The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities</h2>

Date: Friday, September 15, 2000<p>
<p>
<h3>Overview</h3>

Recent reports of intruders exploiting two vulnerabilities describe
very similar intruder activity. The level of activity and the scope of
the attacks suggest that intruders are using scripts and toolkits to
automate attacks.
<p>
Vulnerabilities we have commonly seen exploited as a part of these
attacks include:
<p>
<dl>
<dd><a href="/advisories/CA-2000-17.html">CA-2000-17</a>,
    Input Validation Problem in rpc.statd</dd>
<dd><a href="/advisories/CA-2000-13.html">CA-2000-13</a>,
    Two Input Validation Problems In FTPD</dd>
</dl>
<p>
Of the two vulnerabilities discussed in CA-2000-13, the "Site exec"
vulnerability is the one we are seeing exploited as a part of this
activity.

<h3>Description</h3>

Sites involved in related incidents are reporting finding hosts
compromised through one of these two vulnerabilities. In several
cases, hundreds of compromised hosts have been involved in single
incidents. Intruders appear to be using automated tools to probe for
and exploit vulnerable hosts on a widespread scale.
<p>
A large majority of the compromised hosts involved in this activity
have been running various versions of Red Hat Linux. Insecure default
configurations in some versions, especially with respect to the
vulnerable rpc.statd service often being enabled during automated
installation and upgrade processes, have contributed to the widespread
success of these attacks.
<p>
Intruders searching for vulnerable machines are scanning large blocks
of address space. The scans target the following services:
<p>
<ul>
<li>sunrpc (e.g., portmap) on ports 111/udp and 111/tcp</li>
<li>ftp on port 21/tcp</li>
</ul>
<p>
In many cases, sites report receiving exploit attempts against both
rpc.statd and wu-ftpd immediately after receiving probes. There is
evidence to suggest intruders may be developing worm-like attack tools
based on exploitations of rpc.statd and wu-ftpd.
<p>
Once hosts are compromised, there are several common patterns in the
tools being installed by intruders.
<p>
<b>'t0rnkit' rootkit</b>
<p>
Since May of 2000, we have observed more than six different versions
of a rootkit called 't0rnkit' or 'tornkit'. Rootkits are not a new
idea and have been employed by intruders for several years. The
important point here is to be aware of the widespread nature of this
particular activity and to ensure that compromised hosts are recovered
using appropriate procedures and techniques. Various versions of
't0rnkit' include an installation script which attempts many of the
following things:
<p>
<ul>
<li>killing syslogd</li>
<li>alerting the intruder to remote logging facilities by searching
    the syslog configuration file for the '@' character</li>
<li>storing an intruder-supplied password for trojan horse programs in /etc/ttyhash</li>
<li>installing a trojan horse version of sshd configured to listen on an
    intruder-supplied port number with intruder-supplied SSH keys stored
    in a directory named '/usr/info/.t0rn'. The trojan horse binary is
    installed as /usr/sbin/nscd and started using '/usr/sbin/nscd -q'.
    The same command is appended to /etc/rc.d/rc.sysinit to start the
    daemon at system boot time.</li>
<li>locating trojan horse configuration files to hide file names, process
    names, etc. in a directory named '/usr/src/.puta'</li>
<li>replacing the following system binaries with trojan horse copies
<ul>
    <li>/bin/login</li>
    <li>/sbin/ifconfig</li>
    <li>/bin/ps</li>
    <li>/usr/bin/du</li>
    <li>/bin/ls</li>
    <li>/bin/netstat</li>
    <li>/usr/sbin/in.fingerd</li>
    <li>/usr/bin/find</li>
    <li>/usr/bin/top</li>
</ul>
</li>
<li>installing a password sniffer, sniffer logfile parser, and system
    logfile cleaning tool in /usr/src/.puta</li>
<li>attempting to enable telnet, shell, and finger in /etc/inetd.conf
    by removing any leading '#' comment characters</li>
<li>alerting the intruder about the word 'ALL' appearing in /etc/hosts.deny</li>
<li>some versions attempt to patch rpc.statd and wu-ftpd with versions
    that are not vulnerable</li>
<li>restarting /usr/sbin/inetd</li>
<li>starting syslogd</li>
</ul>
<p>
Most versions also include a trojan horse version of tcp_wrappers in
RPM format named 'tcpd.rpm'. There is strong evidence that 't0rnkit'
is undergoing active development at the time of this writing, so the
exact composition of the rootkit may vary from this description over
time.
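<p>
As an added illustration that is not part of the original incident note, the following Python script checks a filesystem tree for the t0rnkit artifacts listed above. The function and constant names are this example's own; it is written to be run from a known-good system against a mounted image of the suspect disk, because the replaced ls, find and ps binaries on a compromised host cannot be trusted to report what is there.
<p>
```python
"""Check a Linux filesystem tree for the t0rnkit artifacts named in IN-2000-10."""
import os
import tempfile

# Artifacts from the incident note, relative to the tree being examined so the
# check can run against a mounted image of the suspect disk from a clean system.
T0RN_PATHS = {
    "etc/ttyhash": "intruder-supplied password for the trojan programs",
    "usr/info/.t0rn": "intruder-supplied SSH keys for the trojan sshd",
    "usr/src/.puta": "hiding configs, sniffer, parser and log cleaner",
}
RC_SYSINIT = "etc/rc.d/rc.sysinit"
RC_MARKER = "/usr/sbin/nscd -q"                  # trojan sshd started at boot
INETD_CONF = "etc/inetd.conf"
INETD_SERVICES = ("telnet", "shell", "finger")   # services the kit uncomments


def scan_for_t0rnkit(root):
    """Return human-readable findings for the tree at root; empty means none seen."""
    findings = []
    for rel, why in T0RN_PATHS.items():
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(f"{rel} present ({why})")
    rc = os.path.join(root, RC_SYSINIT)
    if os.path.isfile(rc):
        with open(rc, errors="replace") as fh:
            if any(RC_MARKER in line for line in fh):
                findings.append(f"{RC_SYSINIT} runs '{RC_MARKER}' at boot")
    inetd = os.path.join(root, INETD_CONF)
    if os.path.isfile(inetd):
        with open(inetd, errors="replace") as fh:
            for line in fh:
                fields = line.split()
                # Only an uncommented entry counts; '#telnet ...' is still disabled.
                if fields and fields[0] in INETD_SERVICES:
                    findings.append(f"{INETD_CONF} enables {fields[0]}")
    return findings


def build_sample_tree():
    """Constructed sample: a throwaway tree carrying three of the indicators."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/src/.puta"))
    os.makedirs(os.path.join(root, "etc/rc.d"))
    with open(os.path.join(root, RC_SYSINIT), "w") as fh:
        fh.write("# constructed rc.sysinit\n/usr/sbin/nscd -q\n")
    with open(os.path.join(root, INETD_CONF), "w") as fh:
        fh.write("#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
                 "finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd\n")
    return root
```
<p>
The replaced system binaries cannot be identified by path alone, so verify them against the package database from trusted media (on Red Hat, <code>rpm -V</code> on the original packages) as part of the recovery procedure.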
<p>
<b>Distributed Denial of Service Tools</b>
<p>
In addition to the installation of rootkits, we have observed a
significant increase in the installation of distributed denial of
service (DDoS) tools on hosts compromised through these two
vulnerabilities. In one incident, we recorded over 560 hosts at 220
Internet sites around the world as being a part of a Tribe Flood
Network 2000 (TFN2K) DDoS network. The hosts we were able to identify
were compromised via either the rpc.statd or wu-ftpd vulnerabilities.
We have commonly seen the following DDoS tools installed by intruders.
<p>
<ul>
<li>Tribe Flood Network (TFN) - see
    <a href="/incident_notes/IN-99-07.html">IN-99-07</a>,
    Distributed Denial of Service Tools</li>
<li>Tribe Flood Network 2000 (TFN2K) - see
    <a href="/advisories/CA-99-17-denial-of-service-tools.html">CA-99-17</a>,
    Denial-of-Service Tools</li>
<li>Stacheldraht 1.666+smurf+yps - modified version of the tool discussed in
    <a href="/advisories/CA-2000-01.html">CA-2000-01</a>,
    Denial-of-Service Developments</li>
</ul>
<p>
For more information about distributed denial of service attacks,
please see
<p>
<ul>
<li><a href="/reports/dsit_workshop-final.html">
    Results of the Distributed-Systems Intruder Tools Workshop - HTML format</a></li>
<li><a href="/reports/dsit_workshop.pdf">
    Results of the Distributed-Systems Intruder Tools Workshop - PDF format</a></li>
</ul>
<p>
<h3>Impact</h3>
<p>
The combination of widespread, automated exploitation of two common
vulnerabilities and an associated increase in distributed denial of
service tool installation poses a significant threat to Internet sites
and the Internet infrastructure.
<p>
<h3>Solutions</h3>
<p>
The CERT/CC encourages all Internet sites to review the rpc.statd
advisory (<a href="/advisories/CA-2000-17.html">CA-2000-17</a>) and
the wu-ftpd advisory
(<a href="/advisories/CA-2000-13.html">CA-2000-13</a>) and ensure
that workarounds or patches have been applied on all affected hosts on
your network.
<p>
If you believe your host has been compromised, please follow the steps
outlined in
<p>
<dl>
<dd><a href="/tech_tips/root_compromise.html">
  Steps for Recovering From a Root Compromise</a></dd>
</dl>
<p>
<b>Author: </b><a href="mailto:cert@cert.org?subject=IN-2000-10%20Feedback">Kevin Houle</a><br/>
<p>Copyright 2000 Carnegie Mellon University.</p>
</p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p>