

-----------------------------------------------------------------------------
CERT* Summary CS-98.06
June 11, 1998

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
incident response team. The summary includes pointers to sources of
information for dealing with the problems.

Past CERT Summaries are available from
-----------------------------------------------------------------------------

Recent Activity
---------------
Since the last regularly scheduled CERT Summary issued in March 1998
(CS-98.03), we have seen these trends in incidents reported to us.

1. Multiple Vulnerabilities in BIND

   In two previous special edition CERT Summaries, CS-98.04 and CS-98.05, we
   discussed several attack methods being used to exploit
   vulnerabilities in BIND. CS-98.04 and CS-98.05 are available from

   We have observed several changes to the methods of attack used to
   exploit the BIND vulnerabilities. Exploitation of these
   vulnerabilities might allow a remote intruder to gain privileged
   (root) access on your domain name server or to disrupt normal
   operation of your domain name server.

   Although the methods of attack are being modified, these attacks
   are still exploiting vulnerabilities described in CERT advisory
   CA-98.05. We encourage you to review this advisory, which describes
   the BIND buffer overflow vulnerability, and to apply the
   appropriate patches if you have not done so already. The advisory
   is available at

2. Scans to Port 1/tcpmux and unpassworded SGI accounts

   Over the past month we have received reports of widespread scans to
   TCP port 1. The service assigned to TCP port 1 is tcpmux. For more
   information, see RFC#1078, which is available at

   We know that some of the scans originated from sites that had root
   compromises. From a site that was used to launch these scans, we
   were able to obtain files that indicate that the intruder was
   scanning for IRIX machines.

   By default, IRIX systems have tcpmux enabled. Once the intruder
   found a number of machines with a service running on port 1/tcpmux,
   the intruder then used another automated tool to telnet to each of
   these machines and attempt to log in as guest, lp, and demos.

   We have been in communication with SGI about this issue. At this
   time there does not appear to be any vulnerability in the SGI
   implementation of tcpmux or any service provided through tcpmux.

   IRIX Root Compromises

   In addition to the above incidents, we have noticed an increase in
   the number of reports of IRIX root compromises over the past
   month. We have also received numerous independent reports of
   widespread failed login attempts to lp, guest, demos, OutOfBox, and
   EZsetup accounts.

   IRIX machines ship by default with unpassworded accounts. As of
   IRIX 6.3 there is a security tool to easily disable or add
   passwords to these accounts at installation time. Please refer to
   the following advisories for more information about this issue:

   We strongly encourage you to ensure that the full set of security
   patches for each of your systems is applied. This is a major step
   in defending your systems from attack; its importance cannot be

   We encourage you to check with your vendor regularly for any
   updates or new patches that relate to your systems. We also
   encourage you to ensure that you are up to date with patches and
   workarounds referenced in CERT advisories.

   IRIX patches are available from

   If your IRIX machine has unpassworded accounts, then in addition to
   disabling (or adding password protection to) accounts which do not
   have passwords, we encourage you to inspect your system for signs
   of intrusion. For instructions on how to do this, please refer to
   the "Recovering from an Incident" web page, available from
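
   An added example, not part of the CERT summary: a POSIX shell check
   for the unpassworded accounts described above. It reads a
   passwd-format file on standard input and reports every account whose
   password field is empty, marking the account names listed in this
   summary. The sample entries are constructed; on a system that uses
   shadow passwords, the shadow file is the input to check.

```shell
#!/bin/sh
# Added example: report accounts with an empty password field.
# Live use:  find_unpassworded < /etc/passwd

# Account names taken from this summary (targets of the login attempts).
IRIX_DEFAULTS="guest lp demos OutOfBox EZsetup"

# Reads passwd-format lines on stdin. For each account whose second
# field is empty, prints "<name> default" when the name is one of
# IRIX_DEFAULTS, otherwise "<name> other".
find_unpassworded() {
    awk -F: -v defaults="$IRIX_DEFAULTS" '
        BEGIN {
            n = split(defaults, d, " ")
            for (i = 1; i <= n; i++) known[d[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }   # comments and blank lines
        /^[+-]/        { next }   # NIS include/exclude entries, not local accounts
        NF < 7         { next }   # malformed line, too few fields
        $2 == ""       { print $1, (($1 in known) ? "default" : "other") }
    '
}

# Constructed sample input; names, IDs and paths are illustrative only.
sample_passwd() {
    cat <<'EOF'
root:CONSTRUCTEDHASH:0:0:Super-User:/:/bin/csh
guest::998:998:Guest Account:/home/guest:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
demos:*:993:997:Demonstration User:/home/demos:/bin/csh
EZsetup::992:998:System Setup:/home/EZsetup:/bin/csh
# local users below
+::0:0:::
jdoe::1001:20:J Doe:/home/jdoe:/bin/sh
broken:line
EOF
}

# Demonstration run on the constructed sample.
sample_passwd | find_unpassworded
```

   An account whose field holds a lock marker such as "*" is not
   reported, since that field is not empty.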

3. Root Compromises

   We continue to receive daily reports of sites that have suffered a
   root compromise. Many of these compromises can be traced to systems
   that are unpatched or misconfigured, which the intruders exploit
   using well-known vulnerabilities for which CERT advisories have
   been published.

   We encourage you to check for signs of compromise. The following
   documents can help you review your systems:

   Intruder Detection Checklist

        This document outlines suggested steps for determining if your
        system has been compromised.

   Steps for Recovering from a UNIX Root Compromise

        This document sets out suggested steps for responding to a
        root compromise.

   UNIX Configuration Guidelines

        This document describes common UNIX system configuration
        problems that have been exploited by intruders and recommends
        practices that can be used to help deter several types of

   List of Security Tools

        This document describes tools that can be used to help secure
        a system and deter break-ins.

What's New and Updated
----------------------
Information about new and updated CERT documents, such as advisories,
is available through the CERT web site at

-----------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email   [address obscured in the archive]

Phone   +1 412-268-7090 (24-hour hotline)
               CERT personnel answer 8:30-5:00 p.m. EST
               (GMT-5)/EDT(GMT-4), and are on call for
               emergencies during other hours.

Fax     +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        [address obscured in the archive]
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

CERT publications, information about FIRST representatives, and other
security-related information are available from

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more

Location of CERT PGP key

-----------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in and . If you do not have FTP or web access,
send mail to [address obscured in the archive] with "copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.
