CERT® Incident Note IN-98-06The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Automated Scanning and ExploitationWednesday, December 9, 1998
The CERT Coordination Center has received reports of intruders executing widespread attacks using scripted tools to control a collection of information-gathering and exploitation tools. The combination of functionality used by the scripted tools enables intruders to automate the process of identifying and exploiting known vulnerabilities in specific host platforms.
One scripted tool we are aware of uses a port scanning tool to perform widespread scanning to identify hosts responding on TCP port 111 (portmapper). This functionality is similar to the widespread scanning activity discussed in CERT Incident Note IN-98.02:
The scripted tool then uses an advanced scanning tool to attempt to identify the operating system architecture of hosts identified in the widespread scanning. The scripted tool looks for hosts identified to be running Linux. This functionality is similar to the advanced scanning techniques described in CERT Incident Note IN-98.04:
For each host identified as responding on TCP port 111 and appearing to be running Linux, the scripted tool uses an exploit tool to attempt exploitation of the mountd vulnerability described in CERT Advisory CA-98.12:
If the exploit tool is successful in gaining privileged access to the host, the exploit tool executes a series of shell commands to provide the intruder with a passwordless privileged account.
The scripted tool then logs the hostname of each compromised host to a file.
ConclusionTo help protect your systems from the various automated tools being used by the intruder community, we urge you to ensure that all machines in your network are up to date with patches and properly secured.
This document is available from: http://www.cert.org/incident_notes/IN-98-06.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1998 Carnegie Mellon University.