
>Email cert@cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST
> (GMT-5)/EDT(GMT-4), and are on call for
> emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>To be added to our mailing list for CERT advisories and bulletins, send your
>email address to
> cert-advisory-request@cert.org
>In the subject line, type
> SUBSCRIBE your-email-address
>
>CERT advisories and bulletins are posted on the USENET news group
> comp.security.announce
>
>CERT publications, information about FIRST representatives, and other
>security-related information are available for anonymous FTP from
> http://www.cert.org/
> ftp://ftp.cert.org/pub/
>
>If you wish to send sensitive incident or vulnerability information to CERT
>staff by electronic mail, we strongly advise you to encrypt your message.
>We can support a shared DES key or PGP. Contact the CERT staff for more
>information.
>
>Location of CERT PGP key
> ftp://ftp.cert.org/pub/CERT_PGP.key
>
>- ---------------------------------------------------------------------------
>
>Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
>and sponsorship information can be found in
>http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
>If you do not have FTP or web access, send mail to cert@cert.org with
>"copyright" in the subject line.
>
>* CERT is registered in the U.S. Patent and Trademark Office.
>
>
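The "What to Look for" list above can be turned into a read-only host check. The script below is an added example, not part of the CERT summary or the Merit list post; it assumes a prefix argument (default "", i.e. the live root) so the same checks can be run against a mounted disk image, and it only reports, never changes anything.

```shell
#!/bin/sh
# Added example (not from the CERT summary): read-only checks for the host
# indicators CS-98.05 lists. The prefix argument is an assumed helper; "" means
# the live root, a mount point lets the checks run over an image instead.

# Password file: blank lines and a passwordless or "w0rm" entry. Returns 1 on findings.
check_passwd() {
    pw="$1/etc/passwd"; hits=0
    [ -r "$pw" ] || { echo "NOTE: cannot read $pw"; return 0; }
    if grep -q '^$' "$pw"; then
        echo "FINDING: blank line(s) in $pw at line(s): $(grep -n '^$' "$pw" | cut -d: -f1 | tr '\n' ' ')"
        hits=1
    fi
    # Any real entry named w0rm, or any entry with an empty password field.
    if awk -F: 'NF > 1 && ($1 == "w0rm" || $2 == "") { f = 1; print "FINDING: suspicious entry: " $0 }
                END { exit !f }' "$pw"; then
        hits=1
    fi
    return $hits
}

# Toolkit files, the setuid shell copy, a removed hosts.deny and an emptied
# /var/log. Returns 1 on findings.
check_artifacts() {
    r="$1"; hits=0
    for p in /tmp/.w0rm /tmp/.w0rm0r /tmp/w0rmishere /tmp/.X11x; do
        [ -e "$r$p" ] && { echo "FINDING: toolkit artifact present: $p"; hits=1; }
    done
    [ -u "$r/tmp/.w0rm" ] && { echo "FINDING: /tmp/.w0rm is setuid (backdoor shell)"; hits=1; }
    tgz=$(find "$r/tmp" -name ADMw0rm.tgz 2>/dev/null)
    [ -n "$tgz" ] && { echo "FINDING: toolkit archive found: $tgz"; hits=1; }
    [ -d "$r/etc" ] && [ ! -e "$r/etc/hosts.deny" ] && { echo "FINDING: /etc/hosts.deny is missing"; hits=1; }
    [ -d "$r/var/log" ] && [ -z "$(ls -A "$r/var/log")" ] && { echo "FINDING: /var/log has been emptied"; hits=1; }
    return $hits
}

# Run both checks against the live root (or $ROOT if set) and summarize.
status=0
check_passwd "${ROOT:-}" || status=1
check_artifacts "${ROOT:-}" || status=1
[ "$status" -eq 0 ] && echo "no CS-98.05 indicators found" || echo "indicators found; see CA-98.05 and the recovery page"
```

A hit on any of these is a reason to treat the host as compromised and follow the disconnect-and-recover advice above rather than to clean up individual files.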