<p>The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.</p>
<h2>Systems Compromised Through a Vulnerability in am-utils</h2>
<p>Updated: December 9, 1999 (Added information about IN-99-07)<br/>
Friday, September 17, 1999</p>
<h3>Overview</h3>
<p>We have received reports of intruder activity involving the am-utils package. Reports submitted to the CERT/CC indicate that intruders are actively exploiting a vulnerability in <i>amd</i> that results in remote users gaining root access to victim machines.</p>
<p>The vulnerability we have seen exploited as part of these attacks is:</p>
<ul>
<li>CA-99-12, Buffer Overflow in amd<p><a href="http://www.cert.org/advisories/CA-99-12-amd.html">http://www.cert.org/advisories/CA-99-12-amd.html</a></p></li>
</ul>
<h3>Description</h3>
<p>Reports of successful exploitation of the vulnerability in <i>amd</i> have included some or all of the following attack characteristics:</p>
<ul>
<li>Generation of a syslog message as a result of the vulnerability in <i>amd</i> being exploited, similar to
<pre>
xxx xx xx:xx:xx xxxxx amd[xxxx]: amq requested mount of ^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
xxx xx xx:xx:xx xxxxx amd[xxxx]: AMQ request from xxx.xxx.xxx.xxx DENIED
</pre></li>
<li>Addition of user accounts to /etc/passwd. Reports indicate the usernames <i>bionic</i> and <i>foom</i> are commonly added.</li>
<li>Creation of a backdoor on port 1337/tcp using the file /tmp/bob as a configuration file for a second instance of /usr/sbin/inetd.</li>
<li>Remote retrieval and installation of additional intruder tools, including root kits that contain replacements for various system binaries.</li>
<li>Replacement versions of ssh and sshd installed and used by the intruder to gain access to compromised systems.</li>
<li>Packet sniffer installed in "/dev/sda69/. /" (note the extra space).</li>
</ul>
<p>In some cases, we have seen distributed denial of service tools installed on compromised machines. For more information, see</p>
<dl><dd><a href="http://www.cert.org/incident_notes/IN-99-07.html">IN-99-07</a>, Distributed Denial of Service Tools</dd></dl>
<h3>Solutions</h3>
<p>If you believe a host has been compromised, we encourage you to disconnect the host from the network and review our steps for recovering from a root compromise:</p>
<dl><dd><a href="http://www.cert.org/tech_tips/root_compromise.html">http://www.cert.org/tech_tips/root_compromise.html</a></dd></dl>
<p>We encourage you to ensure that your hosts are current with security patches or work-arounds for well-known vulnerabilities. In particular, you may wish to review the following CERT advisory for suggested solutions:</p>
<ul>
<li>CA-99-12, Buffer Overflow in amd<p><a href="http://www.cert.org/advisories/CA-99-12-amd.html">http://www.cert.org/advisories/CA-99-12-amd.html</a></p></li>
</ul>
<p>We also encourage you to regularly review security-related patches released by your vendors.</p>
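<p>As an added example that is not part of the CERT note, the following Python triage script checks data collected from a suspect host against the indicators listed in the Description section: the control-byte-padded <i>amq</i> mount request and the "AMQ request ... DENIED" syslog lines, the <i>bionic</i> and <i>foom</i> accounts, the 1337/tcp listener, /tmp/bob and the sniffer directory. The syslog and passwd samples are constructed, and the 16-control-byte threshold and all function names are this example's own assumptions.</p>

```python
import re
# Indicators quoted in the CERT note; the sample data further down is constructed.
SUSPECT_USERS = {"bionic", "foom"}
BACKDOOR_PORT = 1337
SUSPECT_PATHS = ("/tmp/bob", "/dev/sda69/. /")  # second one has the odd trailing space
MOUNT_RE = re.compile(r"amd\[\d+\]: amq requested mount of (?P<path>.*)$")
DENIED_RE = re.compile(r"amd\[\d+\]: AMQ request from (?P<src>\S+) DENIED")
CARET_RE = re.compile(r"\^([@-_])")  # caret notation such as ^P for byte 0x10

def control_byte_count(path):
    """Count control characters in a mount path, whether raw or caret-escaped."""
    raw = CARET_RE.sub(lambda m: chr(ord(m.group(1)) - 64), path)
    return sum(1 for c in raw if ord(c) < 0x20 or ord(c) == 0x7f)

def scan_syslog(lines, min_ctrl=16):
    """Flag padded amq mount requests (threshold is an assumption) and DENIED lines."""
    findings = []
    for line in lines:
        m = MOUNT_RE.search(line)
        if m:
            n = control_byte_count(m.group("path"))
            if n >= min_ctrl:
                findings.append(("amd_overflow_attempt", n))
            continue
        m = DENIED_RE.search(line)
        if m:
            findings.append(("amq_denied", m.group("src")))
    return findings

def scan_passwd(passwd_text):
    """Return the suspect account names present in /etc/passwd content."""
    names = {l.split(":", 1)[0] for l in passwd_text.splitlines() if l.strip()}
    return sorted(SUSPECT_USERS & names)

def scan_host_state(listening_tcp_ports, existing_paths):
    """Check listener and filesystem indicators gathered from netstat and ls output."""
    findings = []
    if BACKDOOR_PORT in listening_tcp_ports:
        findings.append(("backdoor_listener", BACKDOOR_PORT))
    findings += [("suspect_path", p) for p in SUSPECT_PATHS if p in existing_paths]
    return findings
# Constructed sample input modelled on the note, not a real capture.
SAMPLE_SYSLOG = [
    "Sep 17 03:12:44 host amd[212]: amq requested mount of " + "\x10" * 400,
    "Sep 17 03:12:44 host amd[212]: AMQ request from 192.0.2.10 DENIED",
    "Sep 17 03:13:01 host amd[212]: amq requested mount of /home/alice",
]
SAMPLE_PASSWD = "root:x:0:0::/root:/bin/sh\nbionic:x:0:0::/:/bin/sh\n"

if __name__ == "__main__":
    print(scan_syslog(SAMPLE_SYSLOG), scan_passwd(SAMPLE_PASSWD),
          scan_host_state({22, 1337}, {"/tmp/bob"}))
```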
<p>Copyright 1999 Carnegie Mellon University.</p>