**************************************************************************
Security Bulletin 9810                  DISA Defense Communications System
                                                              May 22, 1998
Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642

            DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DISN facilities. Back issues may
be obtained via FTP from NIC.MIL [207.132.116.5] using login="anonymous"
and password="guest". The bulletin pathname is scc/sec-yynn (where "yy"
is the year the bulletin is issued and "nn" is a bulletin number, e.g.
scc/sec-9705.txt). These are also available at our WWW site,
http://nic.mil.
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the Computer          !
!  Emergency Response Team (CERT) and is being relayed unedited         !
!  via the Defense Information Systems Agency's Security                !
!  Coordination Center distribution system as a means of                !
!  providing DISN subscribers with useful security information.         !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================
-----BEGIN PGP SIGNED MESSAGE-----

CERT* Summary CS-98.04 - SPECIAL EDITION
May 21, 1998

This special edition of the CERT Summary reports increasing attacks on
machines running "named" (domain name server software, part of BIND).
Past CERT Summaries are available from
ftp://ftp.cert.org/pub/cert_summaries/

- ---------------------------------------------------------------------------

The CERT Coordination Center has received reports of increasing intruder
activity indicating that intruders are targeting machines running
vulnerable versions of "named" (domain name server software that is part
of BIND). Many sites running unpatched, vulnerable versions of "named"
have been compromised.

We encourage you to review CERT Advisory CA-98.05, which describes the
BIND buffer overflow vulnerability that is being exploited, and to apply
the appropriate patches if you have not done so already. The advisory is
available at

        http://www.cert.org/advisories/CA-98.05.bind_problems.html

Some operating system distributions have the vulnerable version of
"named" installed and enabled by default. When you are installing an
operating system on a machine, ensure that the version of the operating
system you use contains a patch for this problem; if your operating
system is vulnerable and does not contain a patch, immediately apply the
patch after you install the operating system. For more information about
which operating systems have vulnerable versions of "named", see
CA-98.05.

Increasing Intruder Activity
- ----------------------------

Intruders are increasingly scanning networks for machines running
vulnerable versions of "named". This increased activity in "named" is
consistent with trends we have seen with previous vulnerabilities; in
these cases, intruders have launched widespread scans to look for
machines running vulnerable IMAP servers or web servers with the "phf"
vulnerability, and then exploited the vulnerability on those machines.

While we have had many reported incidents involving the exploitation of
"named", at least one incident appears to involve widespread attacks
against authoritative domain name servers.
Description of Some Current Attacks
- -----------------------------------

In some incidents reported to us, it appears that after the "named"
server is compromised, the intruder runs a script that

  - telnets to another host (potentially the host launching the attack)
    on port 666
  - obtains an intruder tool archive named "hide" via ncftp or ftp
  - unpacks and installs the contents of the "hide" archive

This "hide" archive includes the following Trojan horse programs:

        ifconfig
        inetd
        ls
        named
        netstat
        ps
        pstree
        syslogd
        tcpd
        top

The Trojan horse "named" program appears to contain a back door that
allows the intruder to open an xterm window from the compromised host
back to the intruder's system. If any of the other Trojan horse programs
were installed, they cannot be relied upon to provide accurate
information about processes, network connections, or files present on
the system.

The "hide" archive also contains several other intruder tools and
configuration files including

        /dev/reset
        /dev/pmcf1
        /dev/pmcf2
        /dev/pmcf3
        /dev/pmcf4
        fix

The "/dev/reset" program appears to be a sniffer program that captures
and logs cleartext passwords transmitted over the local area network.
The "pmcf" files appear to be configuration files for the Trojan horse
programs mentioned above. "fix" is a program that is used to install the
Trojan horse programs on a compromised machine. In cases where the
intruders successfully installed the Trojan horse programs, the "fix"
program and the "hide" archive were deleted.

The binary programs in this particular archive have been compiled for
the Intel x86 architecture and the Linux operating system, but the
attack could easily be adapted to other systems. Vulnerable "named"
servers other than ones on Linux may abort and dump core if an intruder
attempts to use the specific exploit designed for the Intel x86
architecture.
This means that a core file for a domain name server may indicate a
specific failed attempt to compromise the domain name server, but the
domain name server could still be successfully compromised with the use
of a different intruder exploit script.

Look for Compromise on Your Systems
- -----------------------------------

To determine whether or not your system has been compromised by an
intruder, we encourage you to follow the steps identified in our
Intruder Detection Checklist, available at

        ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

Suggestions for detecting this specific activity include

  - Compare the MD5 checksums for the files listed above with the MD5
    checksums from versions that are known to be correct.

  - Look for the sniffer program "/dev/reset", the "/dev/pmcf*"
    configuration files and the sniffer output file, which in many
    incidents has been "/usr/lib/libsn.a".

  - Check to see if your system log contains messages like

        May 1 11:28:49 named[28464]: starting. named LOCAL-980501.020913
        Fri May 1 02:09:13 EDT 1998 ^Iroot@:/usr/lib/tntbot/bind/named

    This message may indicate that you are running a Trojan horse
    version of "named".

  - Investigate any unexpected crashes or restarts of the "named" and
    "inetd" daemons occurring recently, especially since April 27, 1998.
    The intruder's installation script kills these daemons and then
    restarts them with the new Trojan horse versions.

  - Examine core dumps from recently crashed "named" servers. Some of
    the sites attacked have reported that their core files contain
    portions of the exploit script used in this attack. Sites that have
    reported such crashes appear to be running operating systems other
    than Linux. In these cases, it is possible that the intruder was not
    successful in compromising the machine. However, the "named" server
    is still potentially vulnerable and could be compromised
    successfully in a different attempt.
  - The .ncftp file in root's home directory may contain information
    showing unexpected ftp file transfers.

If you determine that your systems may have been root compromised as a
result of this activity, we encourage you to refer to the "Recovering
from an Incident" web page available at

        http://www.cert.org/nav/recovering.html

- ---------------------------------------------------------------------------

How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer on business days 8:30-5:00 p.m. EST
         (GMT-5)/EDT(GMT-4), and are on call for emergencies during
         other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send
your email address to
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise you to encrypt your
message. We can support a shared DES key or PGP. Contact the CERT staff
for more information.

Location of CERT PGP key
        ftp://ftp.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use,
disclaimers, and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.
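The following triage script is an added example (not CERT or DISA code) that turns the indicators in the two sections above, the "hide" archive contents and the "Suggestions for detecting this specific activity" list, into three repeatable checks: the Trojan horse "named" startup banner in syslog, the sniffer and "pmcf" files on disk, and MD5 mismatches in the binaries the archive replaces. The syslog pattern keys on the "tntbot/bind/named" build path quoted in the summary; everything else (the sample log lines apart from the quoted one, the directory listing, the "known-good" digests) is constructed here so the script runs offline. On a real host the known-good digests would come from trusted vendor media, not be derived on the suspect machine.

```python
"""Triage helpers for the indicators in CERT Summary CS-98.04 (added example)."""
import fnmatch
import hashlib
import re

# Files the summary names: the sniffer, its "pmcf" configuration files and
# the sniffer output file seen in many incidents.
INDICATOR_PATH_PATTERNS = ["/dev/reset", "/dev/pmcf*", "/usr/lib/libsn.a"]

# Binaries the "hide" archive replaces with Trojan horse versions.
TROJANED_BINARIES = ["ifconfig", "inetd", "ls", "named", "netstat",
                     "ps", "pstree", "syslogd", "tcpd", "top"]

# The startup banner quoted in the summary ends with the build path of the
# Trojan horse "named" (".../tntbot/bind/named") after a tab.
TROJAN_NAMED_RE = re.compile(r"named\[\d+\]: starting\..*tntbot/bind/named")


def find_trojan_named_startups(log_lines):
    """Return the syslog lines whose named startup banner carries the tntbot path."""
    return [line for line in log_lines if TROJAN_NAMED_RE.search(line)]


def find_indicator_paths(existing_paths):
    """Return, sorted, the paths from existing_paths that match an indicator pattern."""
    return sorted(p for p in existing_paths
                  if any(fnmatch.fnmatchcase(p, pat) for pat in INDICATOR_PATH_PATTERNS))


def verify_md5(installed, known_good):
    """Return, sorted, the binaries whose MD5 differs from (or is missing in) known_good.

    installed maps a binary name to its file contents; known_good maps the
    same names to trusted hex digests. A binary absent from installed is
    reported too, since a missing system binary is also worth a look.
    """
    bad = []
    for name, digest in known_good.items():
        data = installed.get(name)
        if data is None or hashlib.md5(data).hexdigest() != digest:
            bad.append(name)
    return sorted(bad)


# --- constructed sample data -------------------------------------------------
# The first line is the banner quoted in the summary (^I written as a tab);
# the other two are constructed benign lines.
SAMPLE_SYSLOG = [
    "May  1 11:28:49 named[28464]: starting.  named LOCAL-980501.020913 "
    "Fri May  1 02:09:13 EDT 1998 \troot@:/usr/lib/tntbot/bind/named",
    "May  1 11:28:50 inetd[28470]: starting",
    "May  2 03:00:01 named[512]: starting.  named LOCAL-980427.100000 "
    "Mon Apr 27 10:00:00 EDT 1998 \troot@build:/usr/src/bind/named",
]

# Constructed directory listing containing two indicator files and the
# sniffer output file among benign entries.
SAMPLE_PATHS = ["/dev/null", "/dev/reset", "/dev/pmcf1", "/dev/tty0",
                "/usr/lib/libsn.a", "/usr/lib/libc.a"]

# Placeholder "trusted" digests, derived here only so the example runs offline.
KNOWN_GOOD_MD5 = {n: hashlib.md5(("good-" + n).encode()).hexdigest()
                  for n in TROJANED_BINARIES}
# Constructed installed contents, with two binaries replaced.
SAMPLE_INSTALLED = {n: ("good-" + n).encode() for n in TROJANED_BINARIES}
SAMPLE_INSTALLED["ps"] = b"replaced-ps"
SAMPLE_INSTALLED["named"] = b"replaced-named"


def run_triage(log_lines, paths, installed, known_good):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "trojan_named_banners": find_trojan_named_startups(log_lines),
        "indicator_files": find_indicator_paths(paths),
        "md5_mismatches": verify_md5(installed, known_good),
    }


if __name__ == "__main__":
    findings = run_triage(SAMPLE_SYSLOG, SAMPLE_PATHS,
                          SAMPLE_INSTALLED, KNOWN_GOOD_MD5)
    for check, hits in findings.items():
        print(f"{check}: {hits}")
```

Because the Trojan horse "ls", "ps" and "netstat" lie about files and processes, a real run should read the log, the directory listing and the binaries with tools brought from trusted media (or after booting from one); feeding this script the output of the installed "ls" defeats the purpose.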
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNWR4gnVP+x0t4w7BAQF/wQP/QxT1ZApG3SLWndRQ0svlEFV5OVo22bWX
H+61HPAn7h5dLsk1hMzer5Nvi1SpOT2aT9gFtb4tTHiaJ/E9NazWB2QBSXNDhMEz
p5+rbSiPvEsbRjysRQhzaG6GC2bib7tsaozGUka/XAKEjtJeJxzlZk++9AFkvtMp
QQzljs3cPd4=
=iQy0
-----END PGP SIGNATURE-----

****************************************************************************
*                                                                          *
*   The point of contact for NIPRNET security-related incidents is the     *
*   ASSIST:                                                                *
*                                                                          *
*        E-mail address: ASSIST@ASSIST.MIL                                 *
*                                                                          *
*        Telephone: 1-(800)-357-4231 (24 hours/day)                        *
*                                                                          *
*   You may also contact the Security Coordination Center (SCC) at the     *
*   NIC:                                                                   *
*                                                                          *
*        E-mail address: SCC@NIC.MIL                                       *
*                                                                          *
*        Telephone: 1-(800)-365-3642                                       *
*                                                                          *
*   NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,    *
*   Monday through Friday except on federal holidays.                      *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may
receive DISN Security Bulletins. If you are not part of the DOD
community, please contact your agency's incident response team to report
incidents. Your agency's team will coordinate with DOD.

The Forum of Incident Response and Security Teams (FIRST) is a
world-wide organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.

This document was prepared as a service to the DOD community. Neither
the United States Government nor any of their employees makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights.
Reference herein to any specific commercial product, process, or service
by trade name, trademark, manufacturer, or otherwise does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government. The opinions of the authors
expressed herein do not necessarily state or reflect those of the United
States Government, and shall not be used for advertising or product
endorsement purposes.