Posted May 30, 2001
Site cert.org

CERT Quarterly Summary for May, 2001. Since the last regularly scheduled CERT summary, issued in February 2001 (CS-2001-01), we have seen a significant increase in reconnaissance activity, a number of self-propagating worms, and active exploitation of vulnerabilities in snmpxdmid, BIND and IIS by intruders.

tags | worm, vulnerability
SHA-256 | 4a4c69c74f9f9dfbf99e62d106c6b336a191d5792a093ca4b01aa1079a25f3c2




CERT Summary CS-2001-02

May 29, 2001

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.

Past CERT summaries are available from:

CERT Summaries

Recent Activity

Since the last regularly scheduled CERT summary, issued in February
2001 (CS-2001-01), we have seen a significant increase in
reconnaissance activity, a number of self-propagating worms, and
active exploitation of vulnerabilities in snmpxdmid, BIND and IIS by
intruders.

For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.

CERT/CC Current Activity

1. sadmind/IIS Worm

The CERT/CC has received reports from more than 400 sites affected
by a piece of self-propagating malicious code (referred to here as
the sadmind/IIS worm). This worm uses two well-known
vulnerabilities to compromise Solaris systems and deface web pages
running on IIS servers. Reports indicate more than 500 Solaris
machines have been compromised by the sadmind/IIS worm and more
than 6000 IIS servers have been defaced. Sites running either
Solaris or IIS are strongly encouraged to review CA-2001-11 and
those running IIS should review the advisories listed below in the
"Other Recent IIS Security Issues" section as well.

CERT Advisory CA-2001-11: sadmind/IIS Worm

2. Other Recent IIS Security Issues

The CERT/CC has recently published information on two new
vulnerabilities in IIS. Given the current level of exploitation of
IIS by intruders and the sadmind/IIS worm, the CERT/CC strongly
encourages sites to review the following advisories and take
appropriate steps to protect IIS servers.

+ Superfluous Decoding Vulnerability in IIS

A serious vulnerability in Microsoft IIS may allow remote
intruders to execute commands on an IIS web server. This
vulnerability closely resembles a previous vulnerability in
IIS that was widely exploited. The CERT/CC urges IIS
administrators to take action to correct this vulnerability.

CERT Advisory CA-2001-12: Superfluous Decoding
Vulnerability in IIS

+ Buffer Overflow Vulnerability in Microsoft IIS 5.0

A vulnerability exists in Microsoft IIS 5.0 running on
Windows 2000 that allows a remote intruder to run arbitrary
code on the victim machine, allowing them to gain complete
administrative control of the machine. A proof-of-concept
exploit is publicly available for this vulnerability, which
increases the urgency that system administrators apply the

CERT Advisory CA-2001-10: Buffer Overflow
Vulnerability in Microsoft IIS 5.0

Additional advice on securing IIS web servers is available from:

Microsoft Technet Security Tools

3. Exploitation of snmpXdmid

The CERT/CC has received dozens of reports indicating that a
vulnerability in snmpXdmid is being actively exploited.
Exploitation of this vulnerability allows an intruder to gain
privileged (root) access to the system.

CERT Advisory CA-2001-05: Exploitation of snmpXdmid

4. Exploitation of BIND Vulnerabilities

On January 29, 2001, the CERT/CC published CERT Advisory
CA-2001-02, detailing multiple vulnerabilities in multiple
versions of ISC BIND nameserver software. Two of the
vulnerabilities described in the advisory are still being actively
exploited by the intruder community to compromise systems.

CERT Incident Note IN-2001-03: Exploitation of BIND

CERT Advisory CA-2001-02: Multiple Vulnerabilities in BIND

5. The "cheese" Worm

The CERT/CC has observed in public and private reports a recent
pattern of activity surrounding probes to TCP port 10008. We have
obtained an artifact called the "cheese" worm which may contribute
to this pattern.

CERT Incident Note IN-2001-05: The "cheese" Worm

6. Increase in Reconnaissance Activity

Over the past several weeks, the CERT/CC has observed a
significant increase in network reconnaissance activity. While
some of this traffic may be attributed to the sadmind/IIS worm or
the "cheese" worm, reports indicate active scanning for known
vulnerabilities in other network services as well. In addition, we
have seen a significant increase in the number of generalized port
scans of hosts.

In order to minimize exposure to this activity, the CERT/CC
recommends that sites review and apply vendor-supplied security
patches, disable non-critical network services, and actively
monitor system and network logs for unusual activity.
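The monitoring advice above, as an added example that is not part of the CERT summary: a small Python detector that parses constructed netfilter-style firewall log lines, flags sources probing TCP port 10008 (the "cheese" worm pattern from section 5) and sources touching many distinct ports (the generalized port scans described here). The log format, addresses and the five-port threshold are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Constructed sample lines in a netfilter-style syslog format (not taken from the CERT summary).
SAMPLE_LOG = """\
May 29 10:00:01 fw kernel: DROP SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP DPT=10008
May 29 10:00:02 fw kernel: DROP SRC=192.0.2.5 DST=198.51.100.11 PROTO=TCP DPT=10008
May 29 10:01:10 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=21
May 29 10:01:11 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22
May 29 10:01:12 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=53
May 29 10:01:13 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=80
May 29 10:01:14 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=111
May 29 10:01:15 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443
May 29 10:05:00 fw kernel: DROP SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")
CHEESE_PORT = 10008  # IN-2001-05: probes to TCP port 10008 associated with the "cheese" worm

def parse(log_text):
    """Return (src, dst, proto, dport) tuples for every line that matches the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events

def find_port_scanners(events, min_distinct_ports=5):
    """Sources that touched at least `min_distinct_ports` different destination ports."""
    ports_by_src = defaultdict(set)
    for src, _dst, _proto, dpt in events:
        ports_by_src[src].add(dpt)
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_distinct_ports}

def find_cheese_probes(events):
    """Sources that sent TCP traffic to port 10008, the pattern the "cheese" worm note describes."""
    return sorted({src for src, _d, proto, dpt in events if proto == "TCP" and dpt == CHEESE_PORT})
```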

7. Statistical Weaknesses in TCP/IP Initial Sequence Numbers

A new vulnerability has been identified in implementations that
generate TCP initial sequence numbers (ISNs) by adding random
increments to a counter over time. Systems are vulnerable if they have
not incorporated RFC 1948 or equivalent improvements, or do not use
cryptographically secure network protocols like IPsec.

CERT Advisory CA-2001-09: Statistical Weaknesses in
TCP/IP Initial Sequence Numbers
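As an added illustration that is not part of the CERT summary, the following Python contrasts the random-increment scheme the advisory describes with an RFC 1948-style generator (global clock plus a keyed-hash offset per connection 4-tuple), and measures how tightly successive ISNs bound each other under each scheme. The secret, addresses, step bound and clock values are constructed for the demo.

```python
import hashlib
import random

# Constructed per-boot secret for the demo; a real stack would draw this from a CSPRNG at boot.
SECRET = b"constructed-demo-secret-do-not-reuse"
MASK32 = 0xFFFFFFFF

def rfc1948_isn(src_ip, src_port, dst_ip, dst_port, clock_ticks, secret=SECRET):
    """RFC 1948 ISN: a global clock M plus F(4-tuple, secret), F being a keyed hash
    (MD5 in the RFC). The offset is fixed per connection but unknown to third parties."""
    material = f"{src_ip}:{src_port}:{dst_ip}:{dst_port}".encode() + secret
    offset = int.from_bytes(hashlib.md5(material).digest()[:4], "big")
    return (clock_ticks + offset) & MASK32

def random_increment_series(count, seed, max_step=128000):
    """The scheme CA-2001-09 describes: every new ISN is the last one plus a random step,
    so all connections share one drifting value regardless of who the peer is."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    isns = [rng.randrange(0, 1 << 32)]
    for _ in range(count - 1):
        isns.append((isns[-1] + rng.randrange(1, max_step)) & MASK32)
    return isns

def delta_spread(isns):
    """Range of successive ISN differences: how tightly one observed value bounds the next."""
    deltas = [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]
    return min(deltas), max(deltas)

def rfc1948_spread(count, clock_step=1000):
    """Same measurement for RFC 1948 ISNs handed to `count` different peers at successive
    clock ticks: the keyed offset dominates, so the deltas are not usefully bounded."""
    isns = [rfc1948_isn("198.51.100.10", 80, "203.0.113.%d" % (i + 1), 40000 + i, i * clock_step)
            for i in range(count)]
    return delta_spread(isns)
```

With random increments every delta stays below the step bound, which is the statistical weakness the advisory points at; with RFC 1948 the same connection still advances with the clock, but values seen by other peers do not constrain it.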

Collaboration between the CERT Coordination Center and the Internet Security Alliance

Using its standard process for collaborating with industry
organizations, the CERT/CC, as part of the SEI, has entered into an
agreement with the Electronic Industries Alliance, a not-for-profit
organization in Virginia, to support the activity of the Internet
Security Alliance (ISA). ISA is a member organization that is focused
on the overall improvement of Internet security.

Internet Security Alliance

Frequently Asked Questions (FAQ) about the collaboration
between CERT Coordination Center and the Internet Security Alliance

What's New and Updated

Since the last CERT Summary, we have published new and updated:
* Advisories
* Incident Notes
* CERT/CC Statistics
* Annual Reports

This document is available from:

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from


If you prefer to use DES, please call the CERT hotline for more

Getting security information

CERT publications and other security information are available from
our web site


To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright ©2001 Carnegie Mellon University.

