CERT(R) Summary CS-2000-04

   November 20, 2000
   Each quarter, the CERT(R) Coordination Center (CERT/CC) issues the CERT
   Summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.
   Past CERT summaries are available from:
     CERT Summaries
Recent Activity

   Since the last regularly scheduled CERT summary, issued in August
   (CS-2000-03), we have seen continued compromises via rpc.statd and
   FTPd. We have also seen a number of sites compromised by exploiting a
   vulnerability in the IRIX telnet daemon. Notable virus activity
   includes the VBS/Loveletter.AS worm and the QAZ worm.
   For more current information on activity being reported to the
   CERT/CC, please visit the CERT/CC Current Activity page. The Current
   Activity page is a regularly updated summary of the most frequent,
   high-impact types of security incidents and vulnerabilities being
   reported to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.
     CERT/CC Current Activity
    1. Compromises Via an Input Validation Vulnerability in rpc.statd
       Over the past several months we have received multiple daily
       reports of sites being root compromised via a vulnerability in
       rpc.statd. We have also received a number of reports indicating
       that intruders are performing widespread scanning for this
       vulnerability and using toolkits to automate the compromise of
       vulnerable machines. Sites, especially those running Linux, are
       encouraged to review the documents below.
         CERT Advisory CA-2000-17, 
         Input Validation Problem in rpc.statd
         CERT Incident Note IN-2000-10, 
         Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
    2. Compromises Via the 'SITE EXEC' Vulnerability in FTPd
       The CERT/CC continues to receive regular reports of intruders
       probing large network blocks for vulnerable FTP servers, and
       compromising machines found to be vulnerable to the 'SITE EXEC'
       vulnerability exploit. Sites are strongly encouraged to follow the
       advice contained in CA-2000-13 and IN-2000-10 to protect systems
       running FTP servers.
         CERT Advisory CA-2000-13, 
         Two Input Validation Problems In FTPD
         CERT Incident Note IN-2000-10, 
         Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
    3. Compromises Via a Vulnerability in the IRIX Telnet Daemon
       We have received reports of intruder activity involving the telnet
       daemon on SGI machines running the IRIX operating system.
       Intruders are actively exploiting a vulnerability in telnetd that
       is resulting in a remote root compromise of victim machines. Sites
       running IRIX are encouraged to review IN-2000-09.
         CERT Incident Note IN-2000-09, 
         Systems Compromised Through a Vulnerability in the IRIX telnet daemon
    4. VBS/Loveletter.AS Worm
       The CERT/CC has been receiving reports from users infected by the
       VBS/Loveletter.AS worm for several weeks. VBS/LoveLetter.AS is
       known to spread in email messages with the following subject line
       and attachment name:
         Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
         Attachment: (random_name.ext).vbs
       Copies of the virus that have been reported to us contain the
       following comment:
         rem  "Plan Colombia" virus v1.0
       When the worm is executed, it makes several registry
       modifications, attempts to download additional files, and replaces
       files of certain types similar to the behavior of the
       VBS/Loveletter.A virus. For information on how to prevent or
       recover from a Loveletter infection, please see CA-2000-04.
         CERT Advisory CA-2000-04, 
         Love Letter Worm
       Additional information about this virus can be found by visiting
       the sites listed on our Computer Virus Resources page.
         Computer Virus Resources
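One way to turn the indicators listed above into a mail-gateway check, added here as an example rather than anything from the CERT summary. The subject line and script comment are the ones quoted above; the message it parses is constructed, and the filename and sender are placeholders.

```python
"""Added example (not CERT's code): flag mail that matches the
VBS/Loveletter.AS indicators in the summary: the fixed Subject line, a
.vbs attachment (often disguised as name.ext.vbs) and the 'Plan Colombia'
comment in the script. The sample message is constructed."""
import email
from email import policy

LOVELETTER_AS_SUBJECT = (
    "US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=")
LOVELETTER_AS_MARKER = b'rem  "Plan Colombia" virus v1.0'

def vbs_attachments(msg):
    """Yield (filename, payload bytes) for parts whose last extension is .vbs."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".vbs"):
            yield name, part.get_payload(decode=True) or b""

def classify(raw):
    """'loveletter-as' if subject or script comment matches the known worm,
    'suspicious-vbs' for any other .vbs attachment, else 'clean'."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = list(vbs_attachments(msg))
    if not hits:
        return "clean", []
    names = [n for n, _ in hits]
    subject = str(msg["subject"] or "").strip()
    if subject == LOVELETTER_AS_SUBJECT or any(
            LOVELETTER_AS_MARKER in body for _, body in hits):
        return "loveletter-as", names
    return "suspicious-vbs", names

# Constructed sample shaped like the pattern the summary describes.
SAMPLE = """\
From: sender@example.invalid
Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="notes.txt.vbs"
Content-Disposition: attachment; filename="notes.txt.vbs"

rem constructed placeholder, not worm code
--b1--
"""

if __name__ == "__main__":
    print(classify(SAMPLE))  # ('loveletter-as', ['notes.txt.vbs'])
```

Because the check keys on the final extension, a disguised name such as report.txt.vbs is still caught; a mail with a .vbs attachment but neither the subject nor the comment is reported separately so it can be quarantined rather than ignored.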
    5. QAZ Worm
       For several weeks, the CERT/CC saw an increase in the number of
       NETBIOS Session (139/tcp) probes and a corresponding increase in
       reports of QAZ infected machines. The QAZ worm scans networks for
       unprotected Windows Networking Shares similar to the behavior of
       the network.vbs worm discussed in IN-2000-02. When launched, the
       QAZ worm replaces the Notepad.exe file and modifies the registry
       to ensure that it is run when Windows restarts. This trojan also
       allows an intruder to upload files to the system, or execute any
       file on the system. Sites are encouraged to follow the advice in
       IN-2000-02 to secure Windows Networking Shares, and update
       anti-virus software definitions to prevent infection.
         CERT Incident Note IN-2000-02,
         Exploitation of Unprotected Windows Networking Shares
       Additional information about this virus can be found by visiting
       the sites listed on our Computer Virus Resources page.
         Computer Virus Resources
    6. Multiple Denial of Service Problems in ISC BIND
       The CERT/CC has recently learned of two serious denial of service
       vulnerabilities in the Internet Software Consortium's (ISC) BIND
       software. The first vulnerability is referred to by the ISC as the
       "zxfr bug" and the second is the "srv bug." We have not yet
       received reports of these vulnerabilities being exploited, but we
       believe the potential is there. Sites are encouraged to follow the
       advice in CA-2000-20 to protect systems running BIND.
         CERT Advisory CA-2000-20,
         Multiple Denial of Service Problems in ISC BIND
New CERT PGP key

   The CERT/CC PGP key for 2000-2001 is now operational. The new key is
   an RSA key; it is constructed so as to provide maximum
   interoperability with as many versions of PGP as possible as well as
   with GPG. Information about the new PGP Key can be found at:
     Sending Sensitive Information to the CERT/CC
New Vulnerability Disclosure Policy

   On October 9, 2000, the CERT Coordination Center began following a new
   policy regarding the disclosure of vulnerability information.
   Information about the new policy can be found at:
     The CERT Coordination Center Vulnerability Disclosure Policy
What's New and Updated

   Since the last CERT summary, we have published new and updated
     * Advisories
     * Incident notes
     * CERT/CC statistics
     * Security improvement modules
     * Infosec Outlook newsletter
     * Frequently Asked Questions
   Descriptions of these documents and links to them can be found on our
   "What's New" page:
     What's New
   This document is available from:
CERT/CC Contact Information

   Email: [address obscured by the archive]
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
     CERT Coordination Center
     Software Engineering Institute
     Carnegie Mellon University
     Pittsburgh PA 15213-3890
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   If you prefer to use DES, please call the CERT hotline for more
Getting security information

   CERT publications and other security information are available from
   our web site
   To be added to our mailing list for advisories and bulletins, send
   email to [address obscured by the archive] and include SUBSCRIBE
   your-email-address in the subject of your message.
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   Conditions for use, disclaimers, and sponsorship information
   Copyright 2000 Carnegie Mellon University.
