FA-98-95.html
Posted Sep 23, 1999

SHA-256 | 20b52dda8d966a268fd1ebfc842e59f1d41b56a8e327b409c3daf85d12a112e0

<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<HEAD>
<TITLE>FedCIRC Advisory FA-98-95</TITLE>
</HEAD>
<BODY>
<H1><IMG SRC="http://attrition.org/images/small_fedcirc_logo.gif" WIDTH="87" HEIGHT="93" ALT="" ALIGN="MIDDLE">
FedCIRC Advisory FA-98-95</H1>
<P>December 14, 1998</P>

<P>
To aid in the wide distribution of essential security information, FedCIRC is
forwarding the following information from CERT/CC summary CS-98.08. FedCIRC
urges you to act on this information as soon as possible.
</P>
<P>
If you have any questions, please contact FedCIRC:<BR>
<BR>
Telephone: +1 888 282 0870<BR>
Email: fedcirc@fedcirc.gov
</P>

<P>
The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our incident
response team, as well as to other noteworthy incident and vulnerability
information. The summary includes pointers to sources of information for
dealing with the problems.
</P>
Past CERT Summaries are available from

<UL>
<A HREF="http://attrition.org/summaries/">http://www.cert.org/summaries/</A><BR>
</UL>

<P>

<HR WIDTH="100%">

<H2>Recent Activity</H2>
<P>
Since the last CERT Summary, issued in August 1998 (<A HREF="http://attrition.org/summaries/CS-98.07.html">CS-98.07</A>), we have seen
these trends in incidents reported to us.
</P>
<OL>

<LI><H3>Vulnerability in mountd</H3>
<P>
We have seen many reports of this vulnerability being exploited on NFS servers
running certain implementations of mountd, primarily Linux. On some systems,
the vulnerable NFS server is enabled by default. This vulnerability can be
exploited even if the NFS server does not export any file systems. Intruders
who are able to exploit the vulnerability can do it remotely and can gain
administrative access. We encourage you to review CERT Advisory
CA-98.12, which describes the mountd vulnerability in more detail.
The advisory is available from

<P><A HREF="http://www.cert.org/advisories/CA-98.12.mountd.html">http://www.cert.org/advisories/CA-98.12.mountd.html</A>

<P>
<LI><H3>Spread of Windows-Based Trojan Horse Programs</H3>
<P>
In recent months, we have seen the spread of Windows-based Trojan
horse programs. The most frequently reported incidents involving
Windows-based Trojan horse programs involve the tools Back Orifice and
NetBus.
<P>
We receive occasional reports of compromised machines that have one of
these tools installed; however, the majority of reports involving
these tools are from sites noticing intruders scanning their networks
for the presence of these tools. We receive daily reports indicating
that intruders are actively scanning networks to find running instances of
these tools on already compromised machines.
<P>
Look for the following symptoms to detect those scans:
<P>
NetBus - connection request (SYN) packets to TCP port 12345<BR>
Back Orifice - UDP packets to port 31337
<P>

Keep in mind that these tools can be configured to listen on different
ports. Because of this, we encourage you to investigate any unexplained
network traffic. <P>


Because these tools are Trojan horses, users must install them or be tricked
into installing them. To impede the proliferation of this class of tools, we
encourage system administrators to educate their users about safe computing
practices (e.g., only install software from trusted sources, and use virus
scanning software on any newly introduced software).<P>

For more information about Back Orifice, we encourage you to review
CERT Vulnerability Note VN-98.07.
<P>
<A HREF="http://www.cert.org/vul_notes/VN-98.07.backorifice.html">http://www.cert.org/vul_notes/VN-98.07.backorifice.html</A>
<P>

<LI><H3>Widespread Scans</H3>
<P>
We continue to receive numerous daily reports of intruders using tools
to scan networks for multiple vulnerabilities. On July 2, we published
an incident note detailing this activity. This document is available
at
<P>
<A HREF="http://www.cert.org/incident_notes/IN-98.02.html">http://www.cert.org/incident_notes/IN-98.02.html</A>
<P>
Since July 2 these tools have become a bit more sophisticated.
Variants of the "mscan" tool now probe for the most recent
vulnerabilities including
<P>
<A HREF="http://www.cert.org/advisories/CA-98.12.mountd.html">http://www.cert.org/advisories/CA-98.12.mountd.html</A>
<P>

Additionally, these tools incorporate the ability to identify a machine's
architecture and operating system.<P>

<LI><H3>Scripted Tools</H3>
<P>
Very recently, we have received a few reports indicating that
intruders are executing widespread attacks using scripted tools to
control various information-gathering and exploitation tools. The
combination of functionality used by the scripted tools enables
intruders to automate the process of identifying and exploiting known
vulnerabilities in specific host platforms. This information is
available at
<P>
<A HREF="http://www.cert.org/incident_notes/IN-98-06.html">http://www.cert.org/incident_notes/IN-98-06.html</A>
<P>

<LI><H3>Stealth Scanning Techniques</H3>
<P>
We have received a few reports indicating that intruders are using
stealth scanning techniques. Stealth scanning is used by intruders to
avoid detection. Details about stealth scanning techniques are
available at
<P>
<A HREF="http://www.cert.org/incident_notes/IN-98.04.html">http://www.cert.org/incident_notes/IN-98.04.html</A>
<P>
</OL>
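<P>
The two scan symptoms named above (SYN packets to TCP port 12345 for NetBus, UDP packets to port 31337 for Back Orifice) can be matched mechanically against connection logs. The following Python is an added example, not part of the FedCIRC or CERT/CC text: it assumes a constructed, vendor-neutral log line format and embeds a few constructed sample lines; the port constants are the defaults the summary names, and the code does not attempt to catch tools reconfigured to other ports.
</P>

```python
"""Flag the NetBus / Back Orifice scan symptoms from the summary in a log.

Assumed log line format (constructed for this example, not any vendor's):
    <timestamp> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port> [tcp_flags]
"""
import re
from collections import Counter

# Default listening ports named in the summary. Both tools can be configured
# to use other ports, so a miss here is not evidence of absence.
NETBUS_TCP_PORT = 12345
BACK_ORIFICE_UDP_PORT = 31337

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+(?P<flags>[A-Z]+))?$"
)

def classify(line):
    """Return 'netbus', 'backorifice' or None for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, dport, flags = m["proto"], int(m["dport"]), m["flags"] or ""
    # NetBus symptom: a connection request, i.e. SYN without ACK, to TCP/12345.
    # A SYN/ACK *from* port 12345 is the reply and is deliberately not counted.
    if proto == "TCP" and dport == NETBUS_TCP_PORT and "S" in flags and "A" not in flags:
        return "netbus"
    # Back Orifice symptom: any UDP datagram to port 31337.
    if proto == "UDP" and dport == BACK_ORIFICE_UDP_PORT:
        return "backorifice"
    return None

def scan_sources(lines):
    """Map each source IP that triggered a symptom to per-symptom counts."""
    hits = {}
    for line in lines:
        label = classify(line)
        if label:
            src = LINE_RE.match(line.strip())["src"]
            hits.setdefault(src, Counter())[label] += 1
    return hits

# Constructed sample log: one host sweeping two targets for NetBus, then one
# Back Orifice probe, mixed with ordinary web and DNS traffic.
SAMPLE_LOG = """\
1998-12-10T03:14:07 TCP 10.0.0.5:1034 -> 192.0.2.10:12345 S
1998-12-10T03:14:07 TCP 10.0.0.5:1035 -> 192.0.2.11:12345 S
1998-12-10T03:14:08 TCP 192.0.2.10:12345 -> 10.0.0.5:1034 SA
1998-12-10T03:14:09 UDP 10.0.0.5:31337 -> 192.0.2.12:31337
1998-12-10T03:15:00 TCP 198.51.100.7:4021 -> 192.0.2.10:80 S
1998-12-10T03:15:01 UDP 198.51.100.7:53 -> 192.0.2.10:53
"""

if __name__ == "__main__":
    for src, counts in scan_sources(SAMPLE_LOG.splitlines()).items():
        print(src, dict(counts))
```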

<BR>
<HR WIDTH="100%"> <BR>

<H2>What's New and Updated</H2>

Since the last CERT Summary, we have developed new and updated

<UL>
<LI>Incident Notes
<LI>Vulnerability Notes
<LI>Advisories
<LI>Vendor-Initiated Bulletins
<LI>System Survivability Research information
<LI>Incident Response Courses
</UL>

If you are interested in any of these, please see our What's New web page for
descriptions and links:

<P><A HREF="http://www.cert.org/nav/whatsnew.html">http://www.cert.org/nav/whatsnew.html</A>
<P>


<HR WIDTH="100%" NOSHADE>

This document is available from: <A HREF="FA-98-95.html">http://www2.fedcirc.gov/alerts/advisories/1998/FA-98-95.html</A>

<HR WIDTH="100%" NOSHADE>

<H2>FedCIRC Contact Information</H2>

<DL>
<B>Email:</B> <A HREF="mailto:fedcirc@fedcirc.gov">fedcirc@fedcirc.gov</A><BR>
<B>Phone:</B> +1 888-282-0870 (24-hour toll-free hotline)<BR>
<B>Phone:</B> +1 412-268-6321 (24-hour hotline)<BR>
<B>Fax:</B> +1 412-268-6989<BR>
<B>Postal address:</B><BR>
<DD>
FedCIRC<BR>
CERT Coordination Center<BR>
Software Engineering Institute<BR>
Carnegie Mellon University<BR>
Pittsburgh PA 15213-3890<BR>
U.S.A.
</DD>
</DL>

FedCIRC personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
<P>

<H4>Using encryption</H4>

<P>We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
<A HREF="http://www2.fedcirc.gov/keys.html">http://www2.fedcirc.gov/keys.html</A>.
If you prefer to use DES, please call the FedCIRC hotline for more
information.

<H4>Getting security information</H4>

FedCIRC publications and other security information are available from
our web site <A HREF="http://www.fedcirc.gov/">http://www.fedcirc.gov/</A>.
<P>

FedCIRC (Federal Computer Incident Response Capability) is operated by
the CERT/CC for the U.S. General Services Administration. FedCIRC
provides security services to U.S. Federal civilian agencies.
<P>

Copyright 1998 Carnegie Mellon University.<BR>
Conditions for use, disclaimers, and sponsorship information can be found in
<A HREF="http://www.cert.org/legal_stuff.html">http://www.cert.org/legal_stuff.html</A>.
<P>

* CERT is registered in the U.S. Patent and Trademark Office

<HR WIDTH="100%" NOSHADE>

<B><U>NO WARRANTY</U></B><BR>
<B>Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.</B>


</BODY>
</HTML>