CERT(R) Summary CS-2000-04

November 20, 2000

Each quarter, the CERT(R) Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

   CERT Summaries
   http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in August (CS-2000-03), we have seen continued compromises via rpc.statd and FTPd. We have also seen a number of sites compromised by exploiting a vulnerability in the IRIX telnet daemon. Notable virus activity includes the Loveletter.as worm and the QAZ worm.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

   CERT/CC Current Activity
   http://www.cert.org/current/current_activity.html

1. Compromises Via an Input Validation Vulnerability in rpc.statd

Over the past several months we have received multiple daily reports of sites being root compromised via a vulnerability in rpc.statd. We have also received a number of reports indicating that intruders are performing widespread scanning for this vulnerability and using toolkits to automate the compromise of vulnerable machines. Sites, especially those running Linux, are encouraged to review the documents below.

   CERT Advisory CA-2000-17, Input Validation Problem in rpc.statd
   http://www.cert.org/advisories/CA-2000-17.html

   CERT Incident Note IN-2000-10, Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
   http://www.cert.org/incident_notes/IN-2000-10.html

2. Compromises Via the 'SITE EXEC' Vulnerability in FTPd

The CERT/CC continues to receive regular reports of intruders probing large network blocks for vulnerable FTP servers, and compromising machines found to be vulnerable to the 'SITE EXEC' vulnerability exploit. Sites are strongly encouraged to follow the advice contained in CA-2000-13 and IN-2000-10 to protect systems running FTP servers.

   CERT Advisory CA-2000-13, Two Input Validation Problems In FTPD
   http://www.cert.org/advisories/CA-2000-13.html

   CERT Incident Note IN-2000-10, Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
   http://www.cert.org/incident_notes/IN-2000-10.html

3. Compromises Via a Vulnerability in the IRIX Telnet Daemon

We have received reports of intruder activity involving the telnet daemon on SGI machines running the IRIX operating system. Intruders are actively exploiting a vulnerability in telnetd that is resulting in a remote root compromise of victim machines. Sites running IRIX are encouraged to review IN-2000-09.

   CERT Incident Note IN-2000-09, Systems Compromised Through a Vulnerability in the IRIX telnet daemon
   http://www.cert.org/incident_notes/IN-2000-09.html

4. VBS/Loveletter.AS Worm

The CERT/CC has been receiving reports from users infected by the VBS/Loveletter.AS worm for several weeks. VBS/LoveLetter.AS is known to spread in email messages with the following characteristics:

   Subject:    US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
   Body:       VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
   Attachment: (random_name.ext).vbs

Copies of the virus that have been reported to us contain the following comment:

   rem "Plan Colombia" virus v1.0

When the worm is executed, it makes several registry modifications, attempts to download additional files, and replaces files of certain types, similar to the behavior of the VBS/Loveletter.A virus. For information on how to prevent or recover from a Loveletter infection, please see CA-2000-04.

   CERT Advisory CA-2000-04, Love Letter Worm
   http://www.cert.org/advisories/CA-2000-04.html

Additional information about this virus can be found by visiting the sites listed on our Computer Virus Resources page.

   Computer Virus Resources
   http://www.cert.org/other_sources/viruses.html

5. QAZ Worm

For several weeks, the CERT/CC saw an increase in the number of NETBIOS Session (139/tcp) probes and a corresponding increase in reports of QAZ infected machines. The QAZ worm scans networks for unprotected Windows Networking Shares, similar to the behavior of the network.vbs worm discussed in IN-2000-02. When launched, the QAZ worm replaces the Notepad.exe file and modifies the registry to ensure that it is run when Windows restarts. This trojan also allows an intruder to upload files to the system, or execute any file on the system. Sites are encouraged to follow the advice in IN-2000-02 to secure Windows Networking Shares, and update anti-virus software definitions to prevent infection.

   CERT Incident Note IN-2000-02, Exploitation of Unprotected Windows Networking Shares
   http://www.cert.org/incident_notes/IN-2000-02.html

Additional information about this virus can be found by visiting the sites listed on our Computer Virus Resources page.

   Computer Virus Resources
   http://www.cert.org/other_sources/viruses.html

6. Multiple Denial of Service Problems in ISC BIND

The CERT/CC has recently learned of two serious denial of service vulnerabilities in the Internet Software Consortium's (ISC) BIND software. The first vulnerability is referred to by the ISC as the "zxfr bug" and the second is the "srv bug." We have not yet received reports of these vulnerabilities being exploited, but we believe the potential is there. Sites are encouraged to follow the advice in CA-2000-20 to protect systems running BIND.

   CERT Advisory CA-2000-20, Multiple Denial of Service Problems in ISC BIND
   http://www.cert.org/advisories/CA-2000-20.html

______________________________________________________________________

New CERT PGP key

The CERT/CC PGP key for 2000-2001 is now operational. The new key is an RSA key; it is constructed so as to provide maximum interoperability with as many versions of PGP as possible as well as with GPG. Information about the new PGP Key can be found at:

   Sending Sensitive Information to the CERT/CC
   http://www.cert.org/contact_cert/encryptmail.html

______________________________________________________________________

New Vulnerability Disclosure Policy

On October 9, 2000, the CERT Coordination Center began following a new policy regarding the disclosure of vulnerability information. Information about the new policy can be found at:

   The CERT Coordination Center Vulnerability Disclosure Policy
   http://www.cert.org/faq/vuldisclosurepolicy.html

______________________________________________________________________

What's New and Updated

Since the last CERT summary, we have published new and updated

   * Advisories
   * Incident notes
   * CERT/CC statistics
   * Security improvement modules
   * Infosec Outlook newsletter
   * Frequently Asked Questions

Descriptions of these documents and links to them can be found on our "What's New" page:

   What's New
   http://www.cert.org/nav/whatsnew.html

______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2000-04.html

______________________________________________________________________

CERT/CC Contact Information

Email: (address obscured by the list archive)
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

   http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to the advisory request address (obscured by the list archive) and include SUBSCRIBE your-email-address in the subject of your message.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.
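Appended worked example, not part of the CERT summary: a mail-gateway triage check built from the VBS/Loveletter.AS characteristics quoted in section 4 (the Subject line, the body text, a .vbs attachment, and the "Plan Colombia" comment). It uses only Python's standard email library; the sample messages, the example.invalid addresses and the helper names are constructed for the demonstration.

```python
# Added example, not part of the CERT summary: mail-gateway triage of one
# RFC 822 message against the VBS/Loveletter.AS characteristics quoted in
# section 4. The sample message is constructed here for the demonstration.
import email
from email import policy
from email.message import EmailMessage

# Indicators exactly as quoted in the summary.
LOVELETTER_AS_SUBJECT = (
    "US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=")
LOVELETTER_AS_BODY = "SEE PRESIDENT AND FBI TOP SECRET PICTURES"
LOVELETTER_AS_COMMENT = 'rem "Plan Colombia" virus v1.0'

def _norm(text: str) -> str:
    # Collapse header folding and case so a refolded Subject still matches.
    return " ".join(text.split()).upper()

def triage_message(raw: bytes) -> dict:
    """Report which indicators match; 'quarantine' needs a .vbs attachment
    plus at least one other indicator, a lone .vbs is reported but passed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "body": False, "vbs_attachment": False,
            "comment": False}
    hits["subject"] = _norm(msg.get("Subject", "")) == _norm(LOVELETTER_AS_SUBJECT)
    for part in msg.walk():
        if part.is_multipart():
            continue  # container only; its leaf parts follow in the walk
        name = (part.get_filename() or "").lower()
        text = (part.get_payload(decode=True) or b"").decode("latin-1")
        if name.endswith(".vbs"):  # also catches double extensions, e.g. x.jpg.vbs
            hits["vbs_attachment"] = True
            hits["comment"] = hits["comment"] or LOVELETTER_AS_COMMENT in text
        elif part.get_content_type() == "text/plain":
            hits["body"] = hits["body"] or LOVELETTER_AS_BODY in text.upper()
    corroborated = hits["subject"] or hits["body"] or hits["comment"]
    hits["verdict"] = "quarantine" if hits["vbs_attachment"] and corroborated else "pass"
    return hits

def build_sample(subject: str, body: str, attach_name: str = "",
                 attach_text: str = "") -> bytes:
    """Construct a test message (constructed sample, not a captured worm mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(attach_text.encode("ascii"), maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()
```

Feed `triage_message` the raw bytes of each inbound message at the gateway; the returned dictionary records every matched indicator so that a lone .vbs attachment can still be routed to a stricter policy than this rule applies.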