[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: recent breakins and things to look out for



In case anyone hasn't seen it, there is a serious security vulnerablility in
named.  I personally know somebody who was hacked using this method.  Named is
often installed as a default, so even if you are not running DNS services, it
would be a good idea to check if named is running.  This hack gives the user
root access to your system.  Here is the CERT Advisory that was sent out.

Mark Thompson

bject:
             CERT Advisory CA-2000-03
        Date:
             Wed, 26 Apr 2000 15:30:02 -0400 (EDT)
       From:
             CERT Advisory <cert-advisory cert org>
    Reply-To:
             cert-advisory-request cert org
 Organization:
             CERT(R) Coordination Center - +1 412-268-7090
         To:
             cert-advisory cert org




-----BEGIN PGP SIGNED MESSAGE-----

CERT(r) Advisory CA-2000-03 Continuing Compromises of DNS servers

   Original release date: April 26, 2000
   Last revised: April 26, 2000
   Source: CERT/CC

Systems Affected

     * Systems running various vulnerable versions of BIND (including on
       machines where the system administrator does not realize a DNS
       server is running)

Overview

   This CERT Advisory addresses continuing compromises of machines
   running the Domain Name System (DNS) server software that is part of
   BIND ("named"), including compromises of machines that are not being
   used as DNS Servers. The Advisory also reports that a significant
   number of delegated(*) DNS servers in the in-addr.arpa tree are running
   outdated versions of DNS software, and urges system and network
   administrators to ensure that they are up-to-date with DNS security
   patches and workarounds.
   ______________________________________________________________________

   The CERT Coordination Center has received reports of continuing
   activity indicating that intruders are targeting machines running
   vulnerable versions of "named" . We continue to receive regular, daily
   reports that sites running unpatched, vulnerable versions of "named"
   have been compromised. CERT Advisory CA-99-14 "Multiple
   Vulnerabilities in BIND" describes the BIND NXT record privileged
   compromise vulnerability that is being exploited. We encourage you to
   review this advisory and to apply the appropriate patches if you have
   not done so already. The advisory is available at

     http://www.cert.org/advisories/CA-99-14-bind.html

   Some sites with compromised systems have found one of the following
   empty directories on systems where the NXT record vulnerability was
   successfully exploited:

     /var/named/ADMROCKS
     /var/named/O

   Other artifacts that are commonly found include
     * inetd started with an intruder-supplied configuration file in /tmp
       that provides a backdoor into the system
     * modified /etc/inittab and/or system startup files to load intruder
       processes at boot time
     * Trojan horse versions of sshd and /bin/login designed to provide a
       backdoor into a compromised system
     * complete rootkits that include Trojan horse replacements for
       system binaries, sniffers, denial-of-service tools, vulnerability
       scanners, exploits, etc.
     * newer versions of BIND

   Compromised systems are commonly used to search for and attack other
   potentially vulnerable systems.

   In many of the reports of DNS server compromises, compromised machines
   running DNS server software were not being used as DNS servers. The
   DNS server software was running because it was installed by default
   (unknowingly in many cases) when the machines were configured. This
   software was not up to date with security patches and workarounds; and
   since the system administrators were not planning to have the machines
   operate as DNS servers, they did not ensure the software was up to
   date, or simply disable the DNS server software on the machine. We
   encourage system and network administrators to disable DNS server
   software, and other services, on machines where the services are not
   needed.

   We have also received information from Bill Manning of the USC/ISI
   concerning DNS servers running vulnerable versions of domain name
   server software. Since 1997, Bill Manning sweeps the inverse tree
   (in-addr.arpa) on a quarterly basis to verify the accuracy of
   delegations within that hierarchy. Using the first quarter survey
   results, he compiled a list of what version of DNS server software
   the servers were running. Of the responding DNS servers that are
   delegated(*) DNS servers for the in-addr.arpa zone, more than 50%
   of these DNS servers were running older, vulnerable versions of
   BIND (any vulnerabilities, not just the NXT vulnerability). This is
   significant because the compromise of DNS servers that are
   delegated DNS servers can have impact on the security of other
   organizations in addition to the organization operating the DNS
   server.

   A copy of the survey results are available at

     http://www.isi.edu/~bmanning/in-addr-audit.html

   Based on the number of older versions being run, and the rate of
   compromises, we believe the number of DNS servers running older,
   vulnerable versions of BIND have not significantly decreased since the
   survey was published.

   We encourage DNS server operators to ensure that their DNS server
   software is up to date with the most recent versions of the DNS server
   software and that all security patches and workarounds have been
   applied.


   delegated DNS server: a delegated DNS is a DNS server that is assigned
   responsibility for responding to requests for a portion of the DNS
   hierarchy. For more information on delegation, see the section on
   delegation in DNS and BIND third edition, by Paul Albitz and Cricket
   Liu, O'Reilly and Associates, 1998.


   Advisory Author: Jeffrey J. Carpenter
     _________________________________________________________________

   The CERT Coordination Center thanks Bill Manning, USC/ISI, for
   providing information used in this CERT Advisory.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2000-03.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert cert org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site

   http://www.cert.org/

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request cert org and include SUBSCRIBE
   your-email-address in the subject of your message.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Copyright 2000 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBOQczV1FO4fmE3w/VAQGHkwP/T1+ButWqbRGeV/IQIua2C2GvdCE1cf0Z
tf86WNkXbUogFu6iHzVZZ/G/tPri0iGKVRd5r6kniCAy3l9fXa6jHGYIRRP7M93U
Q6Dd673NK17yosgMJzXrCsgjMBq3jv7KlKZ3zF0N1Ta7eMBhbL7fQasTtee4M/tn
O0rtMDKlw4U=
=UZWx
-----END PGP SIGNATURE-----



> On Wed, Apr 26, 2000 at 11:09:22AM -0700, Andrew Morgan wrote:
> > [In the majority of cases that I was able to follow up with, this was
> > related to a malicious attack: /bin/login and /usr/bin/passwd were
> > replaced with 'intruder friendly ones'.
>
> I investigated such a break-in a couple of days ago on an OpenLinux
> box. It appears that the intruders did not alter the RPM package database
> so it was quite simple to pin down what files got changed. I cannot
> tell exactly because the machine's owner had already partly restored
> it. I did however notice that login had been replaced, as well as
> crond and crontab. The attackers did leave parts of an intrusion kit
> in some subdirectory of /dev.
>
> During an earlier attack on that machine, attackers had also installed
> a network sniffer as /usr/sbin/rpc.nlsd, that was writing its log
> info to another subdirectory of /dev.
>
> > My advice so far has been and will continue
> > to be "reinstall your system from CD and be sure to install all of the
> > available updates", but this is not always well received.]
>
> That's my advice as well.
>
> Olaf
> --
> Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
> okir monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
> okir caldera de    +-------------------- Why Not?! -----------------------
>          UNIX, n.: Spanish manufacturer of fire extinguishers.
>
> --
> To unsubscribe: mail -s unsubscribe pam-list-request redhat com < /dev/null



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]