Recent reports from sites indicate that attackers are searching the Internet for hosts with vulnerable rpc.statd and wu-ftpd services. In many cases, scans are followed by attempts to exploit both rpc.statd and wu-ftpd vulnerabilities. The large address blocks being scanned and the level of scanning activity indicate that the scans are probably being performed by automated tools and scripts. By successfully exploiting these flaws, the perpetrator can execute arbitrary instructions on the host with the privileges of the exploited process -- typically root privileges. (See CERT Incident Note 2000-10: http://www.cert.org/incident_notes/IN-2000-10.html)
The statd vulnerability being exploited is unique to Linux systems, and does not affect other operating platforms that use statd. CERT has noted that most of the compromised Linux systems are running various versions of Red Hat Linux, although Red Hat is not the only vulnerable Linux distribution.
Further similarities in this activity are found in the tools being installed on compromised hosts. In many cases, 'rootkit' and distributed denial of service tools have been found. This activity indicates a growing attack network that may allow attackers an increasing degree of anonymity and control.
For more information on the rpc.statd and wu-ftpd vulnerabilities, refer to the following CERT Advisories:
AXENT's security products offer several different solutions to assess and protect against the rpc.statd and wu-ftpd vulnerabilities. Each product offers a different and effective approach to network security.
NetProwler (a network-based intrusion detection system) notifies administrators of DDoS activity, and of attempts to exploit vulnerabilities in wu-ftpd. A signature capable of detecting attempts to exploit vulnerabilities in rpc.statd for Linux is currently in development and will be available soon.
NetRecon (a network-based vulnerability assessment system) allows administrators to assess which systems are vulnerable to wu-ftpd's "SITE EXEC" vulnerability, allowing them to take preemptive measures to protect their network. NetRecon can also detect the presence of a variety of DDoS tools.
Intruder Alert (a host-based intrusion detection system) detects unauthorized and malicious host activity, keeping systems, applications and data secure from misuse and abuse. Intruder Alert can discover and report changes to the files commonly replaced by rootkit, and can detect many specific attacks. AXENT plans to release an Intruder Alert agent for Linux in the fourth quarter of 2000.
Enterprise Security Manager, or ESM (a host-based vulnerability assessment system), has security policies that can be configured to monitor files and directories for changes in permissions, ownership, CRC/checksum, etc. ESM can discover and report any changes to the files commonly replaced by rootkit. AXENT plans to release an ESM agent for Linux in the fourth quarter of 2000.
Rootkit is a collection of trojan horses that replace system binaries in an attempt to allow attackers to retain access to systems while hiding their activity. Often, the script used to install rootkit will remove evidence of the compromise and rootkit installation to further cloak the intrusion. There are many different versions of rootkit, including multiple variations using the name 'tornkit' or 't0rnkit'.
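As an added illustration of the file monitoring described above (not ESM's or Intruder Alert's own code), here is a small shell baseline that records permissions, ownership and an MD5 checksum for a list of files and later reports any whose record changed, which is how a binary swapped in by rootkit shows up. The file list and the temporary directory used in the demo are constructed for the example; it assumes GNU coreutils (stat -c, md5sum) on Linux.

```shell
#!/bin/sh
# Added example, not AXENT's ESM or Intruder Alert code: a minimal file
# integrity baseline of the kind those products automate. Each file is recorded
# as "path mode owner group md5" and a later check reports any record that
# changed, which is how a binary swapped in by a rootkit shows up. GNU coreutils.

# record_file FILE: print the file's current baseline record on one line.
record_file() {
    [ -e "$1" ] || { echo "$1 MISSING - - -"; return 0; }
    printf '%s %s %s\n' "$1" "$(stat -c '%a %U %G' "$1")" \
        "$(md5sum < "$1" | cut -d' ' -f1)"
}

# make_baseline LISTFILE OUTFILE: record every path listed in LISTFILE.
make_baseline() {
    while read -r path; do
        record_file "$path"
    done < "$1" > "$2"
}

# check_baseline LISTFILE BASELINE: print each changed path with its old and
# new record; return 1 if anything differs, 0 otherwise.
check_baseline() {
    changed=0
    while read -r path; do
        old=$(awk -v p="$path" '$1 == p' "$2")
        new=$(record_file "$path")
        if [ "$old" != "$new" ]; then
            echo "CHANGED: $path"
            echo "  was: $old"
            echo "  now: $new"
            changed=1
        fi
    done < "$1"
    return $changed
}

# demo: baseline a throwaway temp dir (constructed stand-in for /bin), then
# replace one file the way a rootkit would: same mode and owner, new contents.
demo() {
    d=$(mktemp -d)
    printf 'original ls\n' > "$d/ls"; chmod 755 "$d/ls"
    printf 'original ps\n' > "$d/ps"; chmod 755 "$d/ps"
    printf '%s\n' "$d/ls" "$d/ps" > "$d/list"
    make_baseline "$d/list" "$d/baseline"
    printf 'trojaned ps\n' > "$d/ps"
    if check_baseline "$d/list" "$d/baseline"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

if demo; then echo "baseline intact"; else echo "baseline mismatch"; fi
```

Keep the baseline file somewhere the host cannot alter it (read-only media or another machine); a rootkit that has already replaced md5sum or stat can lie to a check run on the compromised host itself.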
DDoS tools employ a manager/agent architecture to allow an attacker to perform attacks from a large number of coordinated systems. Agents are generally installed by intruders on hosts they have successfully compromised. DDoS attacks can be extremely effective, and are difficult to trace.
For more information on DDoS, see:
Rootkit compromises the services and information of a host, but intruders also use compromised hosts to scan and compromise other systems. By redirecting through multiple compromised hosts, intruders leave a less identifiable trail to themselves when performing illegal activity. A compromised host may also provide access to systems that are otherwise unreachable to the intruder.
The widespread scanning and exploiting of the rpc.statd and wu-ftpd vulnerabilities, coupled with the installation of rootkit and DDoS tools on compromised hosts from those scans, is indicative of intruders laying the groundwork for future attacks. The CERT Coordination Center identified 560 hosts from 220 different sites as running TFN2K (a DDoS tool). The hosts they were able to identify were compromised via either the rpc.statd or wu-ftpd vulnerabilities.
Input validation problems in wu-ftpd allow unauthorized access
- Use NetRecon to assess which network systems are vulnerable.
- Use NetProwler to detect attempts to exploit network vulnerabilities.
- Contact your vendor for upgrade and/or patch information for ftpd packages.
- If an upgrade or patch is not available, disable all vulnerable wu-ftpd and proftpd servers.
- Refer to Appendix A of CERT advisory CA-2000-13 for further vendor information.
Input validation problems in rpc.statd allow unauthorized access
- A NetProwler signature that will detect attempts to exploit rpc.statd will be released soon.
- An Intruder Alert Linux agent capable of detecting attempts to exploit rpc.statd will be released on or before December 1st, 2000.
- Contact your vendor for upgrade and/or patch information for rpc.statd.
- If an upgrade or patch is not available, disable the rpc.statd service.
- Block port 111 (RPC portmapper) at your firewall as well as the port on which rpc.statd is running.
- Refer to Appendix A of http://www.cert.org/advisories/CA-2000-17.html for further vendor information.
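Added example, not from the advisory: a shell script that turns the firewall step above into concrete rules. rpc.statd does not listen on a fixed port but is assigned one by the portmapper, so the script looks it up from `rpcinfo -p` output; it assumes iptables syntax (a 2.4-series kernel) and the RPC program number 100024 for statd, and the rpcinfo listing it runs on is constructed sample output.

```shell
#!/bin/sh
# Added example, not part of the AXENT/CERT text: derive firewall rules that
# block the RPC portmapper (port 111) and the port rpc.statd is bound to.
# rpc.statd (RPC program number 100024) receives a dynamic port from the
# portmapper, so it must be looked up with `rpcinfo -p` before it can be
# filtered. Assumes iptables(8) on a 2.4-series kernel (adjust for ipchains).

STATD_PROG=100024

# statd_ports: given `rpcinfo -p` output on stdin, print the distinct
# "proto port" pairs on which rpc.statd (program 100024) is registered.
statd_ports() {
    awk -v prog="$STATD_PROG" '$1 == prog { print $3, $4 }' | sort -u
}

# firewall_rules: given `rpcinfo -p` output on stdin, emit iptables commands
# that drop inbound portmapper traffic on tcp/udp 111 plus each statd port.
firewall_rules() {
    echo "iptables -A INPUT -p tcp --dport 111 -j DROP"
    echo "iptables -A INPUT -p udp --dport 111 -j DROP"
    statd_ports | while read -r proto port; do
        echo "iptables -A INPUT -p $proto --dport $port -j DROP"
    done
}

# Constructed sample of `rpcinfo -p` output from a Linux host running the
# portmapper and rpc.statd; the statd port numbers are illustrative.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    851  status
    100024    1   tcp    853  status'

# Offline demonstration over the sample. On a live host the equivalent is:
#   rpcinfo -p | firewall_rules | sh
printf '%s\n' "$SAMPLE_RPCINFO" | firewall_rules
```

rpc.statd is given a fresh port each time it starts, so the lookup has to be repeated after every reboot or restart of the service; the rules are a stopgap until the service is patched or disabled.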
Last modified on: Friday, 13-Apr-2001 06:17:51 PDT