Copyright 2022 - CSIM - Asian Institute of Technology



---------------------------------------------------------------------------
CERT* Summary CS-98.03
March 10, 1998

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from

Past CERT Summaries are available from
---------------------------------------------------------------------------

Recent Activity
---------------
Since the last regularly scheduled CERT Summary issued in December 1997
(CS-97.06), we have seen these continuing trends in incidents reported to us.

1. Root Compromises and Network Sniffers

   We continue to receive daily reports of UNIX systems that have suffered a
   root compromise. Many of these compromises can be traced to systems that
   are unpatched or misconfigured, on which the intruders exploit well-known
   vulnerabilities for which CERT advisories have been published. On many
   root-compromised systems, the intruders also install packet sniffers to
   collect account names and passwords on other systems. (The packet sniffers
   are frequently installed as part of several widely available intruder
   toolkits that also replace common system files with Trojan horse programs.)

   For information about recovering from a UNIX root compromise, see

   To learn about methods for detecting intruders' packet sniffers and Trojan
   horse programs, see

2. Large-Scale Scanning and Attacks

   We have been receiving reports of large-scale scanning of hosts on the
   Internet, where intruders are using automated programs to identify systems
   that are running vulnerable services. In one incident reported to the
   CERT/CC, more than 250,000 hosts were scanned. Many of these scans have led
   to root compromises on systems that were not patched against various
   well-known problems that have been addressed in previous CERT advisories.

   In recent months, the most commonly reported types of intruder scanning
   and exploitation attacks continue to be against IMAP and rpc-statd

   A. IMAP Attacks

   We continue to receive reports of IMAP attacks, as mentioned in previous
   CERT Summaries (CS-98.01, CS-97.06, and CS-97.04). These reports show that
   intruders are still launching large-scale, automated scans against many
   networks, identifying potentially vulnerable systems.

   Any system that is running a vulnerable version of certain implementations
   of IMAP servers may allow an intruder to gain root-level access on that
   vulnerable host.

   We encourage you to check for the IMAP vulnerability and take immediate
   action to address the problem. For related information, see

   B. rpc-statd Attacks

   We are also receiving reports of attacks involving a vulnerability in
   rpc.statd (also known as statd on some systems), as mentioned in CERT
   Summary CS-98.01 - SPECIAL EDITION. This vulnerability can allow an
   intruder to gain root access.
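
   As an added illustration (not part of the CERT summary), the sweeps
   described in sections A and B can be spotted in connection logs by counting
   how many distinct hosts one source contacts on the IMAP or portmapper port
   within a short window. The log format, addresses, threshold and window
   below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Services named in the summary: IMAP (143) and the RPC portmapper (111),
# which clients query to locate rpc.statd.
WATCHED_PORTS = {143, 111}
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse(line):
    """Parse one line of the constructed log format; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])
    except ValueError:
        return None

def find_sweeps(lines, min_hosts=4, window=timedelta(minutes=5)):
    """Map (src, port) to the most distinct hosts probed inside any one window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] in WATCHED_PORTS:
            events[(rec[1], rec[3])].append((rec[0], rec[2]))
    sweeps = {}
    for key, hits in events.items():
        hits.sort()
        start = best = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward past stale probes
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= min_hosts:
            sweeps[key] = best
    return sweeps

# Constructed sample: a fast IMAP sweep, a slow portmapper sweep, a normal
# mail client, unrelated web traffic and one unparseable line.
SAMPLE_LOG = (
    [f"1998-03-09T02:11:0{i} src=192.0.2.7 dst=198.51.100.1{i} dport=143" for i in range(5)]
    + [f"1998-03-09T0{h}:00:00 src=192.0.2.99 dst=198.51.100.2{h} dport=111" for h in range(1, 5)]
    + [f"1998-03-09T09:0{i}:00 src=203.0.113.20 dst=198.51.100.25 dport=143" for i in range(3)]
    + ["1998-03-09T09:05:00 src=203.0.113.21 dst=198.51.100.80 dport=80", "garbled line"]
)

if __name__ == "__main__":
    for (src, port), hosts in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed {hosts} hosts on port {port}")
```

   With the default five-minute window only the fast sweep is reported; the
   slow portmapper sweep appears once the window is widened to several hours.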

   For related information, see CERT Advisory CA-97.26 and CERT Summary

3. Denial-of-Service Attacks

We are still receiving daily reports of various types of denial-of-service

You can find information about protecting your systems against several common
types of denial-of-service attacks in the following documents:

We encourage you to read the above documents and apply the appropriate vendor
patches. We also encourage you to consider implementing router filters to
reduce your site's exposure to certain types of attacks.

   A. More Denial-of-Service Attacks Targeting Windows 95/NT Machines

   This section is a follow-up to the information provided in the Special
   Edition CERT Summary released on March 4. This document is available at

   We have received reports of sites continuing to experience "teardrop2"
   denial-of-service attacks targeted at multiple hosts. Again, we encourage
   you to install the appropriate patches to minimize the effect of this

   Microsoft has released a new "Security Bulletin" addressing network
   denial-of-service attacks. This bulletin contains pointers to Windows NT
   hotfixes and a Windows 95 update which patch vulnerable machines. The
   bulletin is available from the Microsoft security web site at

New Location of "New Additions" and "Updated Files" Information
---------------------------------------------------------------
Before we publish the next regular issue of the CERT Summary, we will have a
"What's New" page on our Web site at

On this page we'll highlight new documents we've made available as well as
noteworthy document updates.

As a result, this is the last time we will include the "New Additions" and
"Updated Files" sections in the CERT Summary.

What's New in the CERT FTP Archive and Web Site
-----------------------------------------------
We have made the following changes to our FTP and Web sites since the last
regularly scheduled CERT Summary (December 1, 1997).

* New Additions

    CA-97.26.statd                              Reports a vulnerability that
                                                exists in the statd(1M)
                                                program, available on a
                                                variety of UNIX platforms.

    CA-97.27.FTP_bounce                         Discusses the use of the PORT
                                                command in the FTP protocol.

    CA-97.28.Teardrop_Land                      Reports on two IP
                                                denial-of-service attacks.

    CA-98.01.smurf                              Describes the "smurf" IP
                                                denial-of-service attacks. The
                                                attack described in this
                                                advisory is different from the
                                                denial-of-service attacks
                                                described in CERT advisory

    CA-98.02.CDE                                Reports several
                                                vulnerabilities in some
                                                implementations of the Common
                                                Desktop Environment (CDE).

    CA-98.03.ssh-agent                          Details a vulnerability in the
                                                SSH cryptographic login

    CA-98.04.Win32.WebServers                   Reports an exploitation
                                                involving long file names on
                                                Microsoft Windows-based web

    VB-97.15.nis_cachemgr                       Addresses a vulnerability that
                                                allows attackers to specify
                                                rogue NIS+ servers that are
                                                under their control.

    VB-97.16.CrackLib                           Describes a weakness in a
                                                published version of CrackLib
                                                (v2.5, dated 1993) that could
                                                lead to a compromise of system

    VB-98.01.excite                             Discusses a security hole that
                                                could allow a malicious user
                                                of the software to execute
                                                shell commands on the host
                                                system on which EWS has been

    VB-98.02.apache                             Describes several possible
                                                security issues that have been
                                                discovered during an internal
                                                security review of the Apache
                                                source code.

    CS-98.01                                    Highlights increasing attacks
                                                involving a vulnerability in
                                                rpc.statd, also known as statd
                                                on some systems.

    CS-98.02                                    Describes denial-of-service
                                                attacks targeting a
                                                vulnerability in the Microsoft
                                                TCP/IP stack.



    Annual Report 1997                          CERT/CC 1997 Annual Report

    Security of the Internet                    Article written by the CERT/CC
                                                staff for The Froehlich/Kent
                                                Encyclopedia of
                                                Telecommunications vol. 15

* Updated Files

    CA-96.08.pcnfsd                             Added information for NCR

    CA-96.09.rpc.statd                          Added information for NCR

    CA-96.14.rdist_vul                          Updated information for NCR
                                                Corporation. Updated
                                                information for NCR

    CA-97.03.csetup                             Added information for Data

    CA-97.06.rlogin-term                        Added information for NCR

    CA-97.09.imap_pop                           Updated information for Sun
                                                Microsystems, Inc.

    CA-97.11.libXt                              Updated information for Data
                                                General Corporation. Added
                                                information for Silicon
                                                Graphics, Inc.

    CA-97.16.ftpd                               Added information for NCR

    CA-97.17.sperl                              Added information for NCR
                                                Corporation. Updated
                                                information for Silicon
                                                Graphics, Inc.

    CA-97.21.sgi_buffer_overflow                Updated information for
                                                Silicon Graphics, Inc.

    CA-97.23.rdist                              Updated information for NCR

    CA-97.25.CGI_metachar                       Updated tech tip and removed
                                                Appendix A.

    CA-98.03.ssh-agent                          In Updates section, described
                                                two cases in which the
                                                vulnerability is present.

    cgi_metacharacters                          Updated information.

    FTP_PORT_attacks                            Updated information.

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email

Phone    +1 412-268-7090 (24-hour hotline) 
                CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
                Monday-Friday, and are on call for emergencies during other

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories and bulletins, send your
email address to 
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more

Location of CERT PGP key

---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in and .
If you do not have FTP or web access, send mail to with
"copyright" in the subject line.
* CERT is registered in the U.S. Patent and Trademark Office.
