Systems Compromised Through a Vulnerability in am-utils
Updated: December 9, 1999 (Added information about IN-99-07)
Original release date: Friday, September 17, 1999
Overview
We have received reports of intruder activity involving the am-utils package. Reports submitted to the CERT/CC indicate that intruders are actively exploiting a vulnerability in amd that is resulting in remote users gaining root access to victim machines. The vulnerability we have seen exploited as a part of these attacks is:
- CA-99-12, Buffer Overflow in amd
Description
Reports of successful exploitations of the vulnerability in amd have included some or all of the following attack characteristics:
- Generation of a syslog message as a result of the vulnerability in amd being exploited, similar to
xxx xx xx:xx:xx xxxxx amd[xxxx]: amq requested mount of ^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P xxx xx xx:xx:xx xxxxx amd[xxxx]: AMQ request from xxx.xxx.xxx.xxx DENIED
- Addition of user accounts to /etc/passwd. Reports indicate the usernames bionic and foom are commonly added
- Creation of a backdoor on port 1337/tcp using the file /tmp/bob as a configuration file for a second instance of /usr/sbin/inetd
- Remote retrieval and installation of additional intruder tools, including root kits that contain replacements for various system binaries
- Replacement versions of ssh and sshd installed and used by the intruder to gain access to compromised systems
- Packet sniffer installed in "/dev/sda69/. /" (note the extra space)
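The characteristics above can be turned into host triage checks. The following Python script is an added example and is not part of the CERT incident note; it looks for the syslog pattern (a run of ^P / 0x10 bytes in an amq mount request, accepted either as raw bytes or as the literal "^P" caret rendering), the bionic and foom accounts (and, going slightly beyond the note, any non-root UID-0 account), the /tmp/bob and "/dev/sda69/. /" paths, and a listener on 1337/tcp. All sample syslog lines, passwd entries, paths and netstat-style output are constructed inline so the script runs offline; the hostnames, PIDs and addresses in them are placeholders.

```python
"""Triage checks for the am-utils (amd) compromise indicators.

Added example, not code from the CERT note. Sample data below is constructed.
"""
import re
from typing import Dict, List

# Indicator: an amq mount request whose "path" is a long run of ^P (0x10).
# Syslog may keep the raw byte or render it as the two characters "^P";
# both forms are accepted. Eight or more in a row never occurs in a real path.
AMD_OVERFLOW_RE = re.compile(r"amq requested mount of\s+(?:\x10|\^P){8,}")

SUSPECT_USERS = {"bionic", "foom"}            # usernames named in the note
SUSPECT_PATHS = ("/tmp/bob", "/dev/sda69/. ")  # note the trailing space
BACKDOOR_PORT = 1337

# Constructed samples (placeholder host, PID and addresses).
SAMPLE_SYSLOG = [
    "Sep 16 02:11:07 fs1 amd[412]: amq requested mount of " + "\x10" * 120,
    "Sep 16 02:11:07 fs1 amd[412]: AMQ request from 192.0.2.10 DENIED",
    "Sep 16 02:12:00 fs1 amd[412]: amq requested mount of /home/alice",
]
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1000:1000::/home/alice:/bin/sh",
    "foom:x:0:0::/:/bin/sh",
]
SAMPLE_PATHS = ["/tmp/bob", "/tmp/bobcat", "/dev/sda69/. /sniffer", "/dev/sda1"]
SAMPLE_NETSTAT = [  # shaped like `netstat -an` output
    "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN",
    "tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN",
    "tcp 0 0 192.0.2.5:22 192.0.2.9:40112 ESTABLISHED",
]


def amd_overflow_indicator(line: str) -> bool:
    """True if a syslog line matches the amd overflow pattern from the note."""
    return AMD_OVERFLOW_RE.search(line) is not None


def suspect_accounts(passwd_lines: List[str]) -> List[str]:
    """Usernames from the note found in passwd, plus any non-root UID-0 account."""
    hits = []
    for entry in passwd_lines:
        fields = entry.split(":")
        if len(fields) < 3:
            continue
        user, uid = fields[0], fields[2]
        if user in SUSPECT_USERS or (uid == "0" and user != "root"):
            hits.append(user)
    return hits


def suspicious_paths(paths: List[str]) -> List[str]:
    """Paths (e.g. from `find / -print`) equal to or beneath the noted locations."""
    return [p for p in paths
            if any(p == s or p.startswith(s + "/") for s in SUSPECT_PATHS)]


def listening_ports(netstat_lines: List[str]) -> List[int]:
    """Ports in LISTEN state; accepts Linux "addr:port" and BSD "addr.port"."""
    ports = []
    for line in netstat_lines:
        cols = line.split()
        if "LISTEN" in cols and len(cols) >= 4:
            port = re.split(r"[.:]", cols[3])[-1]
            if port.isdigit():
                ports.append(int(port))
    return ports


def triage(syslog: List[str], passwd: List[str], paths: List[str],
           netstat: List[str]) -> Dict[str, object]:
    """Collect every indicator from the note into one findings dictionary."""
    return {
        "amd_overflow_lines": [l for l in syslog if amd_overflow_indicator(l)],
        "amq_denied_lines": [l for l in syslog
                             if "AMQ request from" in l and "DENIED" in l],
        "suspect_accounts": suspect_accounts(passwd),
        "suspicious_paths": suspicious_paths(paths),
        "backdoor_port_listening": BACKDOOR_PORT in listening_ports(netstat),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SYSLOG, SAMPLE_PASSWD,
                             SAMPLE_PATHS, SAMPLE_NETSTAT).items():
        print(f"{key}: {value!r}")
```

On a live host the lists would be fed from the syslog files, /etc/passwd, a recursive `find` listing and `netstat -an`; an absent hit does not clear a host, since the note also describes replaced system binaries, so a positive finding should lead into the root-compromise recovery steps rather than a cleanup of only the matched items.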
In some cases, we have seen distributed denial of service tools installed on compromised machines. For more information, see
- IN-99-07, Distributed Denial of Service Tools
Solutions
If you believe a host has been compromised, we encourage you to disconnect the host from the network and review our steps for recovering from a root compromise:
We encourage you to ensure that your hosts are current with security patches or work-arounds for well-known vulnerabilities. In particular, you may wish to review the following CERT advisory for suggested solutions:
- CA-99-12, Buffer Overflow in amd
We also encourage you to regularly review security related patches released by your vendors.
Copyright 1999 Carnegie Mellon University.