-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================================== >> CERT-NL, 01-Mar-2000 << >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links << >> to CERT-NL information contained in this advisory are therefore outdated. << >> << >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the << >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the << >> complete CERT-CC advisory texts: http://www.cert.org << =============================================================================== =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : CERT-NL (Teun Nijssen) Index : S-93-20 Distribution : World Page : 1 Classification: External Version: Final Subject : Internet Security Scanner Date : 01-Oct-93 ============================================================================== CERT-NL attends its constituency on the public release of the Internet Security Scanner, posted to comp.sources.misc on 29-Sep-1993. Within hours of its appearance on Netnews, Internet domains were being scanned for weaknesses by potential hackers. Site Security Contacts not able to retrieve the sources of this tool, can ask cert-nl@surfnet.nl for copies. The following text is taken verbatim from the advisory of CIAC one of CERT-NL's sister organisations in the USA. _________________________________________________________________________ PROBLEM: Automated attacks on networked computers. PLATFORM: All systems supporting TCP/IP networking. DAMAGE: Unauthorized access to information and computer resources. SOLUTION: Examine machines for vulnerabilities detailed below and apply fixes as needed. __________________________________________________________________________ Critical Information about Automated Network Scanning Software CIAC has learned that software allowing automated scanning of networked computers for security vulnerabilities was recently made publicly available on the Internet. The software package, known as ISS or Internet Security Scanner, will interrogate all computers within a specified IP address range, determining the security posture of each with respect to several common system vulnerabilities. The software was designed as a security tool for system and network administrators. However, given its wide distribution and ability to scan remote networks, CIAC feels that it is likely ISS will also be used to locate vulnerable hosts for malicious reasons. While none of the vulnerabilities ISS checks for are new, their aggregation into a widely available automated tool represents a higher level of threat to networked machines. CIAC has analyzed the operation of the program and strongly recommends that administrators take this opportunity to re-examine systems for the vulnerabilities described below. Also detailed below are available security tools that may assist in the detection and prevention of malicious use of ISS. Finally, common symptoms of an ISS attack are outlined to allow detection of malicious use. ISS Vulnerabilities - ------------------- The following vulnerabilities are tested for by the ISS tool. Administrators should verify the state of their systems and perform corrective actions as indicated. Default Accounts The accounts "guest" and "bbs", if they exist, should have non-trivial passwords. If login access to these accounts is not needed, they should be disabled by placing a "*" in the password field and the string "/bin/false" in the shell field in /etc/passwd. See the system manual entry for "passwd" for more information on changing passwords and disabling accounts. For example, the /etc/passwd entry for a disabled guest account should resemble the following: guest:*:2311:50:Guest User:/home/guest:/bin/false lp Account The account "lp", if it exists, should not allow logins. It should be disabled by placing a "*" in the password field and the string "/bin/false" in the shell field in /etc/passwd. Decode Alias Mail aliases for decode and uudecode should be disabled on UNIX systems. If the file /etc/aliases contains entries for these programs, they should be disabled by placing a "#" at the beginning of the line and then executing the command "newaliases". Consult the manual page for "aliases" for more information on UNIX mail aliases. A disabled decode alias should appear as follows: # decode: "|/usr/bin/uudecode" Sendmail The sendmail commands "wiz" and "debug" should be disabled. This may be verified by executing the following commands: % telnet hostname 25 220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 PDT wiz You wascal wabbit! Wandering wizards won't win! (or 500 Command unrecognized) quit % telnet hostname 25 220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 PDT debug 500 Command unrecognized quit If the "wiz" command returns "Please pass, oh mighty wizard", your system is vulnerable to attack. The command should be disabled by adding a line to the sendmail.cf configuration file containing the string: OW* If the "debug" command responds with the string "200 Debug set", you should immediately obtain a newer version of sendmail software from your vendor. Anonymous FTP Anonymous FTP allows users without accounts to have restricted access to certain directories on the system. The availability of anonymous FTP on a given system may be determined by executing the following commands: % ftp hostname Connected to hostname. 