CERT-SEI

Widespread Compromises via "ramen" Toolkit

Date: Thursday, January 18, 2001

Overview

The CERT/CC has received reports from sites that have recovered an intruder toolkit called 'ramen' from compromised hosts. Ramen has been discussed in several public forums and the toolkit is publicly available. Ramen exploits one of several known vulnerabilities and contains a mechanism to self-propagate.

Description

Ramen is a collection of tools designed to attack systems by exploiting well-known vulnerabilities in three commonly installed software packages. A successful exploitation of any of the vulnerabilities results in a privileged (root) compromise of the victim host.

The services and specific vulnerabilities targeted are

When a host is compromised, the ramen toolkit is automatically copied to the compromised host, installed in "/usr/src/.poop", and started. The ramen toolkit is controlled by a series of shell scripts that make modifications to the compromised system and initiate attacks on other systems. Several notable system modifications are made in sequence after ramen is started.

  • All 'index.html' files on the system are replaced with an intruder-supplied 'index.html' file
  • The system file '/etc/hosts.deny' is deleted
  • The file '/usr/src/.poop/myip' is created and contains an IP address for the local system
  • A script is added to the end of '/etc/rc.d/rc.sysinit' to initiate scanning and exploitation during system startup
  • For systems with '/etc/inetd.conf'
    • an intruder supplied program is added as '/sbin/asp'. A service named 'asp' is added to '/etc/inetd.conf' and inetd is sent a signal to reload the configuration file. This causes inetd to listen on TCP socket number 27374 for incoming connections.
    • usernames 'ftp' and 'anonymous' are added to '/etc/ftpusers'
    • services 'rpc.statd' and 'rpc.rstatd' are terminated
    • the system files '/sbin/rpc.statd' and '/usr/sbin/rpc.statd' are deleted
  • For systems without '/etc/inetd.conf'
    • an intruder-supplied program is added as '/usr/sbin/asp'. A service named 'asp' is added to '/etc/xinetd.d' and xinetd is sent a signal to reload it's configuration. This causes xinetd to listen on TCP socket number 27374 for incoming connections.
    • the 'lpd' service is terminated
    • the system file '/usr/sbin/lpd' is deleted and replaced with an empty file
    • usernames 'ftp' and 'anonymous' are added to '/etc/ftpusers'

After modifying the local system, ramen initiates scanning and exploitation attempts against external systems on a widespread basis. The scanning and exploitation operations are executed, to some degree, in parallel. The time between a probe and an exploit attempt may be relatively short.

Successful exploitation results in the target host being root compromised. In addition, several actions are automatically taken on the newly compromised host that result in ramen being propagated from the attacker to the victim.

  • the directory '/usr/src/.poop' is created on the victim host
  • the 'ramen.tgz' toolkit is copied from '/tmp/ramen.tgz' on the attacking host to '/usr/src/.poop/ramen.tgz' on the victim host
  • 'ramen.tgz' is copied to '/tmp/ramen.tgz' on the victim host
  • 'ramen.tgz' is unpacked in '/usr/src/.poop' and the controlling shell script is started

The method of propagation is provided by the intruder-supplied 'asp' service. It receives connections on TCP port 27374 of the attacking host and responds by sending a copy of '/tmp/ramen.tgz' to the victim host.

Impact

Vulnerable systems that are not current with vendor security patches are at risk for being root compromised via the ramen toolkit. Compromised systems may be subject to web-related files and system files being altered or destroyed. Denial-of-service conditions may be created for services relying on altered or destroyed files. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.

The widespread, automated attack and propagation characteristics of ramen may cause bandwidth denial-of-service conditions in isolated portions of the network, particularly near groups of compromised hosts where ramen is running.

Solutions

The CERT/CC encourages Internet users and sites to ensure systems are up to date with current vendor security patches or workarounds for known security vulnerabilities. For more information, please see the related CERT advisories:

In the absence of fully patched and secured systems, one short-term mitigation strategy is to prevent propagation through packet filtering. Using packet filters to block outbound TCP SYN packets to destination port 27374 at strategic network choke points will help prevent newly compromised hosts within your network from acquiring ramen from external hosts and further propagating it. Using packet filters to block inbound TCP SYN packets to destination port 27374 at strategic network choke points will help prevent newly compromised hosts outside of your network from acquiring ramen from internal hosts and further propagating it. Using packet filters, or IDS signatures, with logging may also provide a quick means of identifying hosts within your network that may have been compromised by ramen.

Please note that packet filtering on specific ports is a nonsustainable strategy because usage of specific port numbers by intruder tools can and does change over time.

If you believe your host has been compromised, please follow the steps outlined in

Steps for Recovering From a Root Compromise

Author: Kevin Houle

Copyright 2001 Carnegie Mellon University.