Pages in the Historical section of this site are provided for historical purposes; they are no longer maintained. Links may not work.

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Systems Compromised Through a Vulnerability in am-utils

Updated: December 9, 1999 (Added information about IN-99-07)
Friday, September 17, 1999

Overview

We have received reports of intruder activity involving the am-utils package. Reports submitted to the CERT/CC indicate that intruders are actively exploiting a vulnerability in amd, the automount daemon shipped with am-utils, and that successful exploitation gives remote users root access to the victim machine.

The vulnerability we have seen exploited as a part of these attacks is:

Description

Reports of successful exploitations of the vulnerability in amd have included some or all of the following attack characteristics:

  • Generation of a syslog message as a result of the vulnerability in amd being exploited. The ^P sequence is the printed form of a control character (0x10); the long run of it is the oversized mount path carried in the malicious amq request. The message is similar to

    xxx xx xx:xx:xx xxxxx amd[xxxx]: amq requested mount of
    ^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    xxx xx xx:xx:xx xxxxx amd[xxxx]: AMQ request from xxx.xxx.xxx.xxx DENIED
    

  • Addition of user accounts to /etc/passwd. Reports indicate the usernames bionic and foom are commonly added

  • Creation of a backdoor on port 1337/tcp using the file /tmp/bob as a configuration file for a second instance of /usr/sbin/inetd

  • Remote retrieval and installation of additional intruder tools, including root kits that contain replacements for various system binaries

  • Replacement versions of ssh and sshd installed and used by the intruder to gain access to compromised systems

  • Packet sniffer installed in "/dev/sda69/. /" (note the extra space)
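
The indicators above can be checked mechanically on a suspect host. The following is an added example, not code from the original CERT note: a small triage script that re-joins wrapped syslog records and flags amd "amq requested mount of" messages whose path is mostly control bytes (whether logged raw or in ^P notation), looks for the bionic and foom accounts and any extra UID-0 account in /etc/passwd, looks for a second inetd started with /tmp/bob and a listener on 1337/tcp, and flags directories under /dev whose names hide behind dots or whitespace such as "/dev/sda69/. /". All inputs are constructed samples embedded in the script (hostnames, PIDs and addresses are made up; 192.0.2.0/24 is a documentation range); on a real host you would feed the same functions /var/log/messages, /etc/passwd and the output of `ps -ef`, `netstat -an` and `find /dev -type d`.

```python
"""Triage checks for the amd intrusion indicators listed in this note.

Added example, not code from the original CERT note.  Indicator values
(the amd log text, users bionic/foom, 1337/tcp, /tmp/bob, "/dev/sda69/. /")
come from the note; every sample input below is constructed.
"""
import re

SUSPECT_USERS = {"bionic", "foom"}
BACKDOOR_PORT = 1337
BACKDOOR_CONF = "/tmp/bob"

RECORD_START = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ")
AMQ_MOUNT = re.compile(r"amd\[\d+\]: amq requested mount of\s*(?P<path>.*)$")
AMQ_DENIED = re.compile(r"amd\[\d+\]: AMQ request from (?P<src>\S+) DENIED")
CARET_CTRL = re.compile(r"\^[@A-Z\[\\\]^_?]")  # syslog's printed form of a control byte

# Constructed samples (not real captures).
SAMPLE_SYSLOG = "\n".join([
    "Sep 16 02:11:09 nfs1 amd[412]: amq requested mount of " + "\x10" * 40,
    "Sep 16 02:11:09 nfs1 amd[412]: AMQ request from 192.0.2.77 DENIED",
    "Sep 16 02:15:30 nfs1 amd[412]: amq requested mount of /home/alice",
    # Same event as written by a syslogd that prints 0x10 as ^P and wraps the
    # long line, which is how the excerpt in the note appears.
    "Sep 16 03:00:00 nfs1 amd[412]: amq requested mount of",
    "^P" * 16,
    "Sep 16 03:00:00 nfs1 amd[412]: AMQ request from 192.0.2.78 DENIED",
    "Sep 16 03:05:12 nfs1 sshd[520]: Accepted password for alice from 10.0.0.5",
])
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bionic:x:0:0::/:/bin/sh
foom:x:1001:1001::/home/foom:/bin/sh"""
SAMPLE_PS = """UID        PID  PPID  C STIME TTY          TIME CMD
root       233     1  0 Sep15 ?        00:00:01 /usr/sbin/inetd
root      9981     1  0 02:12 ?        00:00:00 /usr/sbin/inetd /tmp/bob"""
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1337            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.9:22             10.0.0.5:40122          ESTABLISHED"""
SAMPLE_FIND = "/dev\n/dev/pts\n/dev/shm\n/dev/sda69\n/dev/sda69/. "  # note trailing space


def syslog_records(text):
    """Re-join wrapped continuation lines so that each record is one string."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def control_char_count(s):
    """Count control characters whether stored raw or in ^X caret notation."""
    raw = sum(1 for ch in s if ord(ch) < 0x20 and ch != "\t")
    return raw + len(CARET_CTRL.findall(s))


def find_amq_overflows(syslog_text, min_ctrl=8):
    """amq mount requests whose path is a run of control bytes (first indicator).
    Each hit carries the source address from the DENIED record that follows it."""
    hits, recs = [], syslog_records(syslog_text)
    for i, rec in enumerate(recs):
        m = AMQ_MOUNT.search(rec)
        if not m or control_char_count(m.group("path")) < min_ctrl:
            continue
        src = None
        if i + 1 < len(recs):
            d = AMQ_DENIED.search(recs[i + 1])
            src = d.group("src") if d else None
        hits.append({"timestamp": rec[:15], "ctrl_chars": control_char_count(m.group("path")), "source": src})
    return hits


def find_suspect_accounts(passwd_text):
    """Accounts named in the note, plus any UID-0 account other than root."""
    names, extra_root = [], []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 3 or not f[2].isdigit():
            continue
        if f[0] in SUSPECT_USERS:
            names.append(f[0])
        if int(f[2]) == 0 and f[0] != "root":
            extra_root.append(f[0])
    return {"suspect_names": sorted(names), "extra_uid0": sorted(extra_root)}


def find_inetd_backdoor(ps_text, netstat_text):
    """A second inetd reading /tmp/bob, and any TCP listener on 1337."""
    rogue = [l for l in ps_text.splitlines() if "inetd" in l and BACKDOOR_CONF in l]
    listening = False
    for l in netstat_text.splitlines():
        f = l.split()
        if len(f) < 4 or not f[0].startswith("tcp") or "LISTEN" not in l:
            continue
        m = re.search(r"[:.](\d+)$", f[3])  # handles 0.0.0.0:1337 and BSD *.1337
        listening = listening or (m is not None and int(m.group(1)) == BACKDOOR_PORT)
    return {"rogue_inetd": rogue, "listening_on_1337": listening}


def find_odd_dev_dirs(find_output):
    """Directories with a name that is only dots or has leading/trailing whitespace."""
    odd = []
    for path in find_output.splitlines():
        comps = [c for c in path.rstrip("/").split("/") if c]
        if any(c != c.strip() or c.strip(".") == "" for c in comps):
            odd.append(path)
    return odd


def triage(syslog_text, passwd_text, ps_text, netstat_text, find_text):
    return {
        "amq_overflows": find_amq_overflows(syslog_text),
        "accounts": find_suspect_accounts(passwd_text),
        "backdoor": find_inetd_backdoor(ps_text, netstat_text),
        "odd_dev_dirs": find_odd_dev_dirs(find_text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SYSLOG, SAMPLE_PASSWD, SAMPLE_PS, SAMPLE_NETSTAT, SAMPLE_FIND), indent=2))
```

A clean result from this script is not proof of a clean host: the root kits mentioned above replace ps, netstat, ls and find, so on a suspect machine run these checks from known-good binaries (or against a copy of the disk mounted read-only on another system) rather than trusting the host's own tools.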

In some cases, we have seen distributed denial of service tools installed on compromised machines. For more information, see

IN-99-07, Distributed Denial of Service Tools

Solutions

If you believe a host has been compromised, we encourage you to disconnect the host from the network and review our steps for recovering from a root compromise:

http://www.cert.org/tech_tips/root_compromise.html

We encourage you to ensure that your hosts are current with security patches or work-arounds for well-known vulnerabilities. In particular, you may wish to review the following CERT advisory for suggested solutions:

We also encourage you to regularly review security related patches released by your vendors.

Copyright 1999 Carnegie Mellon University.