220 host FTP server ready. Name (localhost:jdoe): anonymous 530 User anonymous unknown. Login failed. The above results indicate that anonymous FTP is not enabled. If the system instead replies with the string "331 Guest login ok" and then prompts for a password, anonymous FTP access is enabled. The configuration of systems allowing anonymous FTP should be checked carefully, as improperly configured FTP servers are frequently attacked. Refer to CIAC Bulletin D-19 for more information. NIS SunOS 4.x machines using NIS are vulnerable unless the patch 100482 has been installed. See CIAC Bulletin C-25 for more information regarding this patch. NFS Filesystems exported under NFS should be mountable only by a restricted set of hosts. The UNIX "showmount" command will display the filesystems exported by a given host: % /usr/etc/showmount -e hostname export list for hostname: /usr hosta:hostb:hostc /usr/local (everyone) The above output indicates that this NFS server is exporting two partitions: /usr, which can be mounted by hosta, hostb, and hostc; and /usr/local which can be mounted by anyone. In this case, access to the /usr/local partition should be restricted. Consult the system manual entry for "exports" or "NFS" for more information. rusers The UNIX rusers command displays information about accounts currently active on a remote system. This may provide an attacker with account names or other information useful in mounting an attack. To check for the availability of rusers information on a particular machine, execute the following command: % rusers -l hostname hostname: RPC: Program not registered If the above example had instead generated a list of user names and login information, a rusers server is running on the host. The server may be disabled by placing a "#" at the beginning of the appropriate line in the file /etc/inetd.conf and then sending the SIGHUP signal to the inetd process. For example, a disabled rusers entry might appear as follows: #rusersd/2 dgram rpc/udp wait root /usr/etc/rusersd rusersd rexd The UNIX remote execution server rexd provides only minimal authentication and is easily subverted. It should be disabled by placing a "#" at the beginning of the rexd line in the file /etc/inetd.conf and then sending the SIGHUP signal to the inetd process. The disabled entry should resemble the following: #rexd/1 stream rpc/tcp wait root /usr/etc/rexd rexd Available Tools - --------------- There are several available security tools that may be used to prevent or detect malicious use of ISS. They include the following: SPI SPI, the Security Profile Inspector, will detect the system vulnerabilities described above, as well as many others. U.S. Government agencies interested in obtaining SPI should send E-mail to spi@cheetah.llnl.gov or call (510) 422-3881 for more information. COPS The COPS security tool will also detect the vulnerabilities described above. It is available via anonymous FTP from ftp.cert.org in the directory /pub/tools/cops/1.04. ISS Running ISS on your systems will provide you with the same information an attacker would obtain, allowing you to correct vulnerabilities before they can be exploited. Note that the current version of the software is known to function poorly on some operating systems. If you should have difficulty using the software, please contact CIAC for assistance. ISS may be obtained via anonymous FTP from ftp.uu.net in the directory /usenet/comp.sources.misc/volume39/iss. TCP Wrappers Access to most UNIX network services can be more closely controlled using software known as a TCP wrapper. The wrapper provides additional access control and flexible logging features that may assist in both the prevention and detection of network attacks. This software is available via anonymous FTP from ftp.win.tue.nl in the file /pub/security/tcp_wrappers_6.0.shar.Z Detecting an ISS Attack - ----------------------- Given the wide distribution of the ISS tool, CIAC feels that remote attacks are likely to occur. Such attacks can cause system warnings to be generated that may prove useful in tracking down the source of the attack. The most probable indicator of an ISS attack is a mail message sent to "postmaster" on the scanned system similar to the following: From: Mailer-Daemon@hostname (Mail Delivery Subsystem) Subject: Returned mail: Unable to deliver mail Message-Id: <9309291633.AB04591@> To: Postmaster@hostname ----- Transcript of session follows ----- <<< VRFY guest 550 guest... User unknown <<< VRFY decode 550 decode... User unknown <<< VRFY bbs 550 bbs... User unknown <<< VRFY lp 550 lp... User unknown <<< VRFY uudecode 550 uudecode... User unknown <<< wiz 500 Command unrecognized <<< debug 500 Command unrecognized 421 Lost input channel to remote.machine ----- No message was collected ----- If you should receive such a message, it is likely that your machine and others on your network have been scanned for vulnerabilities. You should immediately contact your computer security officer for assistance in assessing the damage and taking corrective action. - --------------------------------------------------------------------------- CERT-NL thanks CIAC for sharing this information with its FIRST partners and advises its constituency to check their own domains for weaknesses with this tools. ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://cert.surfnet.nl/ In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS Phone: +31 302 305 305 BUSINESS HOURS ONLY Fax: +31 302 305 329 BUSINESS HOURS ONLY Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES: THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU. =============================================================================== -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQA/AwUBOL6WCTSYjBqwfc9jEQLdUgCghqOrBaOPh/I5QXXxBzQ0llNuVycAnReV f4LdLtAy2LW0LwtDZeZ1w8hz =Shsi -----END PGP SIGNATURE-----