CERT® Incident Note IN-2000-10

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities

Date: Friday, September 15, 2000

Overview

Recent reports of intruder exploitation of two vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggest that intruders are using scripts and toolkits to automate attacks.

Vulnerabilities we have commonly seen exploited as a part of these attacks include:

  • CA-2000-17, Input Validation Problem in rpc.statd
  • CA-2000-13, Two Input Validation Problems In FTPD

Of the two vulnerabilities discussed in CA-2000-13, the "Site exec" vulnerability is the one we are seeing exploited as a part of this activity.

Description

Sites involved in related incidents are reporting finding hosts compromised through one of these two vulnerabilities. In several cases, hundreds of compromised hosts have been involved in single incidents. Intruders appear to be using automated tools to probe for and exploit vulnerable hosts on a widespread scale.

A large majority of the compromised hosts involved in this activity have been running various versions of Red Hat Linux. Insecure default configurations in some versions have contributed to the widespread success of these attacks; in particular, the vulnerable rpc.statd service is often left enabled by automated installation and upgrade processes.

Intruders searching for vulnerable machines are performing widespread scanning for vulnerable systems across large blocks of address space. The scans target the following services:

  • sunrpc (e.g., portmap) on ports 111/udp and 111/tcp
  • ftp on port 21/tcp

In many cases, sites report receiving exploit attempts against both rpc.statd and wu-ftpd immediately after receiving probes. There is evidence to suggest intruders may be developing worm-like attack tools based on exploitations of rpc.statd and wu-ftpd.
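The probe pattern described above, as an added example that is not part of this note: a small Python detection routine, run over constructed packet-filter log lines (the one-line-per-packet format, the field order and the addresses are assumed for the example, not taken from any real capture), that flags sources sweeping sunrpc and ftp across many destinations and lists the local hosts that accepted a connection from them.

```python
"""Flag hosts sweeping sunrpc (111/udp, 111/tcp) and ftp (21/tcp) across an
address block, and list which local hosts accepted a connection from them.
Added example, not CERT/CC code; the log format below is assumed."""
import re
from collections import defaultdict

# Constructed packet-filter log: "time src dst proto dport action" per line.
# 192.0.2.10 sweeps the block for portmap and ftp; 198.51.100.3 answers both.
SAMPLE_LOG = """\
2000-09-14T02:13:01 192.0.2.10 198.51.100.1 udp 111 deny
2000-09-14T02:13:01 192.0.2.10 198.51.100.2 udp 111 deny
2000-09-14T02:13:01 192.0.2.10 198.51.100.3 udp 111 accept
2000-09-14T02:13:02 192.0.2.10 198.51.100.1 tcp 21 deny
2000-09-14T02:13:02 192.0.2.10 198.51.100.2 tcp 21 deny
2000-09-14T02:13:02 192.0.2.10 198.51.100.3 tcp 21 accept
2000-09-14T02:13:05 192.0.2.10 198.51.100.3 tcp 111 accept
2000-09-14T02:13:06 192.0.2.10 198.51.100.3 tcp 21 accept
2000-09-14T03:40:12 203.0.113.7 198.51.100.3 tcp 80 accept
2000-09-14T03:41:00 203.0.113.9 198.51.100.4 tcp 21 accept
"""

# The services this note reports being probed before exploit attempts.
SCANNED = {("udp", 111), ("tcp", 111), ("tcp", 21)}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (udp|tcp) (\d+) (accept|deny)$")


def parse(lines):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, proto, dport, action = m.groups()
            yield {"ts": ts, "src": src, "dst": dst, "proto": proto,
                   "dport": int(dport), "action": action}


def service(rec):
    return f'{rec["dport"]}/{rec["proto"]}'


def find_scanners(lines, min_targets=3):
    """Sources that touched a scanned service on >= min_targets distinct
    destinations. Returns {src: {"targets": n, "services": [...]}}."""
    seen = defaultdict(lambda: {"targets": set(), "services": set()})
    for rec in parse(list(lines)):
        if (rec["proto"], rec["dport"]) in SCANNED:
            seen[rec["src"]]["targets"].add(rec["dst"])
            seen[rec["src"]]["services"].add(service(rec))
    return {src: {"targets": len(v["targets"]), "services": sorted(v["services"])}
            for src, v in seen.items() if len(v["targets"]) >= min_targets}


def exposed_hosts(lines, scanners):
    """Destinations that accepted a scanned-service connection from a flagged
    scanner: check these first for rpc.statd / wu-ftpd exploitation."""
    hits = defaultdict(set)
    for rec in parse(list(lines)):
        if (rec["src"] in scanners and rec["action"] == "accept"
                and (rec["proto"], rec["dport"]) in SCANNED):
            hits[rec["dst"]].add(service(rec))
    return {dst: sorted(v) for dst, v in hits.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    scanners = find_scanners(lines)
    for src, info in scanners.items():
        print(f"scanner {src}: {info['targets']} targets, {', '.join(info['services'])}")
    for dst, svcs in exposed_hosts(lines, scanners).items():
        print(f"exposed {dst}: {', '.join(svcs)}")
```

A single source touching one host on port 21 is ordinary traffic; the threshold on distinct destinations is what separates the address-block sweep this note describes from normal use. Hosts that accepted a connection on 111 or 21 from a flagged sweeper are the ones to check for compromise before anything else.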

Once hosts are compromised, there are several common patterns in the tools being installed by intruders.

't0rnkit' rootkit

Since May of 2000, we have observed more than six different versions of a rootkit called 't0rnkit', or 'tornkit'. Rootkits are not a new idea and have been employed by intruders for several years. The important thing here is to be aware of the widespread nature of this particular activity and to ensure compromised hosts are recovered using appropriate procedures and techniques. Various versions of 't0rnkit' include an installation script which attempts many of the following things:

  • killing syslogd
  • alerting the intruder to remote logging facilities by searching the syslog configuration file for the '@' character
  • storing an intruder-supplied password for trojan horse programs in /etc/ttyhash
  • installing a trojan horse version of sshd configured to listen on an intruder-supplied port number with intruder-supplied SSH keys stored in a directory named '/usr/info/.t0rn'. The trojan horse binary is installed as /usr/sbin/nscd and started using '/usr/sbin/nscd -q'. The same command is appended to /etc/rc.d/rc.sysinit to start the daemon at system boot time.
  • locating trojan horse configuration files to hide file names, process names, etc. in a directory named '/usr/src/.puta'
  • replacing the following system binaries with trojan horse copies
    • /bin/login
    • /sbin/ifconfig
    • /bin/ps
    • /usr/bin/du
    • /bin/ls
    • /bin/netstat
    • /usr/sbin/in.fingerd
    • /usr/bin/find
    • /usr/bin/top
  • installing a password sniffer, sniffer logfile parser, and system logfile cleaning tool in /usr/src/.puta
  • attempting to enable telnet, shell, and finger in /etc/inetd.conf by removing any leading '#' comment characters
  • alerting the intruder about the word 'ALL' appearing in /etc/hosts.deny
  • some versions attempt to patch rpc.statd and wu-ftpd with versions that are not vulnerable.
  • restarting /usr/sbin/inetd
  • starting syslogd

Most versions also include a trojan horse version of tcp_wrappers in RPM format named 'tcpd.rpm'. There is strong evidence that 't0rnkit' is undergoing active development at the time of this writing, so the exact composition of the rootkit may vary from this description over time.
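As an added example that is not part of this note or of any CERT/CC tooling: a Python triage routine that checks a filesystem root for the t0rnkit artifacts listed above (the rootkit directories, /etc/ttyhash, the nscd boot hook in rc.sysinit, uncommented telnet/shell/finger entries in inetd.conf, and hash mismatches against operator-supplied known-good hashes of the replaced binaries). The build_demo_root() fixture is constructed for the example; the binary contents in it are placeholders, and the known-good hashes would in practice come from trusted install media, which is an assumed practice rather than something this note prescribes.

```python
"""Triage a filesystem root for the t0rnkit artifacts listed in this note.
Added example, not CERT/CC code: run check_t0rnkit("/") on a suspect host,
or better check_t0rnkit("/mnt/suspect") with the disk mounted from trusted
media. known_good maps replaced-binary paths to SHA-256 hashes the operator
took from install media (assumed practice, not prescribed by this note)."""
import hashlib
import os
import re
import tempfile

T0RN_PATHS = ("usr/info/.t0rn", "usr/src/.puta", "etc/ttyhash")  # named in the note
NSCD_RE = re.compile(r"^\s*/usr/sbin/nscd\s+-q\b")                # boot hook in rc.sysinit
INETD_SERVICES = ("telnet", "shell", "finger")                   # uncommented by the installer
TROJANED = ("bin/login", "sbin/ifconfig", "bin/ps", "usr/bin/du", "bin/ls",
            "bin/netstat", "usr/sbin/in.fingerd", "usr/bin/find", "usr/bin/top")


def _lines(path):
    try:
        with open(path, errors="replace") as f:
            return f.read().splitlines()
    except OSError:
        return []


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_t0rnkit(root="/", known_good=None):
    """Return a list of findings (empty when nothing matched)."""
    findings = []
    for rel in T0RN_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(f"rootkit path present: /{rel}")
    if any(NSCD_RE.match(l) for l in _lines(os.path.join(root, "etc/rc.d/rc.sysinit"))):
        findings.append("rc.sysinit starts /usr/sbin/nscd -q (trojan sshd boot hook)")
    for line in _lines(os.path.join(root, "etc/inetd.conf")):
        fields = line.split()
        if fields and fields[0] in INETD_SERVICES:   # a leading '#' keeps it disabled
            findings.append(f"inetd.conf enables {fields[0]}")
    for rel in TROJANED:
        path = os.path.join(root, rel)
        if known_good and rel in known_good and os.path.isfile(path):
            if sha256_file(path) != known_good[rel]:
                findings.append(f"hash mismatch: /{rel}")
    return findings


def build_demo_root(infected=True):
    """Constructed fixture, not a real capture: a fake root with placeholder
    binaries, with or without the artifacts above. Returns (root, known_good)."""
    root = tempfile.mkdtemp(prefix="t0rn-demo-")
    for d in ("etc/rc.d", "bin"):
        os.makedirs(os.path.join(root, d))
    known_good = {}
    for rel in ("bin/ls", "bin/ps"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"#!/bin/sh\n# stand-in for the vendor binary\n")
        known_good[rel] = sha256_file(os.path.join(root, rel))
    inetd = ["ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a",
             "#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd",
             "#shell stream tcp nowait root /usr/sbin/tcpd in.rshd",
             "#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd"]
    sysinit = ["#!/bin/sh", "# normal boot script body omitted"]
    if infected:
        os.makedirs(os.path.join(root, "usr/src/.puta"))
        with open(os.path.join(root, "etc/ttyhash"), "w") as f:
            f.write("constructed-password-hash\n")
        with open(os.path.join(root, "bin/ps"), "wb") as f:     # replaced binary
            f.write(b"#!/bin/sh\n# trojaned stand-in\n")
        inetd = [l.lstrip("#") if l.startswith(("#telnet", "#finger")) else l
                 for l in inetd]
        sysinit.append("/usr/sbin/nscd -q")
    with open(os.path.join(root, "etc/inetd.conf"), "w") as f:
        f.write("\n".join(inetd) + "\n")
    with open(os.path.join(root, "etc/rc.d/rc.sysinit"), "w") as f:
        f.write("\n".join(sysinit) + "\n")
    return root, known_good


if __name__ == "__main__":
    root, good = build_demo_root()
    for finding in check_t0rnkit(root, good):
        print(finding)
```

Because the check uses the kernel's own directory and file calls rather than ls, find or ps, the userland trojans t0rnkit installs do not hide these paths from it on a live host; a disk examined from trusted media is still the reliable basis, as the recovery steps referenced under Solutions describe. A clean result only means these particular artifacts are absent: the note itself warns that the kit is under active development.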

Distributed Denial of Service Tools

In addition to the installation of rootkits, we have observed a significant increase in the installation of distributed denial of service (DDoS) tools on hosts compromised through these two vulnerabilities. In one incident, we recorded over 560 hosts at 220 Internet sites around the world as being a part of a Tribe Flood Network 2000 (TFN2K) DDoS network. The hosts we were able to identify were compromised via either the rpc.statd or wu-ftpd vulnerabilities. We have commonly seen the following DDoS tools installed by intruders.

  • Tribe Flood Network (TFN) - see IN-99-07, Distributed Denial of Service Tools
  • Tribe Flood Network 2000 (TFN2K) - see CA-99-17, Denial-of-Service Tools
  • Stacheldraht 1.666+smurf+yps - a modified version of the tool discussed in CA-2000-01, Denial-of-Service Developments

For more information about distributed denial of service attacks, please see

Impact

The combination of widespread, automated exploitation of two common vulnerabilities and an associated increase in distributed denial of service tool installation poses a significant threat to Internet sites and the Internet infrastructure.

Solutions

The CERT/CC encourages all Internet sites to review the rpc.statd advisory (CA-2000-17) and the wu-ftpd advisory (CA-2000-13) and ensure workarounds or patches have been applied on all affected hosts on your network.

If you believe your host has been compromised, please follow the steps outlined in Steps for Recovering From a Root Compromise.

Author: Kevin Houle


This document is available from: http://www.cert.org/incident_notes/IN-2000-10.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.