Vulnerabilities we have commonly seen exploited as a part of these attacks include:
Of the two vulnerabilities discussed in CA-2000-13, the "Site exec" vulnerability is the one we are seeing exploited as a part of this activity.
A large majority of the compromised hosts involved in this activity have been running various versions of Red Hat Linux. Insecure default configurations in some versions, especially with respect to the vulnerable rpc.statd service often being enabled during automated installation and upgrade processes, have contributed to the widespread success of these attacks.
Intruders searching for vulnerable machines are performing widespread scanning for vulnerable systems across large blocks of address space. The scans target the following services:
In many cases, sites report receiving exploit attempts against both rpc.statd and wu-ftpd immediately after receiving probes. There is evidence to suggest intruders may be developing worm-like attack tools based on exploitations of rpc.statd and wu-ftpd.
Once hosts are compromised, there are several common patterns in the tools being installed by intruders.
Since May of 2000, we have observed more than six different versions of a rootkit being called 't0rnkit', or 'tornkit'. Rootkits are not a new idea and have been employed by intruders for several years. The important thing here is to be aware of the widespread nature of this particular activity and to insure compromised hosts are recovered using appropriate procedures and techniques. Various versions of 't0rnkit' include an installation script which attempts many of the following things
Most versions also include a trojan horse version of tcp_wrappers in RPM format named 'tcpd.rpm'. There is strong evidence that 't0rnkit' is undergoing active development at the time of this writing, so the exact composition of the rootkit may vary from this description over time.
Distributed Denial of Service Tools
In addition to the installation of rootkits, we have observed a significant increase in the installation of distributed denial of service (DDoS) tools on hosts compromised through these two vulnerabilities. In one incident, we recorded over 560 hosts at 220 Internet sites around the world as being a part of a Tribe Flood Network 2000 (TFN2K) DDoS network. The hosts we were able to identify were compromised via either the rpc.statd or wu-ftpd vulnerabilities. We have commonly seen the following DDoS tools installed by intruders.
IN-99-07, Distributed Denial of Service Tools
CA-99-17, Denial-of-Service Tools
CA-2000-01 Denial-of-Service Developments
For more information about distributed denial of service attacks, please see
The combination of widespread, automated exploitation of two common vulnerabilities and an associated increase in distributed denial of service tool installation poses a significant threat to Internet sites and the Internet infrastructure.
The CERT/CC encourages all Internet sites to review the rpc.statd advisory (CA-2000-17) and the wu-ftpd advisory (CA-2000-13) and insure workarounds or patches have been applied on all affected hosts on your network.
If you believe your host has been compromised, please follow the steps outlined in
Author: Kevin Houle