Archive of CERT general posting, CERT Summary CS-97.02

18/03/97, CERT Summary CS-97.02
From: CERT Advisory <>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: CERT Summary CS-97.02
From: CERT Advisory <>
Date: Tue, 18 Mar 1997 09:52:26 -0500
Organization: CERT(sm) Coordination Center - +1 412-268-7090


- ---------------------------------------------------------------------------
CERT(sm) Summary CS-97.02 - SPECIAL EDITION
March 18, 1997

This special edition of the CERT Summary highlights widespread, large-scale
attacks that are occurring against news servers.

Past CERT Summaries are available from
- ---------------------------------------------------------------------------

Current activity - attacks on news servers
- ------------------------------------------

The CERT Coordination Center and incident response teams around the world have
received numerous reports concerning widespread, large-scale attacks on NNTP
(Network News Transport Protocol) servers throughout the world. NNTP servers
are commonly referred to as USENET news servers.

The activity involves an attempt to exploit a vulnerability in versions of
INN (InterNetNews) prior to 1.5.1. We have received reports that version 1.5.1
was thought to be vulnerable; however, as far as we are able to determine, it
is not.

INN is a commonly used software program for serving and managing news
according to the NNTP protocol. This vulnerability allows remote users to
execute arbitrary commands on the news server with the same privileges as 
the user-id that manages the news server. As of 8:00 am EST (GMT -5),
March 18, 1997, it appears that the most common activity is to attempt to mail
the password file and configuration files to a remote site.

Because of the nature of USENET news, messages are passed automatically from
one site to another. The exploitation involves a particular kind of message,
known as a control message. Intruders can construct and post control messages
in such a way as to exploit the vulnerability. Because of this, your site may
have been compromised even if it was not specifically selected by an intruder.

Information about the vulnerability, along with information about patches and
workarounds, is available from

If we receive further information, we will update this advisory.

We encourage sites that are running INN 1.5 or earlier to upgrade to
INN 1.5.1 as soon as possible.

James Brister, the current maintainer of INN, has provided additional
information regarding the update to INN 1.5.1; this information has been added
to the advisory. James has provided the following patches for INN version 1.5,
1.4sec, 1.4unoff3, and 1.4unoff4:    1.5    1.4sec    1.4unoff3, 1.4unoff4

The directory includes MD5 checksums for each patch.

Information regarding INN patches may be found at

System administrators who did not update to INN 1.5.1 before Friday,
March 14, 1997, should take the following steps:

      * Examine your news logs for signs of exploitation. So far, we
        have reports of at least six distinct message IDs being used:


        Although these messages appear to come from UUNET, the messages
        were forged.

        If these message IDs appear in your logs, it is highly likely that
        these control messages reached your news server. Moreover, it is
        almost certain that additional messages will be (or already have been)
        crafted by intruders, so checking for those message IDs is not enough.

      * If you discover that your password file has been mailed to an intruder
        and you are not using a shadow password mechanism (or another password
        mechanism such as Kerberos), you should consider changing all the
        passwords on your systems.

        We encourage you to examine the following documents for further
        security information:

            This document will help you methodically check your systems
            for signs of compromise, and offers pointers to other resources
            and suggestions on how to proceed in the event of a compromise.

            This document outlines steps you can take to help recover from
            a root compromise and to secure your systems from further

            This document will help you avoid common problems that can lead
            to compromises on UNIX systems, and provides a general framework
            for configuring UNIX systems.

            This document provides a list of tools that can help you
            to monitor your systems for signs of compromise and to
            monitor activity on your systems and networks.

            This document describes ways in which you can protect your
            password file from unauthorized access.

      * Examine your news server for unauthorized processes running as the
        news user. Several of the malicious NNTP control messages include a
        script that attempts to establish an outgoing telnet session to another
        location. Typically, sites with firewalls permit outbound telnet

      * We have several reports of sites that have attempted to check their
        own exposure to this vulnerability and have inadvertently released
        control messages to the Internet that exploit this vulnerability. We
        strongly discourage sites from using control messages as a way to
        measure exposure to this vulnerability. To determine if your NNTP
        server is vulnerable, we recommend that you follow the steps outlined
        in Section I of advisory CA-97.08. If you have accidentally released
        such a message, we encourage you to notify any vulnerable sites that
        you discover through feedback from your test message. Please include in the CC line of the messages you exchange.

      * If you discover that you have been compromised as a result of this
        vulnerability and you have a representative in FIRST, we encourage you
        to contact them directly. To locate your representative in the FIRST
        community, please see


      * If you do not have a representative in FIRST, we encourage you to
        report to the CERT Coordination  Center. In order to help us assess
        the 'big picture,' please include the following information:

                - Your name and contact information
                - The domain name of your news server
                - The NNTP server software you run, including version number
                - A copy of the control message(s) if you have it
                - Any additional pertinent information

        In accordance with our policies, we will not release information about
        your site without your explicit permission.

        Due to the large volume of mail we are receiving regarding this
        activity, we may not be able to follow up all reports
        individually. Nonetheless, your report will help us to understand the
        activity better and to provide more accurate information to the
        Internet community at large.

We would like to express our thanks to James Brister for his assistance in
preparing this summary.

- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center


Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more

Location of CERT PGP key

- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

Version: 2.6.2


Previous message sorted by date: CERT Summary CS-97.01
Next message sorted by date: CERT Summary CS-97.03
Previous message sorted by thread: CERT Summary CS-97.01
Next message by thread: CERT Summary CS-97.03
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Feb 2000