FA-99-06.cert_summary
73c598214f1fdf2fa561283d4dacefc3d71fd70a4cc9cb11f73dffe7dc6c2ca9
FedCIRC Advisory FA-99-06
May 25, 1999
The CERT Coordination Center periodically issues the CERT summary to
draw attention to the types of attacks currently being reported to our
incident response team, as well as to other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from
[1]http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last CERT summary, issued in February 1999 ([2]CS-99.01), we
have seen an increase in virus activity and an increase in the use of
some older, known attacks.
Protect your systems. Use current software versions, install patches
as they become available, and update your scanning tools and
anti-virus software with the latest virus signatures or definitions.
Be leery of unsolicited documents or executable programs received in
electronic mail. Be wary of software that comes from untrusted
sources.
1. Virus Activity
In the last three months, we have received many reports of virus
activity. Current versions of anti-virus software can help to
protect your systems from these viruses.
It is important to take great caution with any email or Usenet
attachments that contain executable content. If attachments are in
a message, we recommend that you save the file to the local drive
and scan the file with an anti-virus scanning product before you
open or run the file. Be aware that this is not a guarantee that
the contents of the file are safe, but it will check for viruses
and Trojan horses that your scanning software can detect.
Melissa
The Melissa virus spreads mainly as Microsoft Word 97 and Word
2000 attachments in email. It can be detected and removed by
current versions of anti-virus software. For more information see
CERT Advisory CA-99-04 Melissa Macro Virus
[3]http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Viru
s.html
Frequently Asked Questions About the Melissa Virus
[4]http://www.cert.org/tech_tips/Melissa_FAQ.html
CIH/Chernobyl
The CIH virus infects executable files and is spread by executing
an infected file. Since many files are executed during normal use
of a computer, the CIH virus can infect many files quickly. The
most common version of the virus becomes active on April 26, but
there are other versions that become active on the 26th day of
other months (especially June 26). For more information, see
Incident Note IN-99-03 CIH/Chernobyl Virus
[5]http://www.cert.org/incident_notes/IN-99-03.html
Frequently Asked Questions About the CIH Virus
[6]http://www.cert.org/tech_tips/CIH_FAQ.html
Happy99
Happy99.exe is a Trojan horse virus. The first time Happy99.exe is
executed, a fireworks display saying "Happy 99" appears on the
computer screen. At the same time, it modifies system files to
email itself to other people. For more information, see
IN-99-02 Happy99.exe Trojan Horse
[7]http://www.cert.org/incident_notes/IN-99-02.html
CA-99-02 Trojan Horses
[8]http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
2. Resurgence of SYN Attacks
Recently we have received an increased number of reports of SYN
attacks that result in a denial of service. This is a known
exploitation method for which protection is available. For
information about how SYN attacks work and how to protect your
systems, see
CERT Advisory CA-96.21 TCP SYN Flooding and IP Spoofing Attacks
[9]http://www.cert.org/advisories/CA-96.21.tcp_syn_flooding.h
tml
For more information about denial of service attacks, see
Denial of Service
[10]http://www.cert.org/tech_tips/denial_of_service.html
3. Continued Widespread Scans
We are still receiving daily reports of intruders using tools to
scan networks for multiple vulnerabilities. Intruder scanning
tools continue to become more sophisticated, varying from scripted
tools and stealth scanning techniques to a tool that incorporates
probes for known vulnerabilities, remote operating system
identification, and a scripting language that simplifies
automation of probes and exploitation attempts. For more
information, see
"sscan" Scanning Tool
[11]http://www.cert.org/incident_notes/IN-99-01.html
Automated Scanning and Exploitation
[12]http://www.cert.org/incident_notes/IN-98-06.html
Probes with Spoofed IP Addresses
[13]http://www.cert.org/incident_notes/IN-98-05.html
Advanced Scanning
[14]http://www.cert.org/incident_notes/IN-98.04.html
New Tools Used for Widespread Scans
[15]http://www.cert.org/incident_notes/IN-98.02.html
The most frequent reports involve well-known vulnerabilities in
mountd, IMAP, and POP3. These services are installed and enabled
by default in some operating systems. See the following advisories
for more information:
sunrpc (TCP port 111) and mountd (635)
[16]http://www.cert.org/advisories/CA-98.12.mountd.html
IMAP (TCP port 143)
[17]http://www.cert.org/advisories/CA-98.09.imapd.html
POP3 (TCP port 110)
[18]http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
While these scans involve known vulnerabilites for which patches
are available, the scans and exploitation attempts still result in
sites being compromised because system security has not been kept
up-to-date. Protect your systems. Make sure that all systems at
your site have current versions of patches and that your machines
are properly secured.
