AL-98.01 -- multiscan ('mscan') Tool

Date: 20 July 1998


===========================================================================
AL-98.01                        AUSCERT Alert
                          multiscan ('mscan') Tool
                                20 July 1998

Last Revised: --
- ---------------------------------------------------------------------------

AusCERT has received reports indicating a recent and substantial
increase in network scanning activity.  It is believed that intruders
are using a new tool called 'Multiscan' or 'mscan'.  This tool
enables the user to scan whole domains and complete ranges of IP
addresses to discover well-known vulnerabilities.

Information concerning this tool has been made publicly available.

AUSCERT recommends that sites take the steps outlined in section
3 as soon as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1.  Description

    AusCERT has received reports indicating a recent and substantial
    increase in network scanning activity.  It is believed that
    intruders are using a new tool called 'Multiscan' or 'mscan'.
    This tool enables the user to scan whole domains and complete
    ranges of IP addresses to discover well-known vulnerabilities
    in the following services:

        statd
        nfs
        cgi-bin Programs (eg: 'handler', 'phf' & 'cgi-test')
        X
        POP3
        IMAP
        Domain Name Servers
        finger

    The 'mscan' documentation mentions the domain 'org.au' as an
    example, so this domain may well be used as a first test case.
    Sites in this domain should therefore expect more frequent scans.

    'mscan' also reports hosts it identifies as running the application
    'wingate'.  A user may relay scans through such hosts to conceal the
    true origin of probe attempts against a subnet.

    It is worth noting that mscan can only scan hosts that are
    visible on the network.  External users can not probe hosts
    behind a suitably configured firewall.

2.  Impact

    'mscan' attempts to detect exploitable vulnerabilities on target
    hosts within complete ranges of IP addresses and presents this
    information to the user in a report.  This information may be
    used by an intruder in further attacks against vulnerable hosts.

3.  Workarounds/Solution

3.1 Detection

    The following events may indicate that your site has been
    probed using 'mscan' or other similar scanning tools.  In any
    case, such activity is likely to be a prelude to a subsequent attack:

        Evidence of systematic scans of all IP addresses within a
        domain or repeated DNS-lookups of all hosts on a subnet.

        Evidence of Zone transfers from a domain name server to
        unknown/untrusted destinations.

        Evidence of systematic probes (from the same IP address/origin)
        of the services:

                statd
                nfs
                cgi-bin Programs (eg: 'handler', 'phf' & 'cgi-test')
                X
                POP3
                IMAP
                Domain Name Servers
                finger
                The lp account
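
    The detection logic above, as an added example that is not part of
    the original advisory: a script that reads a constructed connection
    log and flags any source that probed several hosts in one subnet on
    several of the services listed.  The port numbers are the well-known
    ports for those services (statd is reached via the portmapper), the
    log format, sample addresses and thresholds are assumptions.

```python
"""Flag mscan-style sweeps in a constructed connection log."""
from collections import defaultdict
import ipaddress

# Well-known ports of the services section 3.1 lists (assumption: statd
# is probed via the portmapper and the lp account via telnet logins,
# which this log does not cover).
MSCAN_PORTS = {
    111: "statd/portmapper", 2049: "nfs", 80: "cgi-bin", 6000: "X",
    110: "POP3", 143: "IMAP", 53: "DNS", 79: "finger",
}

# Constructed sample log, format "<time> <src> -> <dst>:<port>".
# 203.0.113.7 walks a /24 over many services; 198.51.100.9 is a normal client.
SAMPLE_LOG = """\
12:00:01 203.0.113.7 -> 192.0.2.1:79
12:00:01 203.0.113.7 -> 192.0.2.1:110
12:00:02 203.0.113.7 -> 192.0.2.2:79
12:00:02 203.0.113.7 -> 192.0.2.2:143
12:00:03 203.0.113.7 -> 192.0.2.3:111
12:00:03 203.0.113.7 -> 192.0.2.4:6000
12:00:04 203.0.113.7 -> 192.0.2.5:53
12:00:09 198.51.100.9 -> 192.0.2.1:80
12:00:10 198.51.100.9 -> 192.0.2.1:80
"""

def parse(line):
    """Split one log line into (src, dst, port)."""
    _time, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port)

def find_sweeps(log, min_hosts=4, min_services=3):
    """Return {src: (subnet, host_count, services)} for each source that
    touched at least min_hosts distinct hosts in one /24 on at least
    min_services distinct mscan services.  Thresholds are assumptions;
    tune them to the size and traffic of your own subnets."""
    hosts = defaultdict(set)     # (src, subnet) -> {dst}
    services = defaultdict(set)  # (src, subnet) -> {service name}
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, port = parse(line)
        if port not in MSCAN_PORTS:
            continue            # not one of the services mscan probes
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        hosts[(src, net)].add(dst)
        services[(src, net)].add(MSCAN_PORTS[port])
    hits = {}
    for (src, net), dsts in hosts.items():
        svcs = services[(src, net)]
        if len(dsts) >= min_hosts and len(svcs) >= min_services:
            hits[src] = (str(net), len(dsts), sorted(svcs))
    return hits
```

    Run against a real firewall or TCP wrapper log the parse() function
    would need adapting to that log's format; the sweep logic stays the same.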


3.2 Protection

    Please note that securing your hosts against the vulnerabilities
    tested for by mscan does not necessarily make your hosts secure.
    It is imperative that you continue to take all of the usual
    security measures, like applying all security patches and
    performing regular monitoring activities.

    statd: 

	There are well known problems in certain versions of statd
	which are exploitable remotely.  See the AusCERT Advisory
	at URL:
	
	ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.29.statd.overflow.vul

    nfs:

	NFS exported filesystems may allow an intruder to examine,
	change or add data to a filesystem on your host remotely.
	To deny access to your NFS services from the outside we
	encourage you to consider blocking inbound NFS connections
	at your router.

	For a discussion of security issues concerning NFS see the CERT 
	advisory at URL:

	http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html
	

    cgi-bin Programs (eg: 'handler', 'phf' & 'cgi-test'):

	Do not install cgi-bin programs on your web server whose
	security status is dubious.  If you must have cgi-bin
	programs, you should check them for security vulnerabilities
	before installation.

	The AusCERT advisory at the following URL provides useful
	information on this topic:

	ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.01.Vulnerability.in.NCSA.Apache.CGI.example.code

    X: 

	If it is not necessary to allow X-windows connections from
	outside of your site, then secure open X server ports 
	(i.e. 6000+ ) against intrusion by blocking inbound traffic at
	the router.  Sites are encouraged to check their local
	documentation for access control mechanisms such as 'xhost'
	and 'xauth'.

    POP3: 

	POP servers are a good source of information for intruders and 
	failed connections are not always logged.  Enable logging of 
	failed POP server access where possible and monitor these logs
	for any unusual activity such as multiple failed pop attempts.

	Sites should also check that they are not affected by the 'qpopper'
	vulnerability, discussed at URL:

	ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.01.qpopper.buffer.overflow.vul


    IMAP:

	There are well known problems in older versions of IMAP
	which are exploitable remotely.

	See the following advisories and ensure that you are not
	vulnerable to these problems:

	ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.09.imap_pop
	ftp://ftp.auscert.org.au/pub/mirrors/ftp.secnet.com/advisories/SNI-08.IMAP_OVERFLOW.advisory

    	Also see the URL at:

    	http://www.cert.org/advisories/CA-97.09.imap_pop.html


    Domain Name Servers:

	Sites should allow zone transfers only to authorised 
	name servers.  This helps to impede the use of the mscan 
	tool.

	There are also known problems with some versions of BIND.

	See the following advisory and ensure that you are not
	vulnerable to these problems:

        http://www.cert.org/advisories/CA-98.05.bind_problems.html

    finger:

	To stop unauthorised persons from obtaining personal
	information about users on your system, you should
	disable the 'finger' program.  Additionally, block
	outside traffic to the 'finger' service at your firewall.

    lp:

	The lp account on some systems (notably IRIX) is distributed
	without a password, and intruders may be able to use this
	for non-authenticated access to a system.  The general solution
	is to 'lock' all non-password accounts, however this may disable
	some key features of your system.  See the following CERT advisory 
	for more information on this topic:

	http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html


4. Additional Information

    The advisory documents at the following URLs:

	ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
	ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

    may also prove useful in securing your system.

- ---------------------------------------------------------------------------
AusCERT would like to thank the CERT Coordination Centre for reference
material quoted from their Incident Note: IN-98.02.

	See the following URL for the content of that document:

	http://www.cert.org/incident_notes/IN-98.02.html

- ---------------------------------------------------------------------------

The AusCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to
use the information described is the responsibility of each user
or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before
application in conjunction with local policies and procedures.
AusCERT takes no responsibility for the consequences of applying
the contents of this document.

If you believe that your system has been compromised, contact
AUSCERT or your representative in FIRST (Forum of Incident Response
and Security Teams).

AusCERT is located at The University of Queensland within the
Prentice Centre.  AusCERT is a full member of the Forum of Incident
Response and Security Teams (FIRST).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AUSCERT Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au 
Facsimile:      (07) 3365 7031 
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call after
		hours for emergencies.

Postal:  Australian Computer Emergency Response Team 
Prentice Centre
Brisbane 
Qld.  4072.  
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
