FA-99-04.cert_summary
Posted Sep 23, 1999

SHA-256 | 73186c8f811e0ce3915992e00da3ad44b950501e87b38699cbce44699a6516ca

FedCIRC Advisory FA-99-04

February 23, 1999

The CERT Coordination Center periodically issues the CERT summary to
draw attention to the types of attacks currently being reported to our
incident response team, as well as to other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.

Past CERT summaries are available from
[1]http://www.cert.org/summaries/
______________________________________________________________________

Recent Activity

Since the last CERT summary, issued in December 1998 ([2]CS-98.08), we
have seen these trends in incidents reported to us.
1. Widespread Scans
We continue to receive numerous daily reports of intruders using
tools to scan networks for multiple vulnerabilities. Intruder
scanning tools continue to become more sophisticated.
On January 28, 1999, we published an incident note describing a
new scanning tool that searches for multiple known vulnerabilities
on remote systems. The tool incorporates probes for known
vulnerabilities, remote operating system identification, and a
scripting language that simplifies automation of probes and
exploitation attempts. For more information, see our incident note
at
[3]http://www.cert.org/incident_notes/IN-99-01.html
Reports also indicate that scanning techniques addressed in
previous CERT incident notes, such as scripted tools and stealth
scanning, are still being employed by intruders. For more
information, see
+ [4]http://www.cert.org/incident_notes/IN-98-06.html
+ [5]http://www.cert.org/incident_notes/IN-98-05.html
+ [6]http://www.cert.org/incident_notes/IN-98.04.html
+ [7]http://www.cert.org/incident_notes/IN-98.02.html
The daily reports of widespread scans and exploitation attempts
involve many vulnerabilities; however, the most frequent reports
involve activity with well-known vulnerabilities in "mountd",
"imap", and "pop3" services for which CERT advisories have been
published. These services are installed and enabled by default in
some operating systems. The scans and exploitation attempts still
result in sites being compromised. See the following advisories
for more information:
+ sunrpc (tcp port 111) and mountd (635)
[8]http://www.cert.org/advisories/CA-98.12.mountd.html
+ imap (tcp port 143)
[9]http://www.cert.org/advisories/CA-98.09.imapd.html
+ pop3 (tcp port 110)
[10]http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
We encourage you to make sure that all systems at your site are up
to date with patches and that your machines are properly secured.
2. Back Orifice and NetBus
We continue to receive daily reports of
incidents involving Windows-based "remote administration" programs
such as Back Orifice and NetBus. Occasionally these are reports of
compromised machines that have one of these tools installed.
However, the majority of these reports involve sites that have
detected intruders scanning for the presence of these tools. These
scans may appear as unauthorized traffic as follows:
+ NetBus - connection requests (SYN) packets to TCP ports
12345, 12346, or 20034
+ Back Orifice - UDP packets to port 31337
Keep in mind that these tools can be configured to listen on
different ports. Because of this, we encourage you to investigate
any unexplained network traffic.
For more information about Back Orifice, review CERT vulnerability
note VN-98.07:
[11]http://www.cert.org/vul_notes/VN-98.07.backorifice.html
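The port indicators given in sections 1 and 2 above (sunrpc, mountd, imap and pop3 probes; NetBus SYNs to TCP 12345, 12346 and 20034; Back Orifice UDP to 31337) can be matched against connection logs. The following script is an added example written for this summary; it is not part of the advisory or of any CERT tool. The log line format, the sample entries and the sweep threshold are constructed for illustration, and the script also flags any single source that touches many distinct ports, since, as noted above, these tools can be configured to listen elsewhere.

```python
import re
from collections import defaultdict

# Destination ports named in sections 1 and 2 of the summary.
TCP_INDICATORS = {
    111: "sunrpc (CA-98.12)",
    635: "mountd (CA-98.12)",
    143: "imap (CA-98.09)",
    110: "pop3 (CA-98.08)",
    12345: "NetBus",
    12346: "NetBus",
    20034: "NetBus",
}
UDP_INDICATORS = {31337: "Back Orifice"}

# Constructed log format (hypothetical, not from the advisory):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> [flags]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<flags>\S+))?$"
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
1999-02-20T03:12:01 tcp 192.0.2.10:4021 -> 198.51.100.5:12345 S
1999-02-20T03:12:01 tcp 192.0.2.10:4022 -> 198.51.100.5:12346 S
1999-02-20T03:12:02 udp 192.0.2.10:4023 -> 198.51.100.5:31337
1999-02-20T03:12:03 tcp 192.0.2.10:4024 -> 198.51.100.6:143 S
1999-02-20T03:12:03 tcp 192.0.2.10:4025 -> 198.51.100.6:111 S
1999-02-20T03:15:44 tcp 203.0.113.7:51000 -> 198.51.100.5:80 S
1999-02-20T03:15:45 tcp 203.0.113.7:51001 -> 198.51.100.5:443 S
1999-02-20T03:20:00 tcp 192.0.2.22:1025 -> 198.51.100.5:110 S
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text, sweep_threshold=4):
    """Per source address: indicator ports hit and whether it swept many ports.

    Only TCP connection requests (SYN without ACK) and UDP datagrams are
    counted; established TCP traffic is ignored.
    """
    ports_by_src = defaultdict(set)
    hits_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "tcp" and rec["flags"] != "S":
            continue
        table = TCP_INDICATORS if rec["proto"] == "tcp" else UDP_INDICATORS
        ports_by_src[rec["src"]].add((rec["proto"], rec["dport"]))
        label = table.get(rec["dport"])
        if label:
            hits_by_src[rec["src"]].add((rec["proto"], rec["dport"], label))
    result = {}
    for src, ports in ports_by_src.items():
        result[src] = {
            "indicators": sorted(hits_by_src[src]),
            "distinct_ports": len(ports),
            # A source touching many distinct ports is worth investigating
            # even when none of them is a known indicator port.
            "sweep": len(ports) >= sweep_threshold,
        }
    return result


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        flags = []
        if info["indicators"]:
            flags.append("indicators: " + ", ".join(
                f"{proto}/{port} {label}" for proto, port, label in info["indicators"]))
        if info["sweep"]:
            flags.append(f"sweep across {info['distinct_ports']} ports")
        print(src, "->", "; ".join(flags) or "no findings")
```

Running the script prints one line per source; 192.0.2.10 is reported both for the NetBus, Back Orifice, imap and sunrpc indicator ports and as a multi-port sweep, while the host that only contacted ports 80 and 443 produces no finding.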
3. Trojan Horse Programs
Over the past few months, we have seen an increase in the number
of incident reports related to Trojan horse programs affecting
both Windows and UNIX platforms.
+ CERT advisory CA-99-02 includes descriptions of several
recent incidents involving Trojan horse programs, including a
false upgrade to Internet Explorer, a Trojan horse version of
TCP Wrappers, and a Trojan horse version of util-linux. The
advisory also provides advice for system and network
administrators, end users, software developers, and
distributors. The advisory is available from
[12]http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
+ CERT advisory CA-99-01 discusses the Trojan horse version of
TCP Wrappers in greater detail and provides information on
how to verify the integrity of your TCP Wrappers
distribution. The advisory is available from
[13]http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
4. FTP Buffer Overflows
Very recently, we have received a few reports of intruders
scanning for and exploiting a remote buffer overflow vulnerability
in various FTP servers. By supplying carefully designed commands
to the FTP server, intruders can force the server to execute
arbitrary commands with root privilege. Intruders can exploit the
vulnerability remotely to gain administrative access. We encourage
you to review text provided by Netect, Inc. in CERT advisory
CA-99-03, which describes the ftpd vulnerability in more detail.
The advisory is available from
[14]http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
__________________________________________________________________

What's New and Updated

Since the last CERT summary, we have developed new and updated
+ Advisories
+ Incident notes
+ Security improvement modules
+ Technical reports
+ The CERT/CC 1998 Annual Report
+ Computer Security Incident Response Team (CSIRT) Handbook
+ Incident response courses
There are descriptions of these documents and links to them on our
What's New web page at
[15]http://www.cert.org/nav/whatsnew.html
__________________________________________________________________

This document is available from:
[16]http://www2.fedcirc.gov/advisories/FA-99-04.html
__________________________________________________________________

FedCIRC Contact Information

Email: [17]fedcirc@fedcirc.gov
Phone: +1 888-282-0870 (24-hour toll-free hotline)
Phone: +1 412-268-6321 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
FedCIRC CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

FedCIRC personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
[18]http://www2.fedcirc.gov/keys.html
If you prefer to use DES, please call the FedCIRC hotline for more
information.
Getting security information
FedCIRC publications and other security information are available
from our web site
[19]http://www.fedcirc.gov/
FedCIRC (Federal Computer Incident Response Capability) is
operated by the CERT/CC for the U.S. General Services
Administration. FedCIRC provides security services to U.S. Federal
civilian agencies.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can
be found in
[20]http://www.cert.org/legal_stuff.html
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
__________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either
expressed or implied as to any matter including, but not limited
to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of
any kind with respect to freedom from patent, trademark, or
copyright infringement.

References

1. http://www2.fedcirc.gov/summaries/
2. http://www2.fedcirc.gov/summaries/CS-98.08.html
3. http://www.cert.org/incident_notes/IN-99-01.html
4. http://www.cert.org/incident_notes/IN-98-06.html
5. http://www.cert.org/incident_notes/IN-98-05.html
6. http://www.cert.org/incident_notes/IN-98.04.html
7. http://www.cert.org/incident_notes/IN-98.02.html
8. http://www.cert.org/advisories/CA-98.12.mountd.html
9. http://www.cert.org/advisories/CA-98.09.imapd.html
10. http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
11. http://www.cert.org/vul_notes/VN-98.07.backorifice.html
12. http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
13. http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
14. http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
15. http://www.cert.org/nav/whatsnew.html
16. http://www2.fedcirc.gov/advisories/FA-99-04.html
17. mailto:fedcirc@fedcirc.gov
18. http://www2.fedcirc.gov/keys.html
19. http://www.fedcirc.gov/
20. http://www.cert.org/legal_stuff.html