CS-96.02

Posted Sep 23, 1999

SHA-256 | 424e195840c7d2f69180480bde720b9668121ce76e06d4ba93d1b4ae3aaaa9cd

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT(*) Summary CS-96.02
March 26, 1996
Last Revised: October 2, 1997
Updated copyright statement

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
strategic incident response staff. The summary includes pointers to
sources of information for dealing with the problems. We also list new
or updated files that are available for anonymous FTP from
ftp://info.cert.org/pub/

Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Recent Activity
- ---------------

In the two months since the last CERT Summary, we have continued to
receive reports about the same types of activities that were described
in CERT advisory CA-95:18 Widespread Attacks on Internet Sites. In
addition, we have seen an increase in the number of reports relating
to software piracy, many of which involve intruders taking advantage
of systems with poorly configured anonymous FTP areas.

If you haven't done so already, the CERT staff urges you to
immediately take the steps described in the advisories listed below.
Note that it is important to periodically recheck these files, as they
can contain updated information that we receive after an advisory is
published.

The majority of the incidents reported to our incident response staff
during the last two months fit into one (or more) of these seven
categories:

1. Root compromise on systems that are unpatched or running old OS versions.

We receive daily reports of systems that have been compromised by
intruders who have gained unauthorized access to root or other
privileged accounts by exploiting widely known security vulnerabilities
on systems that did not have appropriate patches installed (and/or
systems that were running old [unpatched] versions of the operating
system).

We encourage everyone to check with their vendor(s) regularly for
updates or new patches that relate to their systems, and install
security-related patches as soon as they are available.

For a list of additional suggestions on recovering from a UNIX root
compromise, see

ftp://info.cert.org/pub/tech_tips/root_compromise


2. Compromised user-level accounts that are leveraged to gain further access.

We receive daily reports of compromised accounts that have been used to
launch attacks against other sites, and/or have been used to gain
privileged access on vulnerable systems.

We encourage you to check your systems regularly (in accordance
with your site policies and guidelines) for any signs of unauthorized
accesses or suspicious activity.

For a list of suggestions on how to determine whether your system may
have been compromised, see

ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist


3. Packet sniffers and Trojan horse programs

We continue to receive almost daily incident reports about intruders who
have installed packet sniffers on root-compromised systems. These
sniffers, used to collect account names and passwords, are frequently
installed as part of a widely-available kit that also replaces common
system files with Trojan horse programs. The Trojan horse binaries
(du, ls, ifconfig, netstat, login, ps, etc.) hide the intruders'
files and sniffer activity on the system on which they are installed.

For further information and methods for detecting packet sniffers and
Trojan horse binaries, see the following files:

ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksums
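The defence the two advisories above describe is a checksum baseline: record digests of the binaries a sniffer kit replaces while the host is known clean, keep the baseline and the hashing tool somewhere the intruder cannot reach (off-host or on read-only media), and compare later. The following is an added example of that check; it is not CERT's md5 or cpm tooling. It hashes with SHA-256 rather than the MD5 of the 1996 advisories, and the file layout, function names and the demo's "Trojaned ps" are constructed.

```python
"""Checksum baseline for the binaries that sniffer kits replace.

Added example (not CERT's cpm or md5 tooling). Record digests on a
known-clean host, keep the baseline off-host or on read-only media, and
compare later. SHA-256 stands in for the MD5 of the 1996 advisories;
function names and the demo layout are assumptions.
"""
import hashlib
import os
import tempfile

# Binaries the summary names as commonly replaced by Trojan horse versions.
WATCHED = ("du", "ls", "ifconfig", "netstat", "login", "ps")


def digest(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(bindir, names=WATCHED):
    """Map basename -> digest for each watched binary present in bindir."""
    out = {}
    for n in names:
        p = os.path.join(bindir, n)
        if os.path.isfile(p):
            out[n] = digest(p)
    return out


def verify(bindir, baseline):
    """Compare bindir against baseline; return sorted (name, status) findings."""
    findings = []
    for name, expected in baseline.items():
        p = os.path.join(bindir, name)
        if not os.path.isfile(p):
            findings.append((name, "missing"))
        elif digest(p) != expected:
            findings.append((name, "modified"))
    return sorted(findings)


def demo():
    """Constructed scenario: clean bin dir, baseline, then a replaced ps and a removed login."""
    with tempfile.TemporaryDirectory() as d:
        for n in WATCHED:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"#!/bin/sh\nexec /usr/bin/" + n.encode() + b".real \"$@\"\n")
        baseline = make_baseline(d)
        clean = verify(d, baseline)  # nothing has changed yet
        # A kit-style replacement: same name, different contents, hides a process.
        with open(os.path.join(d, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ps.real \"$@\" | grep -v sniffd\n")
        os.remove(os.path.join(d, "login"))
        return clean, verify(d, baseline)


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the tool doing it: a Trojaned host cannot be asked to hash its own binaries with its own `md5`, so run the check from a clean boot or a read-only copy of the hashing program, and treat a mismatch on any of the watched binaries as a root compromise to be handled per the root_compromise tech tip.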


4. IP spoofing attacks

We continue to receive several reports each week of IP spoofing
attacks. Intruders attack by using automated tools that are becoming
widespread on the Internet. Some sites incorrectly believed that they
were blocking such spoofed packets, and others planned to block them but
hadn't yet done so.

For further information on this type of attack and how to prevent it,
see

ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing
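CA-95:01's router-side countermeasure is an input filter on the external interface: a packet arriving from the Internet that claims a source address inside your own network is forged and should be dropped. The block below is an added example of that decision logic, not CERT's or any router vendor's configuration. The address blocks are constructed (RFC 5737 documentation ranges stand in for a site's networks), and the outbound (egress) rule goes beyond the advisory's input filter; it is included because it stops your own hosts being used as a source of spoofed packets against others.

```python
"""Input-filter decision for the IP spoofing attack described in CA-95:01.

Added example; not CERT's or a router vendor's code. The networks are
constructed, and the egress rule is an addition beyond the advisory.
"""
import ipaddress

# Constructed: the address space this site announces.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]
# Sources that have no business arriving from the Internet at all.
NEVER_EXTERNAL = [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("0.0.0.0/8")]

DROP_SPOOF_IN = "drop: internal source address arriving on external interface"
DROP_BOGON = "drop: loopback/unspecified source on external interface"
DROP_SPOOF_OUT = "drop: outbound packet with a source address that is not ours"
ACCEPT = "accept"


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def decide(iface, src):
    """Return the filter verdict for a packet with source src seen on iface."""
    s = ipaddress.ip_address(src)
    if iface == "external":
        if _in_any(s, INTERNAL_NETS):
            return DROP_SPOOF_IN
        if _in_any(s, NEVER_EXTERNAL):
            return DROP_BOGON
    elif iface == "internal":
        if not _in_any(s, INTERNAL_NETS):
            return DROP_SPOOF_OUT
    return ACCEPT


def run_filter(records):
    """Apply decide() to (iface, src, dst) records; returns [(record, verdict)]."""
    return [(r, decide(r[0], r[1])) for r in records]


# Constructed packet records: (interface seen on, source, destination).
SAMPLE = [
    ("external", "203.0.113.7", "192.0.2.10"),   # ordinary inbound traffic
    ("external", "192.0.2.5", "192.0.2.10"),     # claims to be inside: forged
    ("external", "127.0.0.1", "192.0.2.10"),     # loopback address from the wire
    ("internal", "192.0.2.5", "203.0.113.7"),    # ordinary outbound traffic
    ("internal", "10.9.8.7", "203.0.113.7"),     # our host forging someone else
]

if __name__ == "__main__":
    for rec, verdict in run_filter(SAMPLE):
        print(rec, "->", verdict)
```

Two caveats that match the sites mentioned above who believed they were filtering but were not: test the rule by actually sending a packet with an internal source address at the external interface and confirming it is logged and dropped, and remember the filter only protects the boundary. A host on the inside can still forge another inside address, so services that grant access on the strength of a source address alone (the trust relationships the advisory discusses) remain exposed from within.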


5. Software piracy

We receive new reports each week about compromised accounts and/or
poorly configured anonymous FTP servers that are being used for
exchanging pirated software. While the compromised accounts should be
addressed as a separate security issue (see item 2, above), the abuse of
anonymous FTP areas for software piracy activities can be reduced if the
anonymous FTP service is correctly configured and administered.

For related information and guidelines for configuring anonymous FTP,
see

ftp://info.cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity
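Two of the checks a practitioner applies when following that guidance can be automated: nothing under the anonymous FTP root should be world-writable except a designated incoming directory, and that directory should not be readable by anonymous users, so a file one anonymous user drops cannot be listed and fetched back by another (which is exactly what turns a server into a pirated-software exchange). The block below is an added example of such an audit, not CERT's checklist code; the directory names, modes and the demo tree are constructed.

```python
"""Permission audit for an anonymous FTP tree.

Added example; not CERT's checklist code. Flags world-writable directories
and files outside the incoming area, and an incoming area that anonymous
users can read. Directory names and the demo tree are constructed.
"""
import os
import stat
import tempfile

INC_READABLE = "incoming is world-readable: uploads can be listed and fetched by other anonymous users"
DIR_WRITABLE = "world-writable directory outside incoming"
FILE_WRITABLE = "world-writable file"


def audit_ftp_tree(root, incoming="incoming"):
    """Return sorted (path relative to root, issue) for permission problems."""
    findings = []
    inc = os.path.join(root, incoming)
    if os.path.isdir(inc):
        if os.stat(inc).st_mode & stat.S_IROTH:
            findings.append((incoming, INC_READABLE))
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into incoming; it is judged by the rule above.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) != inc]
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((os.path.relpath(dirpath, root), DIR_WRITABLE))
        for fn in filenames:
            fp = os.path.join(dirpath, fn)
            if os.stat(fp).st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(fp, root), FILE_WRITABLE))
    return sorted(findings)


def demo():
    """Constructed tree: a correct layout first, then a misconfigured one."""
    results = []
    with tempfile.TemporaryDirectory() as root:
        pub = os.path.join(root, "pub")
        inc = os.path.join(root, "incoming")
        os.mkdir(pub)
        os.mkdir(inc)
        readme = os.path.join(pub, "README")
        with open(readme, "w") as f:
            f.write("public files\n")
        # Correct: root and pub read-only to others, incoming write-only (0733).
        os.chmod(root, 0o755)
        os.chmod(pub, 0o755)
        os.chmod(readme, 0o644)
        os.chmod(inc, 0o733)
        results.append(audit_ftp_tree(root))
        # Misconfigured: pub becomes a drop area, incoming becomes a pickup area.
        os.chmod(pub, 0o777)
        os.chmod(inc, 0o777)
        results.append(audit_ftp_tree(root))
        os.chmod(inc, 0o755)  # restore before cleanup
    return results


if __name__ == "__main__":
    for r in demo():
        print(r or "clean")
```

Run it as the ftp user's point of view in mind: the audit reads modes only, so also confirm that the files and directories under the FTP root are not owned by the `ftp` account itself, since an owner can change the modes back.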


6. Sendmail attacks

We still receive new reports each week about intruders attempting to
exploit vulnerabilities in the sendmail program mailer facility.
Unfortunately, some of these attacks have been successful against sites
that are running old versions of sendmail and/or are not restricting the
sendmail program mailer facility. Sendmail's program mailer facility can
be restricted by using the sendmail restricted shell program (smrsh).

Information on known sendmail vulnerabilities and the smrsh tool can be
obtained from

ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supplement

ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities

ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability

ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul

ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul


The smrsh program can be obtained from:

ftp://info.cert.org/pub/tools/smrsh/

smrsh is also included in the sendmail 8.7.5 distribution.
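What smrsh actually does is small enough to show. It receives the command line sendmail would otherwise hand to /bin/sh, refuses it if it contains shell metacharacters, reduces the program name to its basename, requires a program of that name to exist in a dedicated directory (/usr/adm/sm.bin in the original), and only then runs it. The block below is an added, simplified model of those checks; it is not the smrsh source. It differs in returning an argv vector to exec directly rather than re-invoking the shell, and the directory and command lines in the demo are constructed.

```python
"""Restricted program mailer gate in the style of smrsh.

Added example; a simplified model, not the smrsh source. Same checks as
smrsh (metacharacter rejection, basename, allow-list directory) but returns
an argv vector to exec directly instead of re-invoking /bin/sh. The demo
directory and command lines are constructed.
"""
import os
import tempfile

# Characters smrsh refuses anywhere on the command line.
FORBIDDEN = set("`<>|;&$\\\r\n")


def restrict(cmdline, allowed_dir):
    """Return (True, argv) if cmdline may run, else (False, reason)."""
    bad = sorted(c for c in cmdline if c in FORBIDDEN)
    if bad:
        return (False, "shell metacharacter %r in command" % bad[0])
    words = cmdline.split()
    if not words:
        return (False, "empty command")
    # Only the basename counts, so "/bin/sh" and "sh" are judged the same way,
    # and an allowed name is always run from allowed_dir, never from the path given.
    prog = os.path.basename(words[0])
    target = os.path.join(allowed_dir, prog)
    if not (os.path.isfile(target) and os.access(target, os.X_OK)):
        return (False, "%s is not in the restricted program directory" % prog)
    return (True, [target] + words[1:])


def demo():
    """Constructed sm.bin holding vacation and procmail; probe typical command lines."""
    probes = [
        "vacation bob",
        "/usr/bin/vacation bob",
        "/bin/sh -c id",
        "vacation bob; mail attacker",
        "procmail",
        "ls -la /etc",
    ]
    with tempfile.TemporaryDirectory() as d:
        for name in ("vacation", "procmail"):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
            os.chmod(p, 0o755)
        return [(cmd, restrict(cmd, d)[0]) for cmd in probes]


if __name__ == "__main__":
    for cmd, ok in demo():
        print("%-30s %s" % (cmd, "allowed" if ok else "rejected"))
```

The security of the scheme rests entirely on what is placed in the restricted directory: a program there that itself executes arbitrary commands (a shell, an interpreter, or a mail filter that runs user-supplied commands) reopens the hole, so populate it only with the few programs aliases and .forward files genuinely need.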


7. NFS and NIS attacks, and automated tools to scan for vulnerabilities

We receive weekly reports of intruders using automated tools to scan
sites for hosts that may be vulnerable to NFS and NIS attacks.
Intruders are continuing to exploit the rpc.ypupdated vulnerability to
gain root access, and intruders are still exploiting widely known
vulnerabilities in NFS to gain root access.

For related information, see

ftp://info.cert.org/pub/cert_advisories/CA-95:17.rpc.ypupdated.vul

ftp://info.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities

ftp://info.cert.org/pub/cert_advisories/CA-92:13.SunOS.NIS.vulnerability


What's New at the CERT Coordination Center
- ------------------------------------------

The CERT Coordination Center has a new Web site. It includes
information on Internet security and has a link to the CERT FTP
archive.

http://www.cert.org


What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (January 23,
1996).

* New Additions

ftp://info.cert.org/pub

incident_reporting_form v.3 (replaced v.2 with v.3)

ftp://info.cert.org/pub/cert_advisories

CA-96.01.UDP_service_denial
CA-96.02.bind
CA-96.03.kerberos_4_key_server
CA-96.04.corrupt_info_from_servers
CA-96.05.java_applet_security_mgr
CA-96.06.cgi_example_code

ftp://info.cert.org/pub/cert_bulletins

VB-96.01.splitvt
VB-96.02.sgi
VB-96.03.sun
VB-96.04.bsdi

ftp://info.cert.org/pub/FIRST

conference.info

ftp://info.cert.org/pub/tech_tips

root_compromise

ftp://info.cert.org/pub/tools

/cpm/* (replaced older version with v.1.2)
/sendmail/sendmail.8.7.5 (replaced older version)
/tcp_wrappers/tcp_wrappers_7.3 (replaced older version)
/sendmail/smrsh/* (replaced older version with v.8.4)

ftp://info.cert.org/pub/vendors

/sgi/SGI_contact_info


* Updated Files

ftp://info.cert.org/pub

cert_faq (version 10.2)

ftp://info.cert.org/pub/cert_advisories

CA-94:01 (added info about cpm v.1.2)
CA-95:13 (added info from sendmail author and Cray; added
info from HP and Sun)
CA-95:14 (added info from NEC Corp and Silicon Graphics)
CA-95:17 (added info from IBM)
CA-96.01 (new URL for Argus; added info from Silicon Graphics)
CA-96.02 (added info from IBM, Solbourne, and Silicon
Graphics)
CA-96.03 (added new checksums and patch info; added
info from Transarc and TGV Software, Inc.)
CA-96.04 (added info from Silicon Graphics)
CA-96.05 (added pointer to Netscape 2.01)
rdist-patch-status (added pointer to version 6.1.2)

ftp://info.cert.org/pub/vendors

/hp/HP.contact.info


- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center


Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

URLs: http://www.cert.org/
ftp://info.cert.org/pub/

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
comp.security.announce

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:

Oct 02, 1997 Updated copyright history






-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNDgBu3VP+x0t4w7BAQHFWAP/QZcwNcns6hCjIDGCEWkfFroKHHz8cTde
1zvRmofoLBGJ/Q1y7mo7YHmOUqUPPmOnouYaq+GqdqteuWCZt5pqvB4OokclR14k
9Bg1IvuRY/M5m1CncFjHMdpG8AbikDAaWraJyqrnC7V0Hx2I3w2FLi2CFwU7crdA
PUgAAStZaoM=
=htbT
-----END PGP SIGNATURE-----