Date: 27 June 2000
References: ESB-2000.163 ESB-2000.171 ESB-2000.172 ESB-2000.294 ESB-2000.365
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2000.09 -- AUSCERT ALERT
Current widespread intruder activity against ftpd
27 June 2000
===========================================================================
PROBLEM:
AusCERT has received numerous reports of intruders scanning for
the recent wu-ftpd vulnerability within Australia and New
Zealand.
As these attacks are currently widespread and moderately
easy to detect, AusCERT is releasing this information to
alert System Administrators to this activity. Sites are
advised to defend their systems against this vulnerability
and to check if their systems have been compromised.
PLATFORM:
Currently only Unix based platforms which have an unpatched
wu-ftpd 2.6.0 (or earlier) are vulnerable to these attacks.
IMPACT:
Unix systems are being actively attacked and root compromised.
RECOMMENDATIONS:
System Administrators are urged to check their systems for
insecure versions of wu-ftpd as per AusCERT Advisory
AA-2000.02, which is available from:
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02
If you suspect that your site may have been compromised, we
encourage you to read:
ftp://ftp.auscert.org.au/pub/cert/tech_tips/intruder_detection_checklist
If your site has been compromised, we encourage you to read:
http://www.auscert.org.au/Information/Auscert_info/Papers/win-UNIX-system_compromise.html
AusCERT is currently monitoring this problem, if you detect your
systems have been compromised please contact AusCERT. We are
currently tracking this incident as AUSCERT#94065. We would
appreciate you using this tracking code in the subject of any
email you send regarding this incident.
- ---------------------------------------------------------------------------
[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT
and AusCERT Advisories, and other computer security information.
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call
after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOXXWLCh9+71yA2DNAQHj/AP/aZGAw8ugC3WFa6iCsj/EPcX+B2CXeTdP
kO7rkH2snUh+vq5CpBC9Dz+hTS65XZPIqCWrHjNFCyNQk+RZEfKWxZPQ2DteLerV
R4QM/Uhc8htF4TlMT3YdI2Z0uqAqDAP9McgDUk3dmaz+NOcrr/2zWgzYxD0mkm/x
JQzvaaK37kA=
=Sbk8
-----END PGP SIGNATURE-----
|