-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
                         Security Advisory CERT-NL
===============================================================================
Author/Source : Egon Verharen                          Index   : S-99-24
Distribution  : World                                  Page    : 1
Classification: External                               Version : 1
Subject       : Similar Attacks Using Various RPC Services
Date          : 25-Jul-99
===============================================================================

By courtesy of CERT Coordination Center we received the following
information.

CERT Coordination Center Incident Note IN-99-04, "Similar Attacks Using
Various RPC Services", describes a growing number of incidents in which
intruders exploit three different RPC service vulnerabilities and, although
the vulnerabilities differ, leave similar artifacts on the compromised
systems. The incident note refers to three CERT/CC advisories sent out
earlier:

- CA-99-08 - Buffer Overflow Vulnerability in rpc.cmsd
- CA-99-05 - Vulnerability in statd exposes vulnerability in automountd
- CA-98.11 - Vulnerability in ToolTalk RPC Service

CERT-NL recommends reading the incident note (and preferably the original
advisories) closely and applying the patches described in the advisories.

==============================================================================

CERT Incident Note IN-99-04

The CERT Coordination Center publishes incident notes to provide information
about incidents to the Internet community.

Similar Attacks Using Various RPC Services

Thursday, July 22, 1999

Overview

We have recently received an increasing number of reports that intruders are
using similar methods to compromise systems. We have seen intruders exploit
three different RPC service vulnerabilities; although the vulnerabilities
differ, similar artifacts have been found on the compromised systems.
Vulnerabilities we have seen exploited as a part of these attacks include:

CA-99-08 - Buffer Overflow Vulnerability in rpc.cmsd
http://www.cert.org/advisories/CA-99-08-cmsd.html

CA-99-05 - Vulnerability in statd exposes vulnerability in automountd
http://www.cert.org/advisories/CA-99-05-statd-automountd.html

CA-98.11 - Vulnerability in ToolTalk RPC Service
http://www.cert.org/advisories/CA-98.11.tooltalk.html

Description

Recent reports involving these vulnerabilities have involved very similar
intruder activity. The level of activity and the scope of the incidents
suggest that intruders are using scripts to automate the attacks. The
attacks appear to attempt multiple exploits but produce similar results.

We have received reports of the following types of activity associated with
these attacks:

- Core files for rpc.ttdbserverd located in the root "/" directory, left by
  an exploitation attempt against rpc.ttdbserverd.

- Files named callog.* located in the cmsd spool directory, left by an
  exploitation attempt against rpc.cmsd.

- Exploitations that execute similar commands to create a privileged back
  door into a compromised host. Typically the exploit starts a second
  instance of the inetd daemon that reads an intruder-supplied configuration
  file. The configuration file commonly contains an entry that provides the
  intruder a privileged back door into the compromised host. The most common
  example we have seen looks like this:

      /bin/sh -c echo 'ingreslock stream tcp wait root /bin/sh -i' >> /tmp/bob;/usr/sbin/inetd -s /tmp/bob

  If successfully installed and executed, this back door may be used by an
  intruder to gain privileged (e.g., root) access to a compromised host by
  connecting to the port associated with the ingreslock service, which is
  typically TCP port 1524. The file names and service names are arbitrary;
  they may be changed to create an inetd configuration file in a different
  location or a back door on a different port.
- In many cases, scripts have been used to automate intruder exploitation of
  back doors installed on compromised hosts. This method has been used to
  install and execute various intruder tools and tool archives, initiate
  attacks on other hosts, and collect output from intruder tools such as
  packet sniffers.

  One common set of intruder tools we have seen is included in an archive
  file called "neet.tar", which includes several intruder tools:

  - A packet sniffer named update or update.hme that produces an output file
    named output or output.hme.
  - A back door program named doc that is installed as a replacement for
    /usr/sbin/inetd. The back door is activated when a connection is received
    from a particular source port and a special string is provided. We have
    seen the source port 53982 commonly used.
  - A replacement ps program to hide intruder processes. We have seen a
    configuration file installed at /tmp/ps_data on compromised hosts.

  Another common set of intruder tools we have seen is included in an archive
  file called "leaf.tar", which includes several intruder tools:

  - A replacement in.fingerd program with a back door for intruder access to
    the compromised host.
  - eggdrop, an IRC tool commonly installed on compromised hosts by
    intruders. In this activity, we have seen the binary installed as
    /usr/sbin/nfds.
  - Various files and scripts associated with eggdrop, many of which are
    installed in the directory /usr/lib/rel.so.1.
  - A replacement root crontab entry used to start eggdrop.

  It is possible that other tools and tool archives could be involved in
  similar activity.

- In some cases, we have seen intruder scripts remove or destroy system
  binaries and configuration files.
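The back door and the tool-kit artifacts described above translate directly into host checks. The script below is an added example and is not part of the CERT/CC note or of CERT-NL's advisory. It sweeps a root directory (the live system, or a mounted image of a suspect disk) for the files the note lists, audits an inetd-format configuration file for entries that hand out a shell (the pattern of the ingreslock line above), and flags extra inetd instances in saved "ps -ef" output, relying on the fact that inetd takes its configuration file as a trailing argument (on Solaris, -s additionally runs it standalone). The cmsd spool directory (/var/spool/calendar) and the root crontab locations are assumptions for Solaris-style systems; /tmp/bob is checked only because the note names it, since the intruder can choose any file name. The sample tree built in the demo is constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the CERT/CC note: hunt for the IN-99-04 artifacts
# on a live Unix host or on a mounted image of a suspect disk. Paths are the
# ones the note names; the cmsd spool directory (/var/spool/calendar) and the
# root crontab locations are assumptions for Solaris-style systems.

service_port() {
    # Usage: service_port NAME [SERVICES_FILE]  -> TCP port from /etc/services
    f=${2:-/etc/services}
    [ -r "$f" ] || return 0
    awk -v s="$1" '$1 == s && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$f"
}

audit_inetd_conf() {
    # Usage: audit_inetd_conf FILE [SERVICES_FILE]
    # inetd.conf fields: service socket proto wait|nowait user server args...
    # Prints one SUSPICIOUS line per entry whose server program is a shell or
    # interpreter, or whose arguments carry -i, e.g. the note's
    #   ingreslock stream tcp wait root /bin/sh -i
    file=$1; services=$2
    while read -r svc socktype proto wflag user server args; do
        case "$svc" in ''|'#'*) continue ;; esac     # blank line or comment
        [ -n "$server" ] || continue                 # malformed entry
        reason=''
        case "$server" in
            */sh|*/csh|*/ksh|*/bash|*/perl) reason="server is an interpreter ($server)" ;;
        esac
        case " $args " in
            *' -i '*) reason="${reason:+$reason; }interactive flag -i" ;;
        esac
        [ -n "$reason" ] || continue
        port=$(service_port "$svc" "$services")
        printf 'SUSPICIOUS: %s (tcp/%s) as %s: %s\n' "$svc" "${port:-?}" "$user" "$reason"
    done < "$file"
}

find_rogue_inetd() {
    # Usage: find_rogue_inetd PS_FILE   (saved output of 'ps -ef')
    # inetd takes its configuration file as a trailing argument, so an inetd
    # whose last argument is a path other than /etc/inetd.conf is a second,
    # intruder-started instance like '/usr/sbin/inetd -s /tmp/bob'.
    awk '/\/inetd/ { cfg = $NF
                     if (cfg ~ /^\// && cfg !~ /\/inetd$/ && cfg != "/etc/inetd.conf")
                         print "ROGUE inetd: pid " $2 " reads " cfg }' "$1"
}

sweep_artifacts() {
    # Usage: sweep_artifacts [ROOT]   (ROOT = / or a mounted image)
    base=${1:-/}; root=${base%/}
    for f in "$root"/core "$root"/core.*; do            # ttdbserverd core in /
        [ -f "$f" ] && printf 'ARTIFACT core file in /: %s\n' "$f"
    done
    for f in "$root"/var/spool/calendar/callog.*; do    # cmsd exploit residue
        [ -f "$f" ] && printf 'ARTIFACT cmsd spool: %s\n' "$f"
    done
    for p in /tmp/ps_data /usr/sbin/nfds /usr/lib/rel.so.1 /tmp/bob; do
        [ -e "$root$p" ] && printf 'ARTIFACT kit file: %s\n' "$root$p"
    done
    # sniffer binary/output names from neet.tar; generic names, so review hits by hand
    find "${root:-/}" -maxdepth 3 -type f \
        \( -name output -o -name output.hme -o -name update -o -name update.hme \) \
        2>/dev/null | sed 's/^/ARTIFACT sniffer (verify): /'
    for c in "$root"/var/spool/cron/crontabs/root "$root"/var/cron/tabs/root; do
        [ -f "$c" ] && grep -n -E 'eggdrop|nfds|rel\.so\.1' "$c" | sed "s|^|ARTIFACT crontab $c:|"
    done
    return 0
}

# Demo on a constructed tree when run without arguments; otherwise sweep $1.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/var/spool/calendar" "$demo/tmp" "$demo/etc"
    : > "$demo/var/spool/calendar/callog.4711"; : > "$demo/tmp/ps_data"
    echo 'ingreslock stream tcp wait root /bin/sh -i' > "$demo/tmp/bob"
    echo 'ingreslock 1524/tcp' > "$demo/etc/services"
    sweep_artifacts "$demo"
    audit_inetd_conf "$demo/tmp/bob" "$demo/etc/services"
    rm -rf "$demo"
else
    sweep_artifacts "$1"
fi
```

On a live host, also confirm with "netstat -an" whether anything is listening on TCP 1524 (or on whatever port the intruder's chosen service name maps to), and compare /usr/sbin/inetd and ps against your vendor's package checksums, since the neet.tar kit replaces both; a replaced ps will hide the rogue inetd from find_rogue_inetd, which is why the sweep of the filesystem is kept independent of process listings.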
Solutions

If you believe a host has been compromised, we encourage you to disconnect the
host from the network and review our steps for recovering from a root
compromise:

http://www.cert.org/tech_tips/root_compromise.html

In many cases intruders have installed packet sniffers on compromised hosts
and have used scripts to automate collection of the output logs. Usernames
and passwords used in network transactions with a compromised host, or on the
same network segment as a compromised host, may therefore have fallen into
intruder hands and should no longer be considered secure. We encourage you to
address password security issues after any compromised hosts at your site
have been secured.

You should also review the state of security on other hosts on your network.
If usernames and passwords have been compromised, an intruder may be able to
gain unauthorized access to other hosts on your network. Also, an intruder may
be able to use trust relationships between hosts to gain unauthorized access
from a compromised host. Our intruder detection checklist can help you to
evaluate a host's state of security:

http://www.cert.org/tech_tips/intruder_detection_checklist.html

We encourage you to ensure that your hosts are current with security patches
or work-arounds for well-known vulnerabilities. In particular, you may wish to
review the following CERT advisories for suggested solutions:

CA-99-08 - Buffer Overflow Vulnerability in rpc.cmsd
http://www.cert.org/advisories/CA-99-08-cmsd.html

CA-99-05 - Vulnerability in statd exposes vulnerability in automountd
http://www.cert.org/advisories/CA-99-05-statd-automountd.html

CA-98.11 - Vulnerability in ToolTalk RPC Service
http://www.cert.org/advisories/CA-98.11.tooltalk.html

We also encourage you to regularly review security related patches released
by your vendors.

This document is available from:
http://www.cert.org/incident_notes/IN-99-04.html
==============================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
http://www.surfnet.nl/surfnet/security/cert-nl.html
ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100
in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl          ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305             BUSINESS HOURS ONLY
Fax:       +31 302 305 329             BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

EMERGENCIES : 06 52 87 92 82           ALWAYS REACHABLE
EMERGENCIES : +31 6 52 87 92 82        ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONE NUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE
FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN
AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.

==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQCVAwUBN5tbD/E6s6q7Tf4RAQH5HAP/S5Y4IQT6AFJ1wPPM6lBrCedZBwnJO599
ynnizrPoHR9h0dR64zQKg5ztUp3LZXbuEB8ry0ft6TdanUBmChN2tOKnZb2yvKWO
TMWp5/L8ms4bHpU/TgBgdN05jNpcTcN4DyoEcTq2DyU1YXIfM7gpGWfmmUylQs+W
lFJA+KC50N4=
=OO5L
-----END PGP SIGNATURE-----