-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------

CERT(*) Summary CS-96.02
March 26, 1996

Last Revised: October 2, 1997
              Updated copyright statement

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our strategic
incident response staff. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated files
that are available for anonymous FTP from

        ftp://info.cert.org/pub/

Past CERT Summaries are available from

        ftp://info.cert.org/pub/cert_summaries/

- ---------------------------------------------------------------------------

Recent Activity
- ---------------

In the two months since the last CERT Summary, we have continued to receive
reports about the same types of activities that were described in CERT
advisory CA-95:18, "Widespread Attacks on Internet Sites". In addition, we
have seen an increase in the number of reports relating to software piracy,
many of which involve intruders taking advantage of systems with poorly
configured anonymous FTP areas.

If you haven't done so already, the CERT staff urges you to immediately take
the steps described in the advisories listed below. Note that it is important
to periodically recheck these files, as they can contain updated information
that we receive after an advisory is published.

The majority of the incidents reported to our incident response staff during
the last two months fit into one (or more) of these seven categories:

1. Root compromise on systems that are unpatched or running old OS versions.
   We receive daily reports of systems that have been compromised by
   intruders who have gained unauthorized access to root or other privileged
   accounts by exploiting widely known security vulnerabilities on systems
   that did not have appropriate patches installed (and/or systems that were
   running old [unpatched] versions of the operating system). We encourage
   everyone to check with their vendor(s) regularly for updates or new
   patches that relate to their systems, and to install security-related
   patches as soon as they are available.

   For a list of additional suggestions on recovering from a UNIX root
   compromise, see

        ftp://info.cert.org/pub/tech_tips/root_compromise

2. Compromised user-level accounts that are leveraged to gain further access.

   We receive daily reports of compromised accounts that have been used to
   launch attacks against other sites, and/or have been used to gain
   privileged access on vulnerable systems. We encourage you to check your
   systems regularly (in accordance with your site policies and guidelines)
   for any signs of unauthorized access or suspicious activity.

   For a list of suggestions on how to determine whether your system may
   have been compromised, see

        ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

3. Packet sniffers and Trojan horse programs

   We continue to receive almost daily incident reports about intruders who
   have installed packet sniffers on root-compromised systems. These
   sniffers, used to collect account names and passwords, are frequently
   installed as part of a widely available kit that also replaces common
   system files with Trojan horse programs. The Trojan horse binaries (du,
   ls, ifconfig, netstat, login, ps, etc.) hide the intruders' files and
   sniffer activity on the system on which they are installed.
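   Because the replaced binaries are exactly the ones an administrator
   would use to look around (ls, ps, netstat), their output on a suspect
   system cannot be trusted; the detection approach in CA-94:05 is to
   compare digests of the installed binaries against a baseline recorded
   while the system was known to be clean. The script below is an added
   example illustrating that approach, not CERT's code and not one of the
   tools in the archive. It assumes SHA-256 in place of the MD5 of the era
   (MD5 is no longer collision-resistant), a baseline file of
   "<hexdigest>  <path>" lines, and a small constructed directory tree in
   which a sniffer kit swaps ls and drops a capture file.

```python
"""
Added example, not CERT's code: a minimal file-integrity check of the kind
CA-94:05 describes for catching Trojaned system binaries. A baseline of
digests is recorded while the system is known to be clean and kept off the
host; later runs compare the current tree against it.

Assumptions (not from the summary): SHA-256 replaces MD5; the baseline
format ("<hexdigest>  <path>" per line) and the demo tree built under a
temporary directory are constructed here.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def digest_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its digest."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and device nodes are not hashed
            result[os.path.relpath(full, root)] = digest_file(full)
    return result


def write_baseline(snap: Dict[str, str], path: str) -> None:
    with open(path, "w") as f:
        for rel in sorted(snap):
            f.write(f"{snap[rel]}  {rel}\n")


def read_baseline(path: str) -> Dict[str, str]:
    snap: Dict[str, str] = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                snap[rel] = digest
    return snap


def compare(baseline: Dict[str, str],
            current: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, missing, new) relative paths, each sorted.

    'modified' is the interesting set for Trojan detection: a system binary
    whose digest no longer matches the one recorded on the clean system.
    """
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return modified, missing, new


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: baseline a clean 'bin' tree, then simulate a
    sniffer kit that replaces ls and drops a capture file, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho clean " + name.encode() + b"\n")
        # The baseline belongs on read-only media or another host; a copy
        # left on the compromised system can be edited by the intruder.
        baseline_path = os.path.join(root, "baseline.txt")
        write_baseline(snapshot(bindir), baseline_path)

        # Trojaned ls that filters the sniffer's log out of directory listings
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\n/bin/ls.orig \"$@\" | grep -v tcp.log\n")
        # Constructed sniffer output (the kind of file the Trojan hides)
        with open(os.path.join(bindir, "tcp.log"), "wb") as f:
            f.write(b"host1 -> host2  login: alice  password: hunter2\n")

        return compare(read_baseline(baseline_path), snapshot(bindir))


if __name__ == "__main__":
    modified, missing, new = demo()
    print("modified:", modified)  # ['ls']
    print("missing: ", missing)   # []
    print("new:     ", new)       # ['tcp.log']
```

   The same caveat applies to the checker itself: run it, and the
   interpreter and libraries it depends on, from known-good media, and
   keep the baseline where an intruder with root on the host cannot
   rewrite it.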
   For further information and methods for detecting packet sniffers and
   Trojan horse binaries, see the following files:

        ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
        ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksums

4. IP spoofing attacks

   We continue to receive several reports each week of IP spoofing attacks.
   Intruders attack by using automated tools that are becoming widespread on
   the Internet. Some sites incorrectly believed that they were blocking
   such spoofed packets, and others planned to block them but hadn't yet
   done so.

   For further information on this type of attack and how to prevent it,
   see

        ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing

5. Software piracy

   We receive new reports each week about compromised accounts and/or
   poorly configured anonymous FTP servers that are being used for
   exchanging pirated software. While the compromised accounts should be
   addressed as a separate security issue (see item 2, above), the abuse of
   anonymous FTP areas for software piracy activities can be reduced if the
   anonymous FTP service is correctly configured and administered.

   For related information and guidelines for configuring anonymous FTP,
   see

        ftp://info.cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity

6. Sendmail attacks

   We still receive new reports each week about intruders attempting to
   exploit vulnerabilities in the sendmail program mailer facility.
   Unfortunately, some of these attacks have been successful against sites
   that are running old versions of sendmail and/or are not restricting the
   sendmail program mailer facility. Sendmail's program mailer facility can
   be restricted by using the sendmail restricted shell program (smrsh).
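   The program mailer runs the command named after "|" in an alias or a
   user's ~/.forward through a shell, so anyone who can write such an
   entry, or who can make sendmail treat attacker-supplied text as one,
   gets arbitrary command execution as the mailer's user. smrsh is
   substituted for that shell and refuses anything except a program the
   administrator has placed in one restricted directory, invoked without
   shell syntax. The following is an added example in Python that models
   that policy on sample commands; it is not smrsh's source, not code from
   the archive, and the restricted directory is represented by a
   constructed set of program names rather than a real /usr/adm/sm.bin.
   The set of rejected metacharacters is a conservative one and is not
   claimed to match any particular smrsh release.

```python
"""
Added example, not smrsh's source and not from the summary: a Python model
of the policy the sendmail restricted shell (smrsh) enforces on program
mailer commands. Only a program installed in the restricted directory may
run, it is always invoked by basename from that directory, and no shell
metacharacters are allowed through.

Assumptions: SM_BIN stands in for the restricted directory and is
constructed here; FORBIDDEN is a conservative metacharacter set.
"""
import os
import shlex
from typing import List, Set, Tuple

# Programs the administrator has deliberately installed in the restricted
# directory. Constructed for this example.
SM_BIN: Set[str] = {"vacation", "procmail"}

# Any of these hands part of the command to the shell's own parser
# (command substitution, redirection, pipes, separators, variables).
FORBIDDEN = set("`<>;$()\\|&\r\n")


def smrsh_check(command: str, allowed: Set[str] = SM_BIN) -> Tuple[bool, str]:
    """Return (accepted, detail).

    On acceptance, detail is the command that would actually run: the
    program's basename (so an attacker-chosen path such as /tmp/vacation
    is replaced by the administrator's copy) plus its arguments. On
    rejection, detail says why.
    """
    if not command.strip():
        return False, "empty command"
    bad = sorted(FORBIDDEN & set(command))
    if bad:
        return False, "forbidden characters: " + repr("".join(bad))
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        return False, f"unparseable: {exc}"
    if not argv:
        return False, "empty command"
    prog = os.path.basename(argv[0])
    if prog not in allowed:
        return False, f"{prog!r} is not in the restricted directory"
    return True, " ".join([prog] + argv[1:])


# Constructed sample program-mailer commands, as they might appear after
# "|" in an alias or ~/.forward entry.
SAMPLES: List[str] = [
    "vacation alice",                 # legitimate, installed program
    "/usr/local/bin/procmail -f-",    # legitimate; path is discarded
    "/bin/sh -c id",                  # shell is not installed in SM_BIN
    "vacation alice; /bin/sh -i",     # metacharacter smuggles a second command
    "uudecode",                       # not installed, so refused
]


def run_samples(samples: List[str] = SAMPLES) -> List[Tuple[str, bool, str]]:
    """Evaluate each sample; returns (command, accepted, detail) per entry."""
    return [(cmd,) + smrsh_check(cmd) for cmd in samples]


if __name__ == "__main__":
    for cmd, ok, detail in run_samples():
        print("ACCEPT" if ok else "REJECT", repr(cmd), "->", detail)
```

   Discarding the path and re-resolving the program inside the restricted
   directory is the part that matters most: without it, an allowlist of
   names is defeated by a user dropping a binary of the same name into
   a writable directory and naming its full path.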
   Information on known sendmail vulnerabilities and the smrsh tool can be
   obtained from

        ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
        ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supplement
        ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities
        ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
        ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
        ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul

   The smrsh program can be obtained from:

        ftp://info.cert.org/pub/tools/smrsh/

   smrsh is also included in the sendmail 8.7.5 distribution.

7. NFS and NIS attacks, and automated tools to scan for vulnerabilities

   We receive weekly reports of intruders using automated tools to scan
   sites for hosts that may be vulnerable to NFS and NIS attacks. Intruders
   are continuing to exploit the rpc.ypupdated vulnerability to gain root
   access, and intruders are still exploiting widely known vulnerabilities
   in NFS to gain root access.

   For related information, see

        ftp://info.cert.org/pub/cert_advisories/CA-95:17.rpc.ypupdated.vul
        ftp://info.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities
        ftp://info.cert.org/pub/cert_advisories/CA-92:13.SunOS.NIS.vulnerability


What's New at the CERT Coordination Center
- ------------------------------------------

The CERT Coordination Center has a new Web site. It includes information on
Internet security and has a link to the CERT FTP archive.

        http://www.cert.org


What's New in the CERT FTP Archive
- ----------------------------------

We have made the following changes since the last CERT Summary (January 23,
1996).
* New Additions

ftp://info.cert.org/pub
        incident_reporting_form v.3 (replaced v.2 with v.3)

ftp://info.cert.org/pub/cert_advisories
        CA-96.01.UDP_service_denial
        CA-96.02.bind
        CA-96.03.kerberos_4_key_server
        CA-96.04.corrupt_info_from_servers
        CA-96.05.java_applet_security_mgr
        CA-96.06.cgi_example_code

ftp://info.cert.org/pub/cert_bulletins
        VB-96.01.splitvt
        VB-96.02.sgi
        VB-96.03.sun
        VB-96.04.bsdi

ftp://info.cert.org/pub/FIRST
        conference.info

ftp://info.cert.org/pub/tech_tips
        root_compromise

ftp://info.cert.org/pub/tools
        /cpm/*                       (replaced older version with v.1.2)
        /sendmail/sendmail.8.7.5     (replaced older version)
        /tcp_wrappers/tcp_wrappers_7.3 (replaced older version)
        /sendmail/smrsh/*            (replaced older version with v.8.4)

ftp://info.cert.org/pub/vendors
        /sgi/SGI_contact_info

* Updated Files

ftp://info.cert.org/pub
        cert_faq (version 10.2)

ftp://info.cert.org/pub/cert_advisories
        CA-94:01 (added info about cpm v.1.2)
        CA-95:13 (added info from sendmail author and Cray; added info from
                  HP and Sun)
        CA-95:14 (added info from NEC Corp and Silicon Graphics)
        CA-95:17 (added info from IBM)
        CA-96.01 (new URL for Argus; added info from Silicon Graphics)
        CA-96.02 (added info from IBM, Solbourne, and Silicon Graphics)
        CA-96.03 (added new checksums and patch info; added info from
                  Transarc and TGV Software, Inc.)
        CA-96.04 (added info from Silicon Graphics)
        CA-96.05 (added pointer to Netscape 2.01)
        rdist-patch-status (added pointer to version 6.1.2)

ftp://info.cert.org/pub/vendors
        /hp/HP.contact.info

- ---------------------------------------------------------------------------

How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30 a.m.-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
         and are on call for emergencies during other hours.
Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

URLs:    http://www.cert.org/
         ftp://info.cert.org/pub/

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group

        comp.security.announce

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key

        ftp://info.cert.org/pub/CERT_PGP.key

- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:

Oct 02, 1997  Updated copyright history

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNDgBu3VP+x0t4w7BAQHFWAP/QZcwNcns6hCjIDGCEWkfFroKHHz8cTde
1zvRmofoLBGJ/Q1y7mo7YHmOUqUPPmOnouYaq+GqdqteuWCZt5pqvB4OokclR14k
9Bg1IvuRY/M5m1CncFjHMdpG8AbikDAaWraJyqrnC7V0Hx2I3w2FLi2CFwU7crdA
PUgAAStZaoM=
=htbT
-----END PGP SIGNATURE-----