4. Web Server Attacks
We have been receiving reports of attacks exploiting
vulnerabilities in sample applications in Cold Fusion and IIS. The
attacks result in read and write access on the web server,
allowing intruders to change web pages at will. For information,
see
Allaire Security Bulletin ASB99-02 ColdFusion 4.0 Example
Applications and Sample Code Exposes Servers
[19]http://www.allaire.com/security/
Microsoft Internet Information Server 4.0 Security Checklist
[20]http://www.microsoft.com/security/products/iis/checklist.
asp
______________________________________________________________________
What's New and Updated
Since the last CERT summary, we have developed new and updated
* Advisories
* Incident notes
* Security improvement modules
* Technical reports
* Information about computer security education
There are descriptions of these documents and links to them on our
What's New web page at
[21]http://www.cert.org/nav/whatsnew.html
______________________________________________________________________
This document is available from:
[22]http://www2.fedcirc.gov/advisories/FA-99-06.html
______________________________________________________________________
FedCIRC Contact Information
Email: [23]fedcirc@fedcirc.gov
Phone: +1 888-282-0870 (24-hour toll-free hotline)
Phone: +1 412-268-6321 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
FedCIRC CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
FedCIRC personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
[24]http://www2.fedcirc.gov/keys.html
If you prefer to use DES, please call the FedCIRC hotline for more
information.
Getting security information
FedCIRC publications and other security information are available from
our web site
[25]http://www.fedcirc.gov/
FedCIRC (Federal Computer Incident Response Capability) is operated by
the CERT/CC for the U.S. General Services Administration. FedCIRC
provides security services to U.S. Federal civilian agencies.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in
[26]http://www.cert.org/legal_stuff.html
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
References
1. http://www2.fedcirc.gov/summaries/
2. http://www2.fedcirc.gov/summaries/CS-99.01.html
3. http://www2.fedcirc.gov/advisories/CA-99-04-Melissa-Macro-Virus.html
4. http://www2.fedcirc.gov/tech_tips/Melissa_FAQ.html
5. http://www2.fedcirc.gov/incident_notes/IN-99-03.html
6. http://www2.fedcirc.gov/tech_tips/CIH_FAQ.html
7. http://www2.fedcirc.gov/incident_notes/IN-99-02.html
8. http://www2.fedcirc.gov/advisories/CA-99-02-Trojan-Horses.html
9. http://www2.fedcirc.gov/advisories/CA-96.21.tcp_syn_flooding.html
10. http://www2.fedcirc.gov/tech_tips/denial_of_service.html
11. http://www.cert.org/incident_notes/IN-99-01.html
12. http://www.cert.org/incident_notes/IN-98-06.html
13. http://www.cert.org/incident_notes/IN-98-05.html
14. http://www.cert.org/incident_notes/IN-98.04.html
15. http://www.cert.org/incident_notes/IN-98.02.html
16. http://www.cert.org/advisories/CA-98.12.mountd.html
17. http://www.cert.org/advisories/CA-98.09.imapd.html
18. http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
19. http://www.allaire.com/security/
20. http://www.microsoft.com/security/products/iis/checklist.asp
21. http://www.cert.org/nav/whatsnew.html
22. http://www2.fedcirc.gov/advisories/FA-99-06.html
23. mailto:fedcirc@fedcirc.gov
24. http://www2.fedcirc.gov/keys.html
25. http://www.fedcirc.gov/
26. http://www.cert.org/legal_stuff.html