-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-99-01
February 23, 1999

The CERT Coordination Center periodically issues the CERT summary to draw attention to the types of attacks currently being reported to our incident response team, as well as to other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from

   http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last CERT summary, issued in December 1998 (CS-98.08), we have seen these trends in incidents reported to us.

1. Widespread Scans

We continue to receive numerous daily reports of intruders using tools to scan networks for multiple vulnerabilities. Intruder scanning tools continue to become more sophisticated. On January 28, 1999, we published an incident note describing a new scanning tool that searches for multiple known vulnerabilities on remote systems. The tool incorporates probes for known vulnerabilities, remote operating system identification, and a scripting language that simplifies automation of probes and exploitation attempts. For more information, see our incident note at

   http://www.cert.org/incident_notes/IN-99-01.html

Reports also indicate that scanning techniques addressed in previous CERT incident notes, such as scripted tools and stealth scanning, are still being employed by intruders. For more information, see

   + http://www.cert.org/incident_notes/IN-98-06.html
   + http://www.cert.org/incident_notes/IN-98-05.html
   + http://www.cert.org/incident_notes/IN-98.04.html
   + http://www.cert.org/incident_notes/IN-98.02.html

The daily reports of widespread scans and exploitation attempts involve many vulnerabilities; however, the most frequent reports involve activity with well-known vulnerabilities in "mountd", "imap", and "pop3" services for which CERT advisories have been published.
These services are installed and enabled by default in some operating systems. The scans and exploitation attempts still result in sites being compromised. See the following advisories for more information:

   + sunrpc (tcp port 111) and mountd (635)
     http://www.cert.org/advisories/CA-98.12.mountd.html
   + imap (tcp port 143)
     http://www.cert.org/advisories/CA-98.09.imapd.html
   + pop3 (tcp port 110)
     http://www.cert.org/advisories/CA-98.08.qpopper_vul.html

We encourage you to make sure that all systems at your site are up to date with patches and that your machines are properly secured.

2. Back Orifice and NetBus

We continue to receive daily reports of incidents involving Windows-based "remote administration" programs such as Back Orifice and NetBus. Occasionally these are reports of compromised machines that have one of these tools installed. However, the majority of these reports involve sites that have detected intruders scanning for the presence of these tools. These scans may appear as unauthorized traffic as follows:

   + NetBus - connection request (SYN) packets to TCP ports 12345, 12346, or 20034
   + Back Orifice - UDP packets to port 31337

Keep in mind that these tools can be configured to listen on different ports. Because of this, we encourage you to investigate any unexplained network traffic.

For more information about Back Orifice, review CERT vulnerability note VN-98.07:

   http://www.cert.org/vul_notes/VN-98.07.backorifice.html

3. Trojan Horse Programs

Over the past few months, we have seen an increase in the number of incident reports related to Trojan horse programs affecting both Windows and UNIX platforms.

   + CERT advisory CA-99-02 includes descriptions of several recent incidents involving Trojan horse programs, including a false upgrade to Internet Explorer, a Trojan horse version of TCP Wrappers, and a Trojan horse version of util-linux. The advisory also provides advice for system and network administrators, end users, software developers, and distributors.
     The advisory is available from

     http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

   + CERT advisory CA-99-01 discusses the Trojan horse version of TCP Wrappers in greater detail and provides information on how to verify the integrity of your TCP Wrappers distribution.

     http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html

4. FTP Buffer Overflows

Very recently, we have received a few reports of intruders scanning for and exploiting a remote buffer overflow vulnerability in various FTP servers. By supplying carefully designed commands to the FTP server, intruders can force the server to execute arbitrary commands with root privilege. Intruders can exploit the vulnerability remotely to gain administrative access. We encourage you to review the text provided by Netect, Inc. in CERT advisory CA-99-03, which describes the ftpd vulnerability in more detail. The advisory is available from

   http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html

__________________________________________________________________

What's New and Updated

Since the last CERT summary, we have developed new and updated

   + Advisories
   + Incident notes
   + Security improvement modules
   + Technical reports
   + The CERT/CC 1998 Annual Report
   + Computer Security Incident Response Team (CSIRT) Handbook
   + Incident response courses

There are descriptions of these documents and links to them on our What's New web page at

   http://www.cert.org/nav/whatsnew.html

__________________________________________________________________

This document is available from: http://www.cert.org/summaries/CS-99-01.html.

__________________________________________________________________

CERT/CC Contact Information

Email:   [address obscured by the archive's spam protection]
Phone:   +1 412-268-7090 (24-hour hotline)
Fax:     +1 412-268-6989
Postal address:
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

   http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to [address obscured by the archive's spam protection] and include

   SUBSCRIBE your-email-address

in the subject of your message.

Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in

   http://www.cert.org/legal_stuff.html

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

__________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNtMd3nVP+x0t4w7BAQELiQP/TLsyxvFKqSF22dlYDd4TtFDbBVJOeTM7
ck9zWTxxlX/ejj/ADDRal/45CILB1Tdsj5dNwKyUSQ2sX+sl/UZS5PfA4/iJwoWl
bFkCzcRagzt2Y2p8U19WGwjfi4bSYQGhKxHlzTIIxp3h9PQhwMOYbndAyQ0NMyd9
2HmobbOGFu0=
=umQb
-----END PGP SIGNATURE-----
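The summary above names concrete traffic signatures: connection attempts to sunrpc/mountd, imap and pop3 (section 1) and the NetBus SYN ports and Back Orifice UDP port (section 2), with the caveat that both tools can be reconfigured to other ports. The following is an added example, not part of the CERT summary, showing how a defender might run those signatures over firewall-style log lines and, independently of port number, flag a single source sweeping many hosts. The log format, the sample lines and the RFC 5737 addresses are constructed for the example; the port-to-advisory labels come from the summary text.

```python
# Added example, not part of the CERT summary: classify firewall-style
# log lines against the scan signatures named in CS-99-01 and flag
# host sweeps. The log format and the sample lines are constructed.
from collections import defaultdict

# Destination ports named in the summary, keyed by protocol.
TCP_SIGNATURES = {
    111: "sunrpc probe (CA-98.12)",
    635: "mountd probe (CA-98.12)",
    143: "imap probe (CA-98.09)",
    110: "pop3 probe (CA-98.08)",
    12345: "NetBus connection request",
    12346: "NetBus connection request",
    20034: "NetBus connection request",
}
UDP_SIGNATURES = {31337: "Back Orifice probe (VN-98.07)"}

# Constructed log lines: "<time> <proto> <src>:<sport> -> <dst>:<dport> <tcp flags or ->"
SAMPLE_LOG = """\
10:00:01 TCP 192.0.2.10:4021 -> 198.51.100.5:12345 S
10:00:01 TCP 192.0.2.10:4022 -> 198.51.100.6:12345 S
10:00:02 TCP 192.0.2.10:4023 -> 198.51.100.7:12345 S
10:00:02 TCP 192.0.2.10:4024 -> 198.51.100.8:12345 S
10:00:05 UDP 192.0.2.77:1234 -> 198.51.100.5:31337 -
10:00:09 TCP 203.0.113.4:33001 -> 198.51.100.9:143 S
10:00:12 TCP 198.51.100.20:51000 -> 198.51.100.5:80 S
10:00:15 TCP 192.0.2.55:2001 -> 198.51.100.1:54321 S
10:00:15 TCP 192.0.2.55:2002 -> 198.51.100.2:54321 S
10:00:16 TCP 192.0.2.55:2003 -> 198.51.100.3:54321 S
"""


def parse_line(line):
    """Parse one log line into an event dict; return None for malformed input."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->" or ":" not in parts[2] or ":" not in parts[4]:
        return None
    src, sport = parts[2].rsplit(":", 1)
    dst, dport = parts[4].rsplit(":", 1)
    try:
        return {"time": parts[0], "proto": parts[1].upper(), "src": src,
                "sport": int(sport), "dst": dst, "dport": int(dport),
                "flags": parts[5]}
    except ValueError:
        return None


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def is_connection_request(event):
    """NetBus scans arrive as SYN packets; UDP has no handshake, so every datagram counts."""
    if event["proto"] == "TCP":
        return "S" in event["flags"] and "A" not in event["flags"]
    return event["proto"] == "UDP"


def match_signatures(events):
    """Return (event, description) for each connection request to a port named in the summary."""
    hits = []
    for e in events:
        if not is_connection_request(e):
            continue
        table = TCP_SIGNATURES if e["proto"] == "TCP" else UDP_SIGNATURES
        if e["dport"] in table:
            hits.append((e, table[e["dport"]]))
    return hits


def detect_sweeps(events, threshold=3):
    """Flag a source that contacts at least `threshold` distinct hosts on one port.

    Deliberately port-agnostic: Back Orifice and NetBus can be configured to
    listen elsewhere, so the port number alone is not a reliable key and an
    unlisted port that is being swept still deserves investigation."""
    targets = defaultdict(set)
    for e in events:
        if is_connection_request(e):
            targets[(e["src"], e["proto"], e["dport"])].add(e["dst"])
    sweeps = []
    for (src, proto, dport), hosts in sorted(targets.items()):
        if len(hosts) >= threshold:
            table = TCP_SIGNATURES if proto == "TCP" else UDP_SIGNATURES
            label = table.get(dport, "port not in signature list; investigate")
            sweeps.append({"src": src, "proto": proto, "dport": dport,
                           "hosts": len(hosts), "label": label})
    return sweeps


def analyze(log_text, threshold=3):
    events = parse_log(log_text)
    return {"signature_hits": match_signatures(events),
            "sweeps": detect_sweeps(events, threshold)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for e, why in report["signature_hits"]:
        print(f"{e['time']} {e['src']} -> {e['dst']}:{e['dport']}/{e['proto']}: {why}")
    for s in report["sweeps"]:
        print(f"sweep: {s['src']} hit {s['hosts']} hosts on "
              f"{s['dport']}/{s['proto']} ({s['label']})")
```

On the constructed sample the signature pass reports four NetBus SYNs, one Back Orifice datagram and one imap probe, while the sweep pass reports two sources: the NetBus scanner and a second source probing port 54321 on three hosts, which no signature covers. That second finding is the point of the summary's caveat: a port list catches the default configuration, and only the per-source behaviour catches a tool that was moved to another port.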
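Section 3 of the summary points to CA-99-01 for verifying the integrity of a TCP Wrappers distribution after a Trojan horse version was found in circulation. The following is an added example, not from the CERT summary or from CA-99-01, of the kind of checksum-manifest verification such advice calls for: a publisher emits digests for each distributed file, and the recipient recomputes them over the downloaded copy and reports every file as ok, mismatching, missing or unlisted. The file names, file contents and manifest are constructed; the "MD5 (name) = hex" line format mirrors BSD-style digest output, and the SHA256 lines are an addition to that format.

```python
# Added example, not from the CERT summary or from CA-99-01: check a
# downloaded distribution against a checksum manifest, the integrity check
# administrators were asked to run on their TCP Wrappers copy. File names,
# contents and the manifest are constructed; the manifest format mirrors
# the BSD-style "MD5 (name) = hex" lines, with SHA256 lines added.
import hashlib
import hmac
import re

MANIFEST_LINE = re.compile(r"^(MD5|SHA256) \((.+)\) = ([0-9a-fA-F]+)$")


def digest(data, algo):
    """Hex digest of `data` under the manifest's algorithm name ("MD5", "SHA256")."""
    return hashlib.new(algo.lower(), data).hexdigest()


def make_manifest(files, algos=("MD5", "SHA256")):
    """Publisher side: one line per file and algorithm, e.g. "MD5 (pkg.tar.gz) = ..."."""
    lines = [f"{algo} ({name}) = {digest(files[name], algo)}"
             for name in sorted(files) for algo in algos]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Return {(name, algo): hexdigest}; blank and '#' lines are skipped,
    anything else that does not match the format is rejected."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        algo, name, hexd = m.groups()
        entries[(name, algo)] = hexd.lower()
    return entries


def verify(manifest_text, files):
    """Return {name: status}, status being "ok", "MISMATCH", "MISSING" or "UNLISTED".
    A file passes only if every digest listed for it agrees."""
    entries = parse_manifest(manifest_text)
    listed = {name for name, _ in entries}
    results = {}
    for name in listed:
        if name not in files:
            results[name] = "MISSING"
            continue
        ok = True
        for (n, algo), expected in entries.items():
            # compare_digest keeps the comparison time independent of where the digests differ
            if n == name and not hmac.compare_digest(digest(files[name], algo), expected):
                ok = False
        results[name] = "ok" if ok else "MISMATCH"
    for name in files:
        if name not in listed:
            results[name] = "UNLISTED"
    return results


# Constructed publisher files and the manifest derived from them.
ORIGINAL = {
    "example-pkg-1.0.tar.gz": b"constructed tarball bytes: original source",
    "example-pkg-1.0.tar.gz.asc": b"constructed detached signature placeholder",
}
MANIFEST = make_manifest(ORIGINAL)

# Constructed "download" whose tarball was replaced on the mirror.
TAMPERED = dict(ORIGINAL)
TAMPERED["example-pkg-1.0.tar.gz"] = b"constructed tarball bytes: modified copy"

if __name__ == "__main__":
    print(MANIFEST)
    print("clean   :", verify(MANIFEST, ORIGINAL))
    print("tampered:", verify(MANIFEST, TAMPERED))
```

The check is only as trustworthy as the manifest: if the digests are fetched from the same server that served the replaced tarball, an intruder who substituted one can substitute the other. Digests published in a PGP-signed advisory, or a detached signature over the archive verified against a key obtained independently, are what give the comparison its value.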