             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                     Continuing Compromises of DNS Servers

April 28, 2000 16:00 GMT                                          Number K-036
______________________________________________________________________________
PROBLEM:       There are continuing compromises of machines running the
               Domain Name System (DNS) server software that is part of BIND
               ("named"), including compromises of machines that are not
               being used as DNS servers.
PLATFORM:      Systems running various vulnerable versions of BIND (including
               machines where the system administrator does not realize a
               DNS server is running).
DAMAGE:        Allows an intruder to gain root access.
SOLUTION:      Upgrade the vulnerable systems with their associated DNS
               security patches and workarounds.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The exploits have appeared in public forums.
ASSESSMENT:
______________________________________________________________________________

[ Start CERT/CC Advisory ]

CERT(r) Advisory CA-2000-03 Continuing Compromises of DNS servers

   Original release date: April 26, 2000
   Last revised: April 26, 2000
   Source: CERT/CC

Systems Affected

     * Systems running various vulnerable versions of BIND (including on
       machines where the system administrator does not realize a DNS
       server is running)

Overview

   This CERT Advisory addresses continuing compromises of machines running
   the Domain Name System (DNS) server software that is part of BIND
   ("named"), including compromises of machines that are not being used as
   DNS servers.
   The Advisory also reports that a significant number of delegated(*) DNS
   servers in the in-addr.arpa tree are running outdated versions of DNS
   software, and urges system and network administrators to ensure that they
   are up-to-date with DNS security patches and workarounds.
   ______________________________________________________________________

   The CERT Coordination Center has received reports of continuing activity
   indicating that intruders are targeting machines running vulnerable
   versions of "named". We continue to receive regular, daily reports that
   sites running unpatched, vulnerable versions of "named" have been
   compromised.

   CERT Advisory CA-99-14 "Multiple Vulnerabilities in BIND" describes the
   BIND NXT record privileged compromise vulnerability that is being
   exploited. We encourage you to review this advisory and to apply the
   appropriate patches if you have not done so already. The advisory is
   available at

      http://www.cert.org/advisories/CA-99-14-bind.html

   Some sites with compromised systems have found one of the following empty
   directories on systems where the NXT record vulnerability was
   successfully exploited:

      /var/named/ADMROCKS
      /var/named/O

   Other artifacts that are commonly found include

     * inetd started with an intruder-supplied configuration file in /tmp
       that provides a backdoor into the system
     * modified /etc/inittab and/or system startup files to load intruder
       processes at boot time
     * Trojan horse versions of sshd and /bin/login designed to provide a
       backdoor into a compromised system
     * complete rootkits that include Trojan horse replacements for system
       binaries, sniffers, denial-of-service tools, vulnerability scanners,
       exploits, etc.
     * newer versions of BIND

   Compromised systems are commonly used to search for and attack other
   potentially vulnerable systems.

   In many of the reports of DNS server compromises, the compromised
   machines running DNS server software were not being used as DNS servers.
   The DNS server software was running because it was installed by default
   (unknowingly in many cases) when the machines were configured. This
   software was not up to date with security patches and workarounds; and
   since the system administrators were not planning to have the machines
   operate as DNS servers, they did not ensure the software was up to date
   or simply disable the DNS server software on the machine. We encourage
   system and network administrators to disable DNS server software, and
   other services, on machines where the services are not needed.

   We have also received information from Bill Manning of the USC/ISI
   concerning DNS servers running vulnerable versions of domain name server
   software. Since 1997, Bill Manning has swept the inverse tree
   (in-addr.arpa) on a quarterly basis to verify the accuracy of delegations
   within that hierarchy. Using the first quarter survey results, he
   compiled a list of what version of DNS server software the servers were
   running. Of the responding DNS servers that are delegated(*) DNS servers
   for the in-addr.arpa zone, more than 50% were running older, vulnerable
   versions of BIND (any vulnerabilities, not just the NXT vulnerability).
   This is significant because the compromise of DNS servers that are
   delegated DNS servers can affect the security of other organizations in
   addition to the organization operating the DNS server. A copy of the
   survey results is available at

      http://www.isi.edu/~bmanning/in-addr-audit.html

   Based on the number of older versions being run, and the rate of
   compromises, we believe the number of DNS servers running older,
   vulnerable versions of BIND has not significantly decreased since the
   survey was published. We encourage DNS server operators to ensure that
   their DNS server software is up to date with the most recent versions
   and that all security patches and workarounds have been applied.
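   The checks above lend themselves to a small host audit. The following
   script is an added example, not part of the CIAC bulletin or the CERT
   advisory: it reports whether named is running on a host that may not be
   meant to serve DNS, asks the local server which version it claims to be,
   looks for the two empty directories listed as intrusion artifacts
   (optionally under the mount point of a disk image), and flags an inetd
   started with a configuration file under /tmp. It assumes a POSIX sh with
   pgrep, ps and dig; the directory names come from the advisory, the
   function names are my own.

```sh
#!/bin/sh
# Added example, not code from the CIAC/CERT bulletin: audits a host for the
# conditions CA-2000-03 describes. Assumes POSIX sh plus pgrep, ps and dig.

# Empty directories the advisory lists as left behind by NXT-exploit intrusions.
ARTIFACT_DIRS="/var/named/ADMROCKS /var/named/O"

# check_artifacts ROOT: return 0 when none of the artifact directories exist
# under ROOT, 1 (printing each hit) otherwise. ROOT="" audits the live system;
# the mount point of a disk image lets you audit a suspect host offline.
check_artifacts() {
    found=0
    for d in $ARTIFACT_DIRS; do
        if [ -d "$1$d" ]; then
            echo "WARNING: $1$d exists (indicator listed in CA-2000-03)"
            found=1
        fi
    done
    return $found
}

# inetd_cmdline_suspicious ARGS: return 0 when an inetd command line refers to
# a file under /tmp (an intruder-supplied configuration file, per the advisory).
inetd_cmdline_suspicious() {
    case "$1" in
        *inetd*/tmp/*) return 0 ;;
    esac
    return 1
}

# audit_host: run the live checks. A named that nobody intended to run is the
# situation the advisory singles out; report it and the version it claims.
audit_host() {
    if pgrep -x named >/dev/null 2>&1; then
        echo "named is running: disable it if this host is not meant to serve DNS"
        ver=$(dig @127.0.0.1 version.bind txt chaos +short 2>/dev/null)
        echo "BIND reports version ${ver:-unknown}; check it against the CA-99-14 fixes"
    else
        echo "named is not running"
    fi
    check_artifacts "" || echo "host shows intrusion artifacts: treat it as compromised"
    ps -eo args 2>/dev/null | while IFS= read -r cmd; do
        if inetd_cmdline_suspicious "$cmd"; then
            echo "WARNING: inetd started with a configuration under /tmp: $cmd"
        fi
    done
}

# Run the live audit only when asked explicitly: sh audit.sh --audit
if [ "${1-}" = "--audit" ]; then audit_host; fi
```

   A clean host prints "named is not running" and nothing else; any WARNING
   line is a reason to take the machine off the network and investigate.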
   (*) delegated DNS server: a delegated DNS server is a DNS server that is
   assigned responsibility for responding to requests for a portion of the
   DNS hierarchy. For more information on delegation, see the section on
   delegation in DNS and BIND, third edition, by Paul Albitz and Cricket
   Liu, O'Reilly and Associates, 1998.

   Advisory Author: Jeffrey J. Carpenter
   _________________________________________________________________

   The CERT Coordination Center thanks Bill Manning, USC/ISI, for providing
   information used in this CERT Advisory.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2000-03.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
   University makes no warranties of any kind, either expressed or implied
   as to any matter including, but not limited to, warranty of fitness for
   a particular purpose or merchantability, exclusivity or results obtained
   from use of the material. Carnegie Mellon University does not make any
   warranty of any kind with respect to freedom from patent, trademark, or
   copyright infringement.

   Copyright 2000 Carnegie Mellon University.

[ End CERT/CC Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT/CC for the information
contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one
of the following methods to contact CIAC:

    1.  Call the CIAC voice number 925-422-8193 and leave a message, or
    2.  Call 888-449-8369 to send a Sky Page to the CIAC duty person or
    3.  Send e-mail to 4498369@skytel.com, or
    4.  Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-026: Microsoft SQL Server Admin Login Encryption Vulnerability
K-027: Microsoft SQL Server and MSDE Malicious Query Vulnerability
K-028: FreeBSD Port Exploits for mh/nmh, Lynx, and mtr
K-029: Microsoft "Registry Permissions" Vulnerability
K-030: SGI - Vulnerability in the objectserver daemon
K-031: Mobile Malicious Code
K-032: DDoS Mediation Action List
K-033: Microsoft "Myriad Escaped Characters" Vulnerability
K-034: Cisco Catalyst Enable Password Bypass Vulnerability
K-035: Backdoor Password in Red Hat Linux Virtual Server Package