copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
» ESB-1999.177 -- CERT Summary CS-99-04 -- CERT Summary
ESB-1999.177 -- CERT Summary CS-99-04 -- CERT Summary
Date:
24 November 1999
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-1999.177 -- CERT Summary CS-99-04 CERT Summary 24 November 1999 =========================================================================== The CERT Coordination Centre has released the following summary concerning types of attacks currently being reported. AusCERT has noted similar trends reported within Australia and New Zealand. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CERT Summary CS-99-04 November 23, 1999 Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available from http://www.cert.org/summaries/ ______________________________________________________________________ Reminder: New CERT/CC PGP Key On October 4, 1999, the PGP key for the CERT/CC was replaced with a new PGP key. For more information, see http://www.cert.org/contact_cert/encryptmail.html ______________________________________________________________________ "CERT/CC Current Activity" Web Page The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC. It is available from http://www.cert.org/current/current_activity.html The information on the Current Activity page will be reviewed and updated as reporting trends change. ______________________________________________________________________ Year 2000 (Y2K) Information The CERT/CC has published information regarding the Y2K problem: Y2K Information http://www.cert.org/y2k-info/ ______________________________________________________________________ Recent Activity Since the last CERT summary, issued in August 1999 (CS-99-03), we have published advisories on WU-FTPD, BIND, CDE, and AMD. We have also analyzed and published information regarding distributed intruder tools. Among other activity, we continue to see widespread scans for known vulnerabilities. 1. Distributed Intruder Tools Denial of Service We have received reports of intruders compromising machines in order to install distributed systems used for launching packet flooding denial-of-service attacks. The systems typically contain a small number of servers and a large number of clients. These reports indicate that machines participating in such distributed systems are likely to have been root compromised. You can find more information in CERT Incident Note 99-07 http://www.cert.org/incident_notes/IN-99-07.html Sniffer We have received reports of intruders using distributed network sniffers to capture usernames and passwords. The distributed sniffer consists of a client and a server portion. As of this summary, the sniffer clients have been found exclusively on compromised Linux hosts. For more information please see CERT Incident Note 99-06 http://www.cert.org/incident_notes/IN-99-06.html 2. CDE Vulnerabilities Multiple vulnerabilities have been identified in some distributions of the Common Desktop Environment (CDE). These vulnerabilities are different from those discussed in CA-98.02 and can lead to intruders gaining root access on vulnerable systems. For more information please see CERT Advisory CA-99-11 http://www.cert.org/advisories/CA-99-1-CDE.html 3. BIND Vulnerabilities Several vulnerabilities have been found in BIND, the popular domain name server from the Internet Software Consortium (ISC). One of these vulnerabilities may allow remote intruders to gain privileged access to name servers. The others can severely disrupt the operation of the name server. For more information, please see CERT Advisory CA-99-14 http://www.cert.org/advisories/CA-99-14-bind.html 4. WU-FTPD Vulnerabilities Three vulnerabilities have been identified in WU-FTPD and other ftp daemons based on the WU-FTPD source code. WU-FTPD is a common package used to provide File Transfer Protocol (FTP) services. Remote and local intruders may be able to exploit these vulnerabilities to execute arbitrary code as the user running the ftp daemon (usually root). Incidents involving the first of these three vulnerabilities have been reported to the CERT Coordination Center. For more information please see CERT Advisory CA-99-13 http://www.cert.org/advisories/CA-99-13-wuftpd.html 5. AMD Vulnerabilities There is a buffer overflow vulnerability in the logging facility of the amd daemon. This daemon automatically mounts file systems in response to attempts to access files that reside on those file systems. Remote intruders can exploit this vulnerability to execute arbitrary code as the user running the amd daemon (usually root). For more information see CERT Advisory CA-99-12 http://www.cert.org/advisories/CA-99-12-amd.html We have received reports regarding exploits of this vulnerability. For more information please see CERT Incident Note 99-05 http://www.cert.org/incident_notes/IN-99-05.html 6. RPC Vulnerabilities We continue to receive reports of exploitations involving three RPC vulnerabilities: rpc.cmsd, ttdbserverd, and statd/automountd. These exploitations can lead to root compromise on systems that implement vulnerable RPC services. Analysis has shown that similar artifacts have been found on compromised systems. For more information on the vulnerabilities please see CERT Incident Note 99-04 http://www.cert.org/incident_notes/IN-99-04.html CERT Advisory CA-99-08 http://www.cert.org/advisories/CA-99-08-cmsd.html CERT Advisory CA-99-05 http://www.cert.org/advisories/CA-99-05-statd-automountd.html CERT Advisory CA-98-11 http://www.cert.org/advisories/CA-98.11.tooltalk.html 7. Virus and Trojan Horse Activity We continue to see reports of virus activity. Current versions of anti-virus software can help to protect your systems from these viruses. It is important to take great caution with any email or Usenet attachments that contain executable content. If you receive a message containing attachments, scan the message file with anti-virus software before you open or run the file. Doing this does not guarantee that the contents of the file are safe, but it lowers your risk of virus infection by checking for viruses and Trojan horses that your scanning software can detect. CERT/CC has published a Virus Resources page that includes information on Frequently Asked Questions (FAQs) about Computer Viruses Hoax and Chain Letter Databases Virus Databases Virus Organizations and Publications Anti-Virus Vendors Virus Related Papers Please see Virus Resources http://www.cert.org/other_sources/viruses.html 8. Continued Widespread Scans We continue to receive reports of scanning and probing activity. The most frequent reports tend to involve services that have well-known vulnerabilities. Hosts continue to be affected by exploitation of well-known vulnerabilities in these services. sunrpc (TCP port 111) and mountd (635) http://www.cert.org/advisories/CA-98.12.mountd.html http://www.cert.org/incident_notes/IN-99-04.html IMAP (TCP port 143) http://www.cert.org/advisories/CA-98.09.imapd.html POP3 (TCP port 110) http://www.cert.org/advisories/CA-98.08.qpopper_vul.html DNS (TCP port 53 [domain]) http://www.cert.org/advisories/CA-98.05.bind_problems.html http://www.cert.org/advisories/CA-97.22.bind.html ______________________________________________________________________ What's New and Updated Since the last CERT summary, we have developed new and updated * Advisories * CERT statistics * Incident notes * Tech tips/FAQs * Y2K information There are descriptions of these documents and links to them on our "What's New" web page at http://www.cert.org/nav/whatsnew.html ______________________________________________________________________ This document is available from: http://www.cert.org/summaries/CS-99-04.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message. Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. - -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA+AwUBODsBglr9kb5qlZHQEQIvZACbBrc75HYvuxT/JZDa778JBH3eWcAAlR1S AFgkAYyLg3U8XXq5dhCRR0g= =Oqqs - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOEJrwih9+71yA2DNAQF/oQP/VYSFZ5E9423e3Ni5Yp0c/e8CMVR6rPNa EciI3EgRMIUUZcSritwN3hNyvJM2Y+UNc4TASoeDeUMSI9t9Nnnwje1rgK7IsvZ6 R2DCT0dGXy44I3lfU4dY9zHjnhHlgvauoKLy4+5Gv4p0ulr8hEprwQgcAxVcnVrb u6UyZry1N+c= =H7lD -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=1&it=679