what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CS-2001-02

CS-2001-02
Posted May 30, 2001
Site cert.org

CERT Quarterly Summary for May, 2001. Since the last regularly scheduled CERT summary, issued in February 2001 (CS-2001-01), we have seen a significant increase in reconnaissance activity, a number of self-propagating worms, and active exploitation of vulnerabilities in snmpxdmid, BIND and IIS by intruders.

tags | worm, vulnerability
SHA-256 | 4a4c69c74f9f9dfbf99e62d106c6b336a191d5792a093ca4b01aa1079a25f3c2

CS-2001-02

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2001-02

May 29, 2001

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.

Past CERT summaries are available from:

CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in February
2001 (CS-2001-01), we have seen a significant increase in
reconnaissance activity, a number of self-propagating worms, and
active exploitation of vulnerabilities in snmpxdmid, BIND and IIS by
intruders

For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.

CERT/CC Current Activity
http://www.cert.org/current/current_activity.html


1. sadmind/IIS Worm

The CERT/CC has received reports from more than 400 sites affected
by a piece of self-propagating malicious code (referred to here as
the sadmind/IIS worm). This worm uses two well-known
vulnerabilities to compromise Solaris systems and deface web pages
running on IIS servers. Reports indicate more than 500 Solaris
machines have been compromised by the sadmind/IIS worm and more
than 6000 IIS servers have been defaced. Sites running either
Solaris or IIS are strongly encouraged to review CA-2001-11 and
those running IIS should review the advisories listed below in the
"Other Recent IIS Security Issues" section as well.

CERT Advisory CA-2001-11: sadmind/IIS Worm
http://www.cert.org/advisories/CA-2001-11.html


2. Other Recent IIS Security Issues

The CERT/CC has recently published information on two new
vulnerabilities in IIS. Given the current level of exploitation of
IIS by intruders and the sadmind/IIS worm, the CERT/CC strongly
encourages sites to review the following advisories and take
appropriate steps to protect IIS servers.

+ Superfluous Decoding Vulnerability in IIS

A serious vulnerability in Microsoft IIS may allow remote
intruders to execute commands on an IIS web server. This
vulnerability closely resembles a previous vulnerability in
IIS that was widely exploited. The CERT/CC urges IIS
administrators to take action to correct this vulnerability.

CERT Advisory CA-2001-12: Superfluous Decoding
Vulnerability in IIS
http://www.cert.org/advisories/CA-2001-12.html


+ Buffer Overflow Vulnerability in Microsoft IIS 5.0

A vulnerability exists in Microsoft IIS 5.0 running on
Windows 2000 that allows a remote intruder to run arbitrary
code on the victim machine, allowing them to gain complete
administrative control of the machine. A proof-of-concept
exploit is publicly available for this vulnerability, which
increases the urgency that system administrators apply the
patch.

CERT Advisory CA-2001-10: Buffer Overflow
Vulnerability in Microsoft IIS 5.0
http://www.cert.org/advisories/CA-2001-10.html

Additional advice on securing IIS web servers is available from:

Microsoft Technet Security Tools
http://www.microsoft.com/technet/security/tools.asp


3. Exploitation of snmpXdmid

The CERT/CC has received dozens of reports indicating that a
vulnerability in snmpXdmid is being actively exploited.
Exploitation of this vulnerability allows an intruder to gain
privileged (root) access to the system.

CERT Advisory CA-2001-05: Exploitation of snmpXdmid
http://www.cert.org/advisories/CA-2001-05.html


4. Exploitation of BIND Vulnerabilities

On January 29, 2001, the CERT/CC published CERT Advisory
CA-2001-02, detailing multiple vulnerabilities in multiple
versions of ISC BIND nameserver software. Two of the
vulnerabilities described in the advisory are still being actively
exploited by the intruder community to compromise systems.

CERT Incident Note IN-2001-03: Exploitation of BIND
Vulnerabilities
http://www.cert.org/incident_notes/IN-2001-03.html

CERT Advisory CA-2001-02: Multiple Vulnerabilities in
BIND
http://www.cert.org/advisories/CA-2001-02.html


5. The "cheese" Worm

The CERT/CC has observed in public and private reports a recent
pattern of activity surrounding probes to TCP port 10008. We have
obtained an artifact called the "cheese" worm which may contribute
to this pattern.

CERT Incident Note IN-2001-05: The "cheese" Worm
http://www.cert.org/incident_notes/IN-2001-05.html


6. Increase in Reconnaissance Activity

Over the past several weeks, the CERT/CC has observed a
significant increase in network reconnaissance activity. While
some of this traffic may be attributed to the sadmind/IIS worm or
the "cheese" worm, reports indicate active scanning for known
vulnerabilities in other network services as well. In addition, we
have seen a significant increase in the number of generalized port
scans of hosts.

In order to minimize exposure to this activity, the CERT/CC
recommends that sites review and apply vendor-supplied security
patches, disable non-critical network services, and actively
monitor system and network logs for unusual activity.


7. Statistical Weaknesses in TCP/IP Initial Sequence Numbers

A new vulnerability has been identified which is present when
using random increments to constantly increase TCP ISN values over
time. Systems are vulnerable if they have not incorporated RFC
1948 or equivalent improvements, or do not use cryptographically
secure network protocols like IPsec.

CERT Advisory CA-2001-09: Statistical Weaknesses in
TCP/IP Initial Sequence Numbers
http://www.cert.org/advisories/CA-2001-09.html
_________________________________________________________________

Collaboration between the CERT Coordination Center and the Internet Security
Alliance

Using its standard process for collaborating with industry
organizations, the CERT/CC, as part of the SEI, has entered into an
agreement with the Electronic Industries Alliance, a not-for-profit
organization in Virginia, to support the activity of the Internet
Security Alliance (ISA). ISA is a member organization that is focused
on the overall improvement of Internet security.

Internet Security Alliance
http://www.isalliance.org

Frequently Asked Questions (FAQ) about the collaboration
between CERT Coordination Center and the Internet Security
Alliance
http://www.cert.org/faq/certcc_ISA.html
_________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated
* Advisories
http://www.cert.org/advisories/
* Incident Notes
http://www.cert.org/incident_notes/
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Annual Reports
http://www.cert.org/annual_rpts/
______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2001-02.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright ©2001 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOxQFvgYcfu8gsZJZAQGhBwQAnOGWyK2i3snaTskm3SvFycSFQCIhatKI
0+UrWPAX4oR5dYcygJwg23/QSuN2deQuLatfJSRKHW+hYKVgJlHxoBED0CPspkhx
ezU47UcqLFKk2QI3Bt3cG22i28qxjpEOZNn325MfrxJg/q2XdUFZcpqkdian5otJ
Lv+z0JyeV/M=
=I/U5
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

August 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    15 Files
  • 2
    Aug 2nd
    22 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    11 Files
  • 7
    Aug 7th
    43 Files
  • 8
    Aug 8th
    42 Files
  • 9
    Aug 9th
    36 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    27 Files
  • 13
    Aug 13th
    18 Files
  • 14
    Aug 14th
    50 Files
  • 15
    Aug 15th
    33 Files
  • 16
    Aug 16th
    23 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    43 Files
  • 20
    Aug 20th
    29 Files
  • 21
    Aug 21st
    42 Files
  • 22
    Aug 22nd
    26 Files
  • 23
    Aug 23rd
    25 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    21 Files
  • 27
    Aug 27th
    28 Files
  • 28
    Aug 28th
    15 Files
  • 29
    Aug 29th
    41 Files
  • 30
    Aug 30th
    13 Files
  • 31
    Aug 31st
    467 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close