The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Systems Compromised Through a Vulnerability in am-utils</h2>

Updated: December 9, 1999 (Added information about IN-99-07)<br/>
Friday, September 17, 1999
<p>
<h3>Overview</h3>

We have received reports of intruder activity involving the am-utils
package. Reports submitted to the CERT/CC indicate that intruders are
actively exploiting a buffer overflow in <i>amd</i>, the automount
daemon, which runs as root; successful exploitation gives a remote,
unauthenticated user root access to the victim machine.
<p>
The vulnerability we have seen exploited as a part of these attacks is:
<p>
<ul>
<li>CA-99-12, Buffer Overflow in amd<p>
<a href="http://www.cert.org/advisories/CA-99-12-amd.html">
    http://www.cert.org/advisories/CA-99-12-amd.html</a>
</p></li></ul>
<h3>Description</h3>

Reports of successful exploitations of the vulnerability in <i>amd</i>
have included some or all of the following attack characteristics:
<p>
<ul>
<li>A syslog message written by <i>amd</i> when the overflow is attempted.
<i>amd</i> logs the mount path it was handed by <i>amq</i>, so the entry
contains the oversized request itself: a long run of control characters
(byte 0x10, shown here in the ^P notation that <tt>cat -v</tt> uses),
typically followed by the denial of the request. The message looks similar to
<p>
<pre>
xxx xx xx:xx:xx xxxxx amd[xxxx]: amq requested mount of
^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
xxx xx xx:xx:xx xxxxx amd[xxxx]: AMQ request from xxx.xxx.xxx.xxx DENIED
</pre>
<p>
<li><p>Addition of user accounts to /etc/passwd. Reports indicate the
usernames <i>bionic</i> and <i>foom</i> are commonly added.</p></li>
<li><p>Creation of a backdoor on port 1337/tcp using the file /tmp/bob as
a configuration file for a second instance of /usr/sbin/inetd (a second
inetd process whose argument is not /etc/inetd.conf, and a listener on
1337/tcp, are the things to look for).</p></li>
<li><p>Remote retrieval and installation of additional intruder tools, including
root kits that contain replacements for various system binaries.</p></li>
<li><p>Replacement versions of ssh and sshd installed and used by the
intruder to gain access to compromised systems.</p></li>
<li><p>Packet sniffer installed in "/dev/sda69/. /" (note the space after
the dot, which hides the directory from a casual <tt>ls</tt>).</p></li>
</ul>
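<p>
The characteristics above can be checked mechanically. The script below
is an added example, not code from the CERT/CC or the am-utils project:
one shell function per indicator (the ^P run in syslog, the added accounts
plus any extra uid-0 account, a bare-port shell service in the dropped
inetd configuration, and a whitespace-named directory under /dev), each
taking a file or directory path so it can be pointed at a live host or at
the constructed samples it writes for itself. The host name, pid,
192.0.2.10 address and file contents in the samples are made up for the
demonstration.
</p>
<pre>
```shell
#!/bin/sh
# Added example, not CERT/CC or am-utils code: host triage for the
# indicators listed in this incident note.  Each check takes a path so it
# can be run against a live host (/var/log/messages, /etc/passwd,
# /tmp/bob, /dev) or against the constructed samples make_samples writes.

# 1. syslog: an overflow attempt leaves an "amq requested mount of" line
#    whose path is a long run of 0x10 (^P) bytes.  cat -v renders raw
#    control bytes as ^P, so a raw log and an already-escaped one both
#    match.  Prints the number of such lines.  $2 is the shortest ^P run
#    that counts (default 32, far longer than any legitimate path prefix).
amd_overflow_count() {
    min=${2:-32}
    cat -v "$1" | grep -c "amq requested mount of \(\^P\)\{$min,\}" || true
}

# 2. /etc/passwd: the two names the reports mention, plus the check a
#    responder wants regardless of name, an account other than root with
#    uid 0.  Prints one "<kind>:<user>" line per hit.
passwd_indicators() {
    awk -F: '
        $1 == "bionic" || $1 == "foom" { print "known-intruder-account:" $1 }
        $3 == 0 && $1 != "root"        { print "extra-uid0-account:" $1 }
    ' "$1"
}

# 3. the second inetd's configuration (/tmp/bob in the reports).
#    inetd.conf lines are: service socket proto flags user server args...
#    A service given as a bare port number whose server is a shell is the
#    port-1337 backdoor shape.  Prints the port(s).
inetd_backdoor_ports() {
    awk '
        /^[ \t]*#/ || NF < 6            { next }
        $1 ~ /^[0-9]+$/ && $6 ~ /\/sh$/ { print $1 }
    ' "$1"
}

# 4. the sniffer's hiding place "/dev/sda69/. /": no legitimate directory
#    under /dev has whitespace in its name, so list any that do.
odd_dev_dirs() {
    find "$1" -type d -name '* *' 2>/dev/null
}

# Constructed samples reproducing each indicator.  The ^P run is one
# syslog line here; the incident note wraps it for display.
make_samples() {
    sled=$(awk 'BEGIN { for (i = 0; i < 200; i++) printf "\020" }')
    {
        printf 'Sep 17 03:12:01 host amd[214]: amq requested mount of /home/alice\n'
        printf 'Sep 17 03:12:09 host amd[214]: amq requested mount of %s\n' "$sled"
        printf 'Sep 17 03:12:09 host amd[214]: AMQ request from 192.0.2.10 DENIED\n'
    } > "$1/messages"
    printf 'root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1::/:/bin/sh\n' > "$1/passwd"
    printf 'bionic:x:0:0::/:/bin/sh\nfoom:x:1003:100::/home/foom:/bin/sh\n' >> "$1/passwd"
    printf '# constructed copy of the dropped config, started as: inetd /tmp/bob\n' > "$1/bob"
    printf 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n' >> "$1/bob"
    printf '1337 stream tcp nowait root /bin/sh sh -i\n' >> "$1/bob"
    mkdir -p "$1/dev/sda69/. "
}

# Run all four checks against a directory laid out like the samples.
triage() {
    echo "amd overflow lines in syslog: $(amd_overflow_count "$1/messages")"
    passwd_indicators "$1/passwd" | sed 's/^/passwd: /'
    inetd_backdoor_ports "$1/bob" | sed 's/^/backdoor inetd port: /'
    odd_dev_dirs "$1/dev" | sed 's/^/odd directory under \/dev: /'
}

sample_dir=$(mktemp -d)
make_samples "$sample_dir"
triage "$sample_dir"
rm -rf "$sample_dir"
```
</pre>
<p>
On a real host, run the checks against the live paths (for example
<tt>amd_overflow_count /var/log/messages</tt>) and pair them with a
process listing and a port listing, since the dropped inetd and its
1337/tcp listener leave no trace in these files once /tmp/bob is deleted.
</p>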
<p>

In some cases, we have seen distributed denial of service tools
installed on compromised machines. For more information, see
<p>
<dl>
<dd><a href="http://www.cert.org/incident_notes/IN-99-07.html">
    IN-99-07</a>, Distributed Denial of Service Tools
</dd></dl>
<p>
<h3>Solutions</h3>

If you believe a host has been compromised, we encourage you to
disconnect the host from the network and review our steps for
recovering from a root compromise:
<p>
<dl>
<dd><a href="http://www.cert.org/tech_tips/root_compromise.html">
http://www.cert.org/tech_tips/root_compromise.html</a>
</dd></dl>
<p>
We encourage you to ensure that your hosts are current with security
patches or work-arounds for well-known vulnerabilities. In particular,
you may wish to review the following CERT advisory for suggested
solutions:
<p>
<ul>
<li>CA-99-12, Buffer Overflow in amd<p>
<a href="http://www.cert.org/advisories/CA-99-12-amd.html">
    http://www.cert.org/advisories/CA-99-12-amd.html</a>
</p></li></ul>
<p>
We also encourage you to regularly review security related patches
released by your vendors.

<p>Copyright 1999 Carnegie Mellon University.</p>