-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                      CERT-NL
===============================================================================
Author/Source : Egon Verharen                       Index         : S-98-50
Distribution  : World                               Page          : 1
Classification: External                            Version       : 1
Subject       : multiscan ('mscan') Tool            Date          : 29-Jul-98
===============================================================================

By courtesy of AUSCERT we received a security alert on the multiscan ('mscan')
Tool. CERT-NL recommends that sites take the steps outlined in section 3 as
soon as possible.

CERT-NL issued a semi-official alert on this topic before ("CERT-NL: Multi
scans", author: Teun Nijssen, date: 20 July 1998).

A security advisory on this topic has also been issued by CIAC:

        I-073: multiscan ('mscan') Tool
        http://ciac.llnl.gov/ciac/bulletins/i-073.shtml

Besides these advisories, JANET-CERT and CERT-CC also provide extensive
information on the mscan attack tool:

        http://www.ja.net/CERT/JANET-CERT/mscan.html
        http://www.cert.org/incident_notes/IN-98.02.html

===========================================================================
AL-98.01                        AUSCERT Alert
                        multiscan ('mscan') Tool
                              20 July 1998

Last Revised: --
- - ---------------------------------------------------------------------------

AusCERT has received reports indicating a recent and substantial increase in
network scanning activity. It is believed that intruders are using a new tool
called 'Multiscan' or 'mscan'. This tool enables the user to scan whole
domains and complete ranges of IP addresses to discover well-known
vulnerabilities. Information concerning this tool has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon as
possible.

This advisory will be updated as more information becomes available.

- - ---------------------------------------------------------------------------

1. Description

        AusCERT has received reports indicating a recent and substantial
        increase in network scanning activity. It is believed that intruders
        are using a new tool called 'Multiscan' or 'mscan'. This tool
        enables the user to scan whole domains and complete ranges of IP
        addresses to discover well-known vulnerabilities in the following
        services:

                statd
                nfs
                cgi-bin programs (eg: 'handler', 'phf' & 'cgi-test')
                X
                POP3
                IMAP
                Domain Name Servers
                finger

        The 'mscan' documentation mentions the domain 'org.au' as an
        example, so this domain may well be used as a first test case.
        Sites in this domain should therefore expect more frequent scans.

        'mscan' also provides information to the user which may be useful
        in hiding their probe attempts against a subnet by bouncing their
        scans off hosts identified as running the application 'wingate'.

        It is worth noting that mscan can only scan hosts that are visible
        on the network. External users cannot probe hosts behind a suitably
        configured firewall.

2. Impact

        'mscan' attempts to detect exploitable vulnerabilities on target
        hosts within complete ranges of IP addresses and presents this
        information to the user in a report. This information may be used
        by an intruder in further attacks against vulnerable hosts.

3. Workarounds/Solution

3.1 Detection

        The following events may indicate that your site has been probed
        using 'mscan' or a similar scanning tool. In any case, such probing
        is likely to be a prelude to a subsequent attack:

        - Evidence of systematic scans of all IP addresses within a domain,
          or repeated DNS lookups of all hosts on a subnet.

        - Evidence of zone transfers from a domain name server to
          unknown/untrusted destinations.

        - Evidence of systematic probes (from the same IP address/origin)
          of the services:

                statd
                nfs
                cgi-bin programs (eg: 'handler', 'phf' & 'cgi-test')
                X
                POP3
                IMAP
                Domain Name Servers
                finger
                the lp account

3.2 Protection

        Please note that securing your hosts against the vulnerabilities
        tested for by mscan does not necessarily make your hosts secure.
        It is imperative that you continue to take all of the usual
        security measures, such as applying all security patches and
        performing regular monitoring.

        statd:

        There are well known problems in certain versions of statd which
        are exploitable remotely. See the AusCERT Advisory at URL:

                ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.29.statd.overflow.vul

        nfs:

        NFS exported filesystems may allow an intruder to examine, change
        or add data to a filesystem on your host remotely. To deny access
        to your NFS services from the outside we encourage you to consider
        blocking inbound NFS connections at your router. For a discussion
        of security issues concerning NFS see the CERT advisory at URL:

                http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html

        cgi-bin programs (eg: 'handler', 'phf' & 'cgi-test'):

        Do not install cgi-bin programs on your web server whose security
        status is dubious. If you must have cgi-bin programs, you should
        check them for security vulnerabilities before installation. The
        AusCERT advisory at the following URL provides useful information
        on this topic:

                ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.01.Vulnerability.in.NCSA.Apache.CGI.example.code

        X:

        If it is not necessary to allow X Window System connections from
        outside of your site, then secure open X server ports (i.e. TCP
        6000 plus the display number) against intrusion by blocking
        inbound traffic at the router. Sites are encouraged to check their
        local documentation for access control mechanisms such as 'xhost'
        and 'xauth'.

        POP3:

        POP servers are a good source of information for intruders and
        failed connections are not always logged. Enable logging of failed
        POP server access where possible and monitor these logs for any
        unusual activity such as multiple failed POP attempts. Sites
        should also check that they are not affected by the 'qpopper'
        vulnerability, discussed at URL:

                ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.01.qpopper.buffer.overflow.vul

        IMAP:

        There are well known problems in older versions of IMAP which are
        exploitable remotely. See the following advisories and ensure that
        you are not vulnerable to these problems:

                ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.09.imap_pop
                ftp://ftp.auscert.org.au/pub/mirrors/ftp.secnet.com/advisories/SNI-08.IMAP_OVERFLOW.advisory

        Also see the URL at:

                http://www.cert.org/advisories/CA-97.09.imap_pop.html

        Domain Name Servers:

        Sites should allow zone transfers only to authorised name servers.
        This helps to impede the use of the mscan tool. There are also
        known problems with some versions of BIND. See the following
        advisory and ensure that you are not vulnerable to these problems:

                http://www.cert.org/advisories/CA-98.05.bind_problems.html

        finger:

        To stop unauthorised persons from obtaining personal information
        about users on your system, you should disable the 'finger'
        program. Additionally, block outside traffic to the 'finger'
        service at your firewall.

        lp:

        The lp account on some systems (notably IRIX) is distributed
        without a password, and intruders may be able to use this for
        non-authenticated access to a system. The general solution is to
        'lock' all accounts without a password; however, this may disable
        some key features of your system. See the following CERT advisory
        for more information on this topic:

                http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html

4. Additional Information

        The advisory documents at the following URLs:

                ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
                ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

        may also prove useful in securing your system.
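The detection signals of section 3.1 (one origin touching many hosts in a domain, one origin probing several of the services mscan targets, and zone transfers to destinations other than your own secondaries) can be checked mechanically against syslog. The following Python script is an added example and not part of the CERT-NL or AusCERT text. Its sample log lines are constructed for illustration in the style of tcp_wrappers 'connect from' messages and BIND 8 'approved/unapproved AXFR' messages; the daemon-name-to-service mapping, the list of authorised secondaries and the thresholds are assumptions to be adapted to what your own hosts actually log.

```python
"""Flag mscan-style probing in syslog-style connection records.

Added example, not part of the CERT-NL/AusCERT advisory. The sample log
lines are constructed for illustration: they imitate tcp_wrappers
'connect from' messages and BIND 8 'approved/unapproved AXFR' messages,
but real formats differ between platforms and daemons.
"""
import re
from collections import defaultdict

# Daemon names as they might appear in syslog, mapped to the services mscan
# probes (section 3.1). Hypothetical mapping; adjust to what your hosts log.
MSCAN_SERVICES = {
    "rpc.statd": "statd",
    "rpc.mountd": "nfs",
    "httpd": "cgi-bin",
    "in.pop3d": "POP3",
    "in.imapd": "IMAP",
    "named": "DNS",
    "in.fingerd": "finger",
}

# Name servers allowed to pull zones (assumption for the example).
AUTHORIZED_SECONDARIES = {"192.0.2.53"}

SYSLOG_PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) "
CONNECT_RE = re.compile(
    SYSLOG_PREFIX
    + r"(?P<daemon>[\w.]+)\[\d+\]: connect from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)
AXFR_RE = re.compile(
    SYSLOG_PREFIX
    + r'named\[\d+\]: (?:approved|unapproved) AXFR from '
    + r'\[(?P<src>\d+\.\d+\.\d+\.\d+)\]\.\d+ for "(?P<zone>[^"]+)"$'
)


def analyse(lines, min_hosts=3, min_services=3):
    """Return (suspects, bad_transfers).

    suspects: {src: {"hosts": set, "services": set}} for every source that
      reached at least min_hosts distinct hosts or at least min_services
      distinct mscan-targeted services (the 'systematic probes from the
      same origin' signal).
    bad_transfers: [(src, zone)] for every AXFR request, approved or not,
      from an address not in AUTHORIZED_SECONDARIES.
    """
    by_src = defaultdict(lambda: {"hosts": set(), "services": set()})
    bad_transfers = []
    for line in lines:
        m = AXFR_RE.match(line)
        if m:
            if m["src"] not in AUTHORIZED_SECONDARIES:
                bad_transfers.append((m["src"], m["zone"]))
            continue
        m = CONNECT_RE.match(line)
        if not m:
            continue
        service = MSCAN_SERVICES.get(m["daemon"])
        if service is None:
            continue  # not one of the services mscan targets
        rec = by_src[m["src"]]
        rec["hosts"].add(m["host"])
        rec["services"].add(service)
    suspects = {
        src: rec
        for src, rec in by_src.items()
        if len(rec["hosts"]) >= min_hosts or len(rec["services"]) >= min_services
    }
    return suspects, bad_transfers


# Constructed sample: one origin sweeps finger/POP3/IMAP/statd across three
# hosts and attempts a zone transfer; a legitimate user reads mail twice;
# the authorised secondary pulls the zone.
SAMPLE_LOG = """\
Jul 20 10:15:01 alpha in.fingerd[1201]: connect from 198.51.100.9
Jul 20 10:15:01 alpha in.pop3d[1202]: connect from 198.51.100.9
Jul 20 10:15:02 alpha in.imapd[1203]: connect from 198.51.100.9
Jul 20 10:15:02 beta in.fingerd[877]: connect from 198.51.100.9
Jul 20 10:15:03 gamma in.fingerd[4410]: connect from 198.51.100.9
Jul 20 10:15:03 gamma rpc.statd[4411]: connect from 198.51.100.9
Jul 20 10:15:04 ns1 named[200]: unapproved AXFR from [198.51.100.9].2034 for "example.org"
Jul 20 10:16:40 ns1 named[200]: approved AXFR from [192.0.2.53].1067 for "example.org"
Jul 20 10:20:11 mail in.pop3d[5120]: connect from 192.0.2.10
Jul 20 10:21:15 mail in.pop3d[5125]: connect from 192.0.2.10
""".splitlines()


def report(lines=SAMPLE_LOG):
    """Summarise analyse() as printable lines (returned, not just printed)."""
    suspects, bad_transfers = analyse(lines)
    out = []
    for src, rec in sorted(suspects.items()):
        out.append("%s probed %d hosts (%s) for %s" % (
            src, len(rec["hosts"]), ", ".join(sorted(rec["hosts"])),
            ", ".join(sorted(rec["services"]))))
    for src, zone in bad_transfers:
        out.append("zone transfer of %s requested by unauthorised %s" % (zone, src))
    return out


if __name__ == "__main__":
    print("\n".join(report()))
```

On the constructed sample the script reports 198.51.100.9 for sweeping three hosts and four of the listed services and for the refused zone transfer, while the single user reading mail from 192.0.2.10 stays below both thresholds. Two caveats follow from the advisory itself: an AXFR that your server logged as 'approved' for an address outside your own secondaries means the transfer succeeded and the zone restriction of section 3.2 is missing, and a scan bounced through a 'wingate' host or spread over many origins will not cluster under one source address, so low thresholds and cross-site correlation matter more than the exact numbers used here.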
- - ---------------------------------------------------------------------------

AusCERT would like to thank the CERT Coordination Centre for reference
material quoted from their Incident Note: IN-98.02. See the following URL
for the content of that document:

        http://www.cert.org/incident_notes/IN-98.02.html

- - ---------------------------------------------------------------------------

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
        http://www.surfnet.nl/surfnet/security/cert-nl.html
        ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:      cert-nl@surfnet.nl                  ATTENDED REGULARLY ALL DAYS
Phone:      +31 302 305 305                     BUSINESS HOURS ONLY
Fax:        +31 302 305 329                     BUSINESS HOURS ONLY
Snailmail:  SURFnet bv
            Attn. CERT-NL
            P.O. Box 19035
            NL - 3501 DA UTRECHT
            The Netherlands

EMERGENCIES (within NL):     06 52 87 92 82     ATTENDED AT ALL TIMES
EMERGENCIES (international): +31 6 52 87 92 82  ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONE NUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE
FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN
AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5

iQCVAwUBNb5DRVpSTqmIRWKVAQGp1QP/UZCTI64gO9I/1aVaPD6mo6PAICGJYrM+
YiGOA0WpFCNthMC5tVp0LdeZmQhMTPoaZl5GQn6LbucHKl5wZQenbGGWSnQE/In8
olcoyn0LJmCzbT0xMu8Yxvvj3Mr8l++2VkAfxvIJ0FNqEhWHCwLLbeoIxV7M1+Zm
p4B3RZO6ERc=
=a0nS
-----END PGP SIGNATURE-----