S-99-09.asc

Posted Jan 10, 2000

Subject S-99-09 CERT Summary Date 26-Feb-99

SHA-256 | 5b362eddeddb84ac415afa28f155a0b34ff7f1475c907ef4ec53640616b6b272

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Jan Meijer                      Index  : S-99-09
Distribution  : World                           Page   : 1
Classification: External                        Version: 1
Subject       : S-99-09 : CERT Summary          Date   : 26-Feb-99
===============================================================================

By courtesy of CERT Coordination Center we received the following
information.

CERT Coordination Center advisory CS-99.01: CERT Summary reports the
following trends in incidents since the last CERT summary, issued in
December 1998 (CS-98.08):

1. Widespread Scans
2. Back Orifice and NetBus
3. Trojan Horse Programs
4. FTP Buffer Overflows

CERT-NL recommends being extra cautious about these specific types of
incidents.

This advisory is meant to provide you with information about the current
trends. Where normally we would only forward you the URL, we thought
this information to be of sufficient interest to include the full text here.

All CERT Coordination Center advisories and READMEs are mirrored by
CERT-NL.
The specific URL for this case is:

ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-cc-mirror/cert_summaries/CS-99.01

More information about the CERT-NL mirror and notifier services is
contained in News items N-95-01 (notifier) and N-95-02 (CERT mirror),
both present on ftp://ftp.surfnet.nl/surfnet/net-security/cert-nl/docs/news/

==============================================================================
CERT Summary CS-99-01

February 23, 1999

The CERT Coordination Center periodically issues the CERT summary to
draw attention to the types of attacks currently being reported to our
incident response team, as well as to other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.

Past CERT summaries are available from

http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last CERT summary, issued in December 1998 (CS-98.08), we
have seen these trends in incidents reported to us.

1. Widespread Scans

We continue to receive numerous daily reports of intruders using
tools to scan networks for multiple vulnerabilities. Intruder
scanning tools continue to become more sophisticated.
On January 28, 1999, we published an incident note describing a
new scanning tool that searches for multiple known vulnerabilities
on remote systems. The tool incorporates probes for known
vulnerabilities, remote operating system identification, and a
scripting language that simplifies automation of probes and
exploitation attempts. For more information, see our incident note
at
http://www.cert.org/incident_notes/IN-99-01.html

Reports also indicate that scanning techniques addressed in
previous CERT incident notes, such as scripted tools and stealth
scanning, are still being employed by intruders. For more
information, see

+ http://www.cert.org/incident_notes/IN-98-06.html
+ http://www.cert.org/incident_notes/IN-98-05.html
+ http://www.cert.org/incident_notes/IN-98.04.html
+ http://www.cert.org/incident_notes/IN-98.02.html

The daily reports of widespread scans and exploitation attempts
involve many vulnerabilities; however, the most frequent reports
involve activity with well-known vulnerabilities in "mountd",
"imap", and "pop3" services for which CERT advisories have been
published. These services are installed and enabled by default in
some operating systems. The scans and exploitation attempts still
result in sites being compromised. See the following advisories
for more information:

+ sunrpc (tcp port 111) and mountd (635)
http://www.cert.org/advisories/CA-98.12.mountd.html
+ imap (tcp port 143)
http://www.cert.org/advisories/CA-98.09.imapd.html
+ pop3 (tcp port 110)
http://www.cert.org/advisories/CA-98.08.qpopper_vul.html

We encourage you to make sure that all systems at your site are up
to date with patches and that your machines are properly secured.

2. Back Orifice and NetBus

We continue to receive daily reports of incidents involving
Windows-based "remote administration" programs such as Back Orifice and
NetBus. Occasionally these are reports of compromised machines that
have one of these tools installed. However, the majority of these
reports involve sites that have detected intruders scanning for the
presence of these tools. These scans may appear as unauthorized traffic
as follows:

+ NetBus - connection request (SYN) packets to TCP ports
12345, 12346, or 20034
+ Back Orifice - UDP packets to port 31337

Keep in mind that these tools can be configured to listen on
different ports. Because of this, we encourage you to investigate
any unexplained network traffic.
For more information about Back Orifice, review CERT vulnerability
note VN-98.07:

http://www.cert.org/vul_notes/VN-98.07.backorifice.html
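
The port signatures listed in items 1 and 2 can be checked against connection logs. The Python below is an added example, not part of the CERT or CERT-NL text: the key=value log format, the three-host threshold and the sample records are constructed assumptions. It also reports sweeps of unlisted ports, since the tools can be configured to listen elsewhere.

```python
import re
from collections import defaultdict

# Ports named in the summary. 635 is listed there without a protocol;
# treating it as both TCP and UDP is an assumption of this example.
WATCHED = {
    ("tcp", 111): "sunrpc", ("tcp", 635): "mountd", ("udp", 635): "mountd",
    ("tcp", 143): "imap", ("tcp", 110): "pop3",
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
    ("tcp", 20034): "NetBus", ("udp", 31337): "Back Orifice",
}
FIELD = re.compile(r"(\w+)=(\S+)")  # hypothetical key=value log format

def find_sweeps(lines, min_hosts=3):
    """Return {(src, proto, dport): (label, [dst hosts])} for each source that
    touched the same port on at least min_hosts distinct destinations."""
    seen = defaultdict(set)
    for line in lines:
        f = dict(FIELD.findall(line))
        if not {"proto", "src", "dst", "dport"} <= f.keys() or not f["dport"].isdigit():
            continue  # not a usable connection record
        proto = f["proto"].lower()
        # For TCP, count only connection requests (SYN), as in the summary.
        if proto == "tcp" and f.get("flags") != "SYN":
            continue
        seen[(f["src"], proto, int(f["dport"]))].add(f["dst"])
    sweeps = {}
    for (src, proto, dport), hosts in seen.items():
        if len(hosts) >= min_hosts:
            # Unlisted ports are still reported: the tools can be reconfigured.
            label = WATCHED.get((proto, dport), "unlisted port")
            sweeps[(src, proto, dport)] = (label, sorted(hosts))
    return sweeps

# Constructed sample records (documentation address ranges, not real traffic).
def _rec(proto, src, host, dport, flags="SYN"):
    return (f"1999-02-23T10:00:00 DENY proto={proto} flags={flags} "
            f"src={src} dst=198.51.100.{host} dport={dport}")

SAMPLE = (
    [_rec("udp", "192.0.2.7", i, 31337, "-") for i in range(1, 5)]
    + [_rec("tcp", "192.0.2.9", i, 12345) for i in range(1, 4)]
    + [_rec("tcp", "192.0.2.9", i, 40123) for i in range(1, 4)]
    + [_rec("tcp", "203.0.113.5", 2, 110), _rec("tcp", "203.0.113.5", 2, 110, "ACK")]
)

if __name__ == "__main__":
    for (src, proto, dport), (label, hosts) in sorted(find_sweeps(SAMPLE).items()):
        print(f"{src} {proto}/{dport} [{label}] -> {len(hosts)} hosts")
```

A single connection to a listed port (the pop3 record in the sample) stays below the threshold; lowering min_hosts to 1 lists every first contact with a watched port instead.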

3. Trojan Horse Programs

Over the past few months, we have seen an increase in the number
of incident reports related to Trojan horse programs affecting
both Windows and UNIX platforms.

+ CERT advisory CA-99-02 includes descriptions of several
recent incidents involving Trojan horse programs, including a
false upgrade to Internet Explorer, a Trojan horse version of
TCP Wrappers, and a Trojan horse version of util-linux. The
advisory also provides advice for system and network
administrators, end users, software developers, and
distributors. The advisory is available from

http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

+ CERT advisory CA-99-01 discusses the Trojan horse version of
TCP Wrappers in greater detail, and provides information on
how to verify the integrity of your TCP Wrappers
distribution.

http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html

4. FTP Buffer Overflows

Very recently, we have received a few reports of intruders
scanning for and exploiting a remote buffer overflow vulnerability
in various FTP servers. By supplying carefully designed commands
to the FTP server, intruders can force the server to execute
arbitrary commands with root privilege. Intruders can exploit the
vulnerability remotely to gain administrative access. We encourage
you to review text provided by Netect, Inc. in CERT advisory
CA-99-03, which describes the ftpd vulnerability in more detail.
The advisory is available from

http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl      ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305         BUSINESS HOURS ONLY
Fax:       +31 302 305 329         BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

EMERGENCIES: 06 22 92 35 64        ALWAYS REACHABLE
EMERGENCIES: +31 6 22 92 35 64     ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONE NUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IpTSYjBqwfc9jEQLRswCeL8y0cvE6Rc3+44QlCsOUy7OpaKYAnjs5
OLEAeSneedRxq2Zg/qsOA3v4
=WwxE
-----END PGP SIGNATURE-----