-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
  Security Advisory                                                  CERT-NL
===============================================================================
Author/Source : Jan Meijer                                 Index   : S-99-09
Distribution  : World                                      Page    : 1
Classification: External                                   Version : 1
Subject       : S-99-09 : CERT Summary                     Date    : 26-Feb-99
===============================================================================

By courtesy of CERT Coordination Center we received the following
information.

CERT Coordination Center summary CS-99-01 (CERT Summary) reports the
following trends in incidents since the last CERT summary, issued in
December 1998 (CS-98.08):

   1. Widespread Scans
   2. Back Orifice and NetBus
   3. Trojan Horse Programs
   4. FTP Buffer Overflows

CERT-NL recommends extra caution with regard to these specific types of
incidents. This advisory is meant to provide you with information about
the current trends. Where normally we would only forward you the URL, we
consider this information of such interest that we include the full text
here.

All CERT Coordination Center advisories and READMEs are mirrored by
CERT-NL. The specific URL for this case is:

ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-cc-mirror/cert_summaries/CS-99.01

More information about the CERT-NL mirror and notifier services is
contained in News items N-95-01 (notifier) and N-95-02 (CERT mirror),
both present on
ftp://ftp.surfnet.nl/surfnet/net-security/cert-nl/docs/news/

==============================================================================

CERT Summary CS-99-01

February 23, 1999

The CERT Coordination Center periodically issues the CERT summary to
draw attention to the types of attacks currently being reported to our
incident response team, as well as to other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from

        http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last CERT summary, issued in December 1998 (CS-98.08), we have
seen these trends in incidents reported to us.

1. Widespread Scans

   We continue to receive numerous daily reports of intruders using tools
   to scan networks for multiple vulnerabilities. Intruder scanning tools
   continue to become more sophisticated. On January 28, 1999, we
   published an incident note describing a new scanning tool that searches
   for multiple known vulnerabilities on remote systems. The tool
   incorporates probes for known vulnerabilities, remote operating system
   identification, and a scripting language that simplifies automation of
   probes and exploitation attempts. For more information, see our
   incident note at

        http://www.cert.org/incident_notes/IN-99-01.html

   Reports also indicate that scanning techniques addressed in previous
   CERT incident notes, such as scripted tools and stealth scanning, are
   still being employed by intruders. For more information, see

        + http://www.cert.org/incident_notes/IN-98-06.html
        + http://www.cert.org/incident_notes/IN-98-05.html
        + http://www.cert.org/incident_notes/IN-98.04.html
        + http://www.cert.org/incident_notes/IN-98.02.html

   The daily reports of widespread scans and exploitation attempts involve
   many vulnerabilities; however, the most frequent reports involve
   activity with well-known vulnerabilities in "mountd", "imap", and
   "pop3" services for which CERT advisories have been published. These
   services are installed and enabled by default in some operating
   systems. The scans and exploitation attempts still result in sites
   being compromised.
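   The scan activity described above, together with the Back Orifice and
   NetBus probe ports listed in section 2 below, can be picked out of
   firewall logs mechanically. The following is an added example, not code
   from CERT/CC or CERT-NL: it parses a constructed syslog-style firewall
   log (the line layout, the documentation-range addresses and the
   three-host sweep threshold are assumptions made for the example), counts
   how many distinct hosts each source touched on each port, and reports
   sweeps against the advisory services, any SYN or UDP probe to a default
   NetBus or Back Orifice port, and sweeps on ports it has no signature
   for, since the summary itself warns that these tools can be reconfigured
   and that unexplained traffic should be investigated.

```python
"""Spot the scan activity described in this CERT summary in firewall logs.

Added example, not code from CERT/CC or CERT-NL.  The log format, the
addresses and the sweep threshold are assumptions made for illustration.
"""
import re
from collections import defaultdict, namedtuple

# Ports named in section 1 (services with published advisories) and the
# default NetBus / Back Orifice ports from section 2.  The second field
# says whether a single probe is already worth a report: nobody has a
# legitimate reason to send SYNs to a NetBus port, whereas one connection
# to pop3 is ordinary mail traffic and only a sweep across hosts is suspect.
SIGNATURES = {
    ("tcp", 111):   ("sunrpc portmapper, see CA-98.12", False),
    ("tcp", 635):   ("mountd, see CA-98.12", False),
    ("tcp", 143):   ("imapd, see CA-98.09", False),
    ("tcp", 110):   ("pop3 (qpopper), see CA-98.08", False),
    ("tcp", 12345): ("NetBus default port", True),
    ("tcp", 12346): ("NetBus default port", True),
    ("tcp", 20034): ("NetBus default port", True),
    ("udp", 31337): ("Back Orifice default port", True),
}

# Assumed (constructed) firewall line layout:
#   "Feb 23 01:02:03 fw: DENY tcp 192.0.2.10:1034 -> 198.51.100.1:111 S"
# TCP lines end with the flags seen (S = SYN, A = ACK); UDP lines have none.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) fw: (?P<action>[A-Z]+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<flags>[A-Z]+))?$"
)

Finding = namedtuple("Finding", "src proto dport hosts label reason")


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def analyze(log_text, sweep_threshold=3):
    """Group probes by (source, proto, port) and report what matches.

    A "sweep" is one source touching at least sweep_threshold distinct
    destination hosts on the same port.  Sweeps on ports without a
    signature are reported as "unexplained" rather than dropped.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # Section 2 describes the NetBus scans as SYN packets; TCP records
        # without SYN (mid-connection noise) are not counted here, which
        # also means a pure ACK "stealth" scan needs a separate rule.
        if ev["proto"] == "tcp" and "S" not in (ev["flags"] or ""):
            continue
        targets[(ev["src"], ev["proto"], ev["dport"])].add(ev["dst"])

    findings = []
    for (src, proto, dport), hosts in sorted(targets.items()):
        sig = SIGNATURES.get((proto, dport))
        n = len(hosts)
        if sig is not None and sig[1]:
            findings.append(Finding(src, proto, dport, n, sig[0], "trojan probe"))
        elif sig is not None and n >= sweep_threshold:
            findings.append(Finding(src, proto, dport, n, sig[0], "vulnerability sweep"))
        elif n >= sweep_threshold:
            findings.append(Finding(src, proto, dport, n, "no known signature", "unexplained sweep"))
    return findings


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Feb 23 01:02:03 fw: DENY tcp 192.0.2.10:1034 -> 198.51.100.1:111 S
Feb 23 01:02:03 fw: DENY tcp 192.0.2.10:1035 -> 198.51.100.2:111 S
Feb 23 01:02:04 fw: DENY tcp 192.0.2.10:1036 -> 198.51.100.3:111 S
Feb 23 01:02:04 fw: DENY tcp 192.0.2.10:1037 -> 198.51.100.9:111 A
Feb 23 01:02:04 fw: DENY tcp 192.0.2.10:1038 -> 198.51.100.3:635 S
Feb 23 01:02:05 fw: DENY tcp 192.0.2.10:1039 -> 198.51.100.3:143 S
Feb 23 01:03:10 fw: DENY tcp 203.0.113.7:4120 -> 198.51.100.20:12345 S
Feb 23 01:03:10 fw: DENY tcp 203.0.113.7:4121 -> 198.51.100.21:12345 S
Feb 23 01:03:11 fw: DENY udp 203.0.113.7:31337 -> 198.51.100.22:31337
Feb 23 01:04:00 fw: DENY tcp 203.0.113.9:2000 -> 198.51.100.30:5555 S
Feb 23 01:04:00 fw: DENY tcp 203.0.113.9:2001 -> 198.51.100.31:5555 S
Feb 23 01:04:01 fw: DENY tcp 203.0.113.9:2002 -> 198.51.100.32:5555 S
Feb 23 01:04:01 fw: DENY tcp 203.0.113.9:2003 -> 198.51.100.33:5555 S
Feb 23 01:05:00 fw: ACCEPT tcp 192.0.2.77:3333 -> 198.51.100.40:110 S
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.src:<14} {f.reason:<20} {f.proto}/{f.dport:<5} hosts={f.hosts}  {f.label}")
```

   Run as is, the sample log yields four findings: a portmapper sweep from
   192.0.2.10 (the single mountd and imap probes from the same source
   stay below the threshold), NetBus and Back Orifice probes from
   203.0.113.7, and an unexplained sweep of tcp/5555 from 203.0.113.9; the
   single accepted pop3 connection is not reported.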
   See the following advisories for more information:

        + sunrpc (tcp port 111) and mountd (635)
          http://www.cert.org/advisories/CA-98.12.mountd.html

        + imap (tcp port 143)
          http://www.cert.org/advisories/CA-98.09.imapd.html

        + pop3 (tcp port 110)
          http://www.cert.org/advisories/CA-98.08.qpopper_vul.html

   We encourage you to make sure that all systems at your site are up to
   date with patches and that your machines are properly secured.

2. Back Orifice and NetBus

   We continue to receive daily reports of incidents involving
   Windows-based "remote administration" programs such as Back Orifice
   and NetBus. Occasionally these are reports of compromised machines
   that have one of these tools installed. However, the majority of these
   reports involve sites that have detected intruders scanning for the
   presence of these tools. These scans may appear as unauthorized
   traffic as follows:

        + NetBus - connection request (SYN) packets to TCP ports 12345,
          12346, or 20034
        + Back Orifice - UDP packets to port 31337

   Keep in mind that these tools can be configured to listen on different
   ports. Because of this, we encourage you to investigate any
   unexplained network traffic.

   For more information about Back Orifice, review CERT vulnerability
   note VN-98.07:

        http://www.cert.org/vul_notes/VN-98.07.backorifice.html

3. Trojan Horse Programs

   Over the past few months, we have seen an increase in the number of
   incident reports related to Trojan horse programs affecting both
   Windows and UNIX platforms.

        + CERT advisory CA-99-02 includes descriptions of several recent
          incidents involving Trojan horse programs, including a false
          upgrade to Internet Explorer, a Trojan horse version of TCP
          Wrappers, and a Trojan horse version of util-linux. The
          advisory also provides advice for system and network
          administrators, end users, software developers, and
          distributors.
          The advisory is available from

          http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

        + CERT advisory CA-99-01 discusses the Trojan horse version of
          TCP Wrappers in greater detail, and provides information on how
          to verify the integrity of your TCP Wrappers distribution.

          http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html

4. FTP Buffer Overflows

   Very recently, we have received a few reports of intruders scanning
   for and exploiting a remote buffer overflow vulnerability in various
   FTP servers. By supplying carefully designed commands to the FTP
   server, intruders can force the server to execute arbitrary commands
   with root privilege. Intruders can exploit the vulnerability remotely
   to gain administrative access.

   We encourage you to review the text provided by Netect, Inc. in CERT
   advisory CA-99-03, which describes the ftpd vulnerability in more
   detail. The advisory is available from

        http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes. CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).

All CERT-NL material is available under:
http://www.surfnet.nl/surfnet/security/cert-nl.html
ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl            ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305               BUSINESS HOURS ONLY
Fax:       +31 302 305 329               BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

EMERGENCIES : 06 52 87 92 82             ATTENDED AT ALL TIMES
EMERGENCIES : +31 6 52 87 92 82          ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE
FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL
IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use

iQCVAwUBNtcQDfE6s6q7Tf4RAQHw5QP/bbQJatJHkyXijHrumNplcybMjw5VOwHN
mgc4fQg0nYd12Dl4IjQt8qIUOLHUnQP0MgUVsSsTmrhxwKjTL3DY2WsMu1pwpoyT
/AV0BmXBX8Wn0JQiB56wMJLmJtQz0gXpsez+xeQHyWWBHjdwy+kz5LU9gn9SRuQP
IcaDtgFuXrY=
=EgTG
-----END PGP SIGNATURE-----
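Section 3 above points to CA-99-01 for how to verify the integrity of a
TCP Wrappers distribution. The following is an added example of the usual
form such a check takes, comparing a downloaded archive against a
vendor-published checksum manifest; it is not code from CERT/CC, CERT-NL or
the TCP Wrappers project, and it sits outside the PGP-signed text above.
The archive contents, the file name and the manifest are constructed for
the example, and the manifest layout ("<hex digest>  <filename>" per line,
SHA-256) is an assumption. One caveat the code cannot remove: a manifest
fetched from the same place as the archive proves nothing if that place
was compromised, so obtain the digests through an independent channel
(a signed announcement, or a mirror you already trust).

```python
"""Verify a downloaded source archive against a published checksum manifest.

Added example; not code from CERT/CC, CERT-NL or the TCP Wrappers project.
Archive bytes, file name and manifest are constructed so the check runs
offline; the manifest layout ("<hex digest>  <filename>") is assumed.
"""
import hashlib
import hmac
import io
import sys

HEX = set("0123456789abcdefABCDEF")


def sha256_hex(stream, chunk_size=1 << 16):
    """Hash a file-like object in chunks so large archives need no RAM."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Map file name -> expected hex digest; blank and '#' lines are skipped.

    A malformed line is an error, not a silent skip: a manifest that has
    been tampered with or truncated must not pass as "nothing to check".
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or any(c not in HEX for c in digest):
            raise ValueError("malformed manifest line: %r" % raw)
        expected[name.strip()] = digest.lower()
    return expected


def verify(name, stream, manifest):
    """Return (ok, reason).

    A file absent from the manifest is refused rather than waved through,
    and digests are compared in constant time.
    """
    expected = manifest.get(name)
    if expected is None:
        return False, "no manifest entry for %s; do not install" % name
    actual = sha256_hex(stream)
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch for %s: expected %s, got %s" % (name, expected, actual)
    return True, "digest matches for %s" % name


def check_bytes(name, data, manifest_text):
    """Convenience wrapper for in-memory data (used by the example below)."""
    return verify(name, io.BytesIO(data), parse_manifest(manifest_text))


# Constructed stand-ins for the genuine archive and a modified copy.
ARCHIVE = "tcp_wrappers_7.6.tar.gz"
GENUINE = b"tcp_wrappers_7.6: constructed stand-in for the genuine archive\n"
MODIFIED = GENUINE + b"extra bytes standing in for a Trojan horse insertion\n"

# In practice the manifest comes from the vendor over a channel independent
# of the download; here it is generated from GENUINE so the example is
# self-contained.
MANIFEST_TEXT = "# constructed manifest\n%s  %s\n" % (
    hashlib.sha256(GENUINE).hexdigest(), ARCHIVE)

if __name__ == "__main__":
    # Usage: python verify_archive.py <archive> <manifest-file>
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as mf, open(sys.argv[1], "rb") as f:
            ok, why = verify(sys.argv[1].rsplit("/", 1)[-1], f, parse_manifest(mf.read()))
    else:
        ok, why = check_bytes(ARCHIVE, MODIFIED, MANIFEST_TEXT)
    print(why)
    sys.exit(0 if ok else 1)
```

Run without arguments it checks the modified stand-in and exits non-zero
with a digest mismatch; with an archive path and a manifest file it checks
the real download the same way.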