CERT® Incident Note IN-99-05The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Systems Compromised Through a Vulnerability in am-utilsUpdated: December 9, 1999 (Added information about IN-99-07)
Friday, September 17, 1999
OverviewWe have received reports of intruder activity involving the am-utils package. Reports submitted to the CERT/CC indicate that intruders are actively exploiting a vulnerability in amd that is resulting in remote users gaining root access to victim machines.
The vulnerability we have seen exploited as a part of these attacks is:
DescriptionReports of successful exploitations of the vulnerability in amd have included some or all of the following attack characteristics:
In some cases, we have seen distributed denial of service tools installed on compromised machines. For more information, see
SolutionsIf you believe a host has been compromised, we encourage you to disconnect the host from the network and review our steps for recovering from a root compromise:
We encourage you to ensure that your hosts are current with security patches or work-arounds for well-known vulnerabilities. In particular, you may wish to review the following CERT advisory for suggested solutions:
We also encourage you to regularly review security related patches released by your vendors.
This document is available from: http://www.cert.org/incident_notes/IN-99-05.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1999 Carnegie Mellon University.