******************************************************************************
             ------               -----   -----  ---     -----
             |      ----- ----   |          |    |  |   |
             |---   |     |   |  |          |    |  |   |
             |      |--   |   |  |          |    |--    |
             |      |     |   |  |          |    | \    |
             |      ----- ----    -----   -----  |  \    -----

                               A D V I S O R Y

				  FA-98.43
******************************************************************************
Topic: CERT* Summary CS-98.06
Source: CERT/CC

Creation Date: June 11, 1998
Last Updated: 


To aid in the wide distribution of essential security information,
FedCIRC is forwarding the following information from CERT/CC summary
CS-98.06. FedCIRC urges you to act on this information as soon as
possible.

If you have any questions, please contact FedCIRC:

        Telephone:      +1 888 282 0870
        Email:          fedcirc@fedcirc.gov



=======================FORWARDED TEXT STARTS HERE============================


-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT* Summary CS-98.06
June 11, 1998

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
incident response team. The summary includes pointers to sources of
information for dealing with the problems.

Past CERT Summaries are available from
        http://www.cert.org/summaries/
        ftp://ftp.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Recent Activity
- ---------------
Since the last regularly scheduled CERT Summary issued in March 1998
(CS-98.03), we have seen these trends in incidents reported to us.

1. Multiple Vulnerabilities in BIND

   In two previous special edition CERT Summaries, CS-98.04 and CS-98.05, we
   discussed several attack methods being used to exploit
   vulnerabilities in BIND. CS-98.04 and CS-98.05 are available from

        http://www.cert.org/summaries/CS-98.04.html
        http://www.cert.org/summaries/CS-98.05.html

   We have observed several changes to the methods of attack used to
   exploit the BIND vulnerabilities. Exploitation of these
   vulnerabilities might allow a remote intruder to gain privileged
   (root) access on your domain name server or to disrupt normal
   operation of your domain name server.

   Although the methods of attack are being modified, these attacks
   are still exploiting vulnerabilities described in CERT advisory
   CA-98.05. We encourage you to review this advisory, which describes
   the BIND buffer overflow vulnerability, and to apply the
   appropriate patches if you have not done so already. The advisory
   is available at

        http://www.cert.org/advisories/CA-98.05.bind_problems.html


2. Scans to Port 1/tcpmux and unpassworded SGI accounts

   Over the past month we have received reports of widespread scans to
   TCP port 1. The service assigned to TCP port 1 is tcpmux. For more
   information, see RFC#1078, which is available at

        ftp://ftp.isi.edu/in-notes/rfc1078.txt

   We know that some of the scans originated from sites that had root
   compromises. From a site that was used to launch these scans, we
   were able to obtain files that indicate that the intruder was
   scanning for IRIX machines.

   By default, IRIX systems have tcpmux enabled. Once the intruder
   found a number of machines with a service running on port 1/tcpmux,
   the intruder then used another automated tool to telnet to each of
   these machines and attempt to log in as guest, lp, and demos.

   We have been in communication with SGI about this issue. At this
   time there does not appear to be any vulnerability in the SGI
   implementation of tcpmux or any service provided through tcpmux.

   IRIX Root Compromises

   In addition to the above incidents, we have noticed an increase in
   the number of reports of IRIX root compromises over the past
   month. We have also received numerous independent reports of
   widespread failed login attempts to lp, guest, demos, OutOfBox, and
   EZsetup accounts.

   IRIX machines ship by default with unpassworded accounts. As of
   IRIX 6.3 there is a security tool to easily disable or add
   passwords to these accounts at installation time. Please refer to
   the following advisories for more information about this issue:

        ftp://sgigate.sgi.com/security/19951002-01-I
        http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html

   We strongly encourage you to ensure that the full set of security
   patches for each of your systems is applied. This is a major step
   in defending your systems from attack; its importance cannot be
   overstated.

   We encourage you to check with your vendor regularly for any
   updates or new patches that relate to your systems. We also
   encourage you to ensure that you are up to date with patches and
   workarounds referenced in CERT advisories.

   IRIX patches are available from

        http://www.sgi.com/Support/security/security.html

   If your IRIX machine has unpassworded accounts, then in addition to
   disabling (or adding password protection to) accounts which do not
   have passwords, we encourage you to inspect your system for signs
   of intrusion. For instructions on how to do this, please refer to
   the "Recovering from an Incident" web page, available from

        http://www.cert.org/nav/recovering.html


3. Root Compromises

   We continue to receive daily reports of sites that have suffered a
   root compromise. Many of these compromises can be traced to systems
   that are unpatched or misconfigured, which the intruders exploit
   using well-known vulnerabilities for which CERT advisories have
   been published.

   We encourage you to check for signs of compromise. The following
   documents can help you review your systems:

   Intruder Detection Checklist

        This document outlines suggested steps for determining if your
        system has been compromised.

        ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

   Steps for Recovering from a UNIX Root Compromise

        This document sets out suggested steps for responding to a
        root compromise.

        http://www.cert.org/tech_tips/root_compromise.html

   UNIX Configuration Guidelines

        This document describes common UNIX system configuration
        problems that have been exploited by intruders and recommends
        practices that can be used to help deter several types of
        break-ins.

        ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

   List of Security Tools

        This document describes tools that can be used to help secure
        a system and deter break-ins.

        ftp://ftp.cert.org/pub/tech_tips/security_tools



What's New and Updated
- ----------------------
Information about new and updated CERT documents, such as advisories,
is available through the CERT web site at

   http://www.cert.org/nav/whatsnew.html

- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email   cert@cert.org

Phone   +1 412-268-7090 (24-hour hotline)
               CERT personnel answer 8:30-5:00 p.m. EST
               (GMT-5)/EDT(GMT-4), and are on call for
               emergencies during other hours.

Fax     +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
        comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
        ftp://ftp.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff/legal_stuff.html and
ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access,
send mail to cert@cert.org with "copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNYAnx3VP+x0t4w7BAQH1nQQAiYMz9bJ742vAIJ5wFMZgoa+2LtQdr1lo
ulcin+IFsNPNF4JVqosT06NlVnyWRBZrJ35J4GUktHN8HMXafIT818X59+FAStGE
s4d1QLgL5bg8k0Gb7n/r1pyQoKnhOLmWGEqZFrHfJ2mZOF6zDKG8qHnZJVqpVrnO
riWfaUKp7y4=
=wsY8
-----END PGP SIGNATURE-----

========================FORWARDED TEXT ENDS HERE=============================

The National Institute of Standards and Technology (NIST) has
established a Federal Computer Incident response Capability (FedCIRC)
to assist federal civilians agencies in their incident handling
efforts by providing proactive and reactive computer security related
services.  FedCIRC is a partnership among NIST, the Computer Incident
Advisory Capability (CIAC), and the CERT* Coordination Center
(CERT/CC). 

If you believe that your system has been compromised, please contact
FedCIRC: 

        Telephone:      +1 888 282 0870
        Email:          fedcirc@fedcirc.gov
        Web Server:     http://www.fedcirc.gov/

* Registered in U.S. Patent and Trademark Office
 
The CERT Coordination Center is part of the Software Engineering
Institute.  The Software Engineering Institute is sponsored by the
U.S. Department of Defense.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
 
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.