Vulnerability Exploits
Impact
A possible backdoor resulting from a successful attack
was detected.
Background
When vulnerabilities in network services are discovered,
programs which exploit the vulnerabilities are often written and
posted to mailing lists, IRC channels, and web sites. Some
of these exploit programs create backdoors on the vulnerable
server which allow the attacker, or anyone else who detects
the backdoor, to connect and gain immediate privileged access.
The Problems
ingreslock:
The ingreslock port (1524/TCP) is often
used as a backdoor by programs which exploit vulnerable
RPC (Remote Procedure Call) services. The backdoor is
usually accompanied by a file called /tmp/bob, an
alternate inetd configuration file; the exploit starts a
second inetd process from that file to open a shell on
the port.
9704/TCP:
This port is opened by a common program which exploits
an input validation problem in rpc.statd on Linux.
The exploit modifies /etc/inetd.conf, adding an entry
that runs a shell on the port.
77/TCP:
This port is opened by a program which exploits a vulnerability in
rpc.yppasswdd on Solaris. It uses a file called z as an
alternate configuration file for inetd.
Resolution
The backdoor can be removed by restoring /etc/inetd.conf
(or deleting the added entry), removing any unauthorized
configuration files such as /tmp/bob or z, and restarting
the inetd process. Only one inetd process should be
running; restarting the legitimate inetd does nothing to
a second inetd started from a dropped configuration file,
so list the running processes (ps -ef) and kill any
extra inetd. Afterwards confirm with netstat -an that
nothing is listening on 1524, 9704 or 77/TCP.
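As an added example, not part of the original page, the following POSIX shell script checks a host for the indicators described under The Problems and performs the verification steps of the Resolution: inetd entries whose server program is a shell (the pattern all three backdoors share), entries bound to the three ports named above, the dropped configuration files, and the number of running inetd processes. It assumes a System V style inetd.conf field layout and a ps that accepts -ef and prints the command in the eighth column; the sample inetd.conf, bob file and ps listing it writes are constructed for the demonstration, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original page): check a host for the inetd-based
# backdoors described above. Assumptions: a System V style inetd.conf with the
# field layout "service socktype proto wait user server args...", and a ps that
# accepts -ef and prints the command in the eighth column. The files written by
# make_sample are constructed for this example, not real data.

# Print every inetd.conf entry whose server program is a shell, the pattern
# all three backdoors share (e.g. "9704 stream tcp nowait root /bin/sh sh -i").
find_shell_services() {
    awk '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        { s = $6; sub(/.*\//, "", s)            # basename of the server program
          if (s == "sh" || s == "bash" || s == "ksh" || s == "csh") print }
    ' "$1"
}

# Print entries bound to the service names/ports the page associates with
# backdoors, whether given by name (ingreslock) or by raw port number.
find_known_backdoor_ports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "ingreslock" || $1 == "1524" || $1 == "9704" || $1 == "77" { print }
    ' "$1"
}

# Report the alternate inetd configuration files named on the page if they
# exist under the given directory (/tmp on a live system).
find_dropped_configs() {
    for f in "$1/bob" "$1/z"; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Count inetd processes in a "ps -ef" style listing. More than one is a red
# flag: the backdoor is typically a second inetd started on a dropped config.
count_inetd() {
    awk '{ c = $8; sub(/.*\//, "", c); if (c == "inetd") n++ } END { print n + 0 }' "$1"
}

# Write a constructed sample tree: a modified inetd.conf (9704 backdoor),
# a dropped bob file (ingreslock backdoor) and a ps listing with two inetds.
make_sample() {
    cat > "$1/inetd.conf" <<'EOF'
# sample inetd.conf, constructed for this example
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd -l
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
9704    stream  tcp  nowait  root  /bin/sh               sh -i
EOF
    cat > "$1/bob" <<'EOF'
ingreslock stream tcp nowait root /bin/sh sh -i
EOF
    cat > "$1/ps.txt" <<'EOF'
UID   PID  PPID  C STIME TTY  TIME     CMD
root  201    1  0 10:00 ?    00:00:00 /usr/sbin/inetd
root  977    1  0 10:42 ?    00:00:00 /usr/sbin/inetd -s /tmp/bob
EOF
}

# Demonstration on the constructed sample. On a live host the same functions
# would be run as:
#   find_shell_services /etc/inetd.conf; find_dropped_configs /tmp
#   ps -ef > /tmp/ps.$$; count_inetd /tmp/ps.$$
sample=$(mktemp -d)
make_sample "$sample"
echo "== shell-spawning entries in inetd.conf"; find_shell_services "$sample/inetd.conf"
echo "== entries on known backdoor ports";      find_known_backdoor_ports "$sample/inetd.conf"
echo "== dropped inetd configs";                find_dropped_configs "$sample"
for f in $(find_dropped_configs "$sample"); do
    echo "== shell-spawning entries in $f";     find_shell_services "$f"
done
echo "== inetd processes: $(count_inetd "$sample/ps.txt") (expect 1)"
rm -rf "$sample"
```

Any entry printed by find_shell_services should be removed from /etc/inetd.conf (or the whole dropped file deleted), and any count above one from count_inetd means a second inetd is still serving the backdoor and must be killed before inetd is restarted.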
Although the backdoor can be easily removed, this does not
solve the problem at its root. If the vulnerability which
was exploited is not corrected, there is nothing to stop
the attacker from running the exploit again. The system
should be taken offline and scanned for vulnerabilities. All problems
should be fixed before the system is put back online.
Also note that not all vulnerability exploits create backdoors
such as the ones described above. Sometimes there is no way
to tell if a vulnerability has been exploited other than
intrusion detection logs. Good security practices should always
be followed, and systems should be scanned for vulnerabilities
periodically.
Where can I read more about this?
The exploit for the rpc.statd vulnerability
is discussed in CERT Advisory CA-2000-17.