FedCIRC Advisory FA-98-95

December 14, 1998

To aid in the wide distribution of essential security information, FedCIRC is forwarding the following information from CERT/CC summary CS-98.08. FedCIRC urges you to act on this information as soon as possible.

If you have any questions, please contact FedCIRC: Telephone: +1 888 282 0870 Email: fedcirc@fedcirc.gov

The CERT Coordination Center periodically issues the CERT Summary to draw attention to the types of attacks currently being reported to our incident response team, as well as to other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT Summaries are available from

Recent Activity

Since the last CERT Summary, issued in August 1998 (CS-98.07), we have seen these trends in incidents reported to us.

  1. Vulnerability in mountd

    We have seen many reports of this vulnerability being exploited on NFS servers running certain implementations of mountd, primarily Linux. On some systems, the vulnerable NFS server is enabled by default. This vulnerability can be exploited even if the NFS server does not export any file systems. Intruders who are able to exploit the vulnerability can do it remotely and can gain administrative access. We encourage you to review CERT Advisory CA-98.12, which describes the mountd vulnerability in more detail. The advisory is available from

    http://www.cert.org/advisories/CA-98.12.mountd.html

  2. Spread of Windows-Based Trojan Horse Programs

    In recent months, we have seen the spread of Windows-based Trojan horse programs. The most frequently reported incidents involving Windows-based Trojan horse programs involve the tools Back Orifice and NetBus.

    We receive occasional reports of compromised machines that have one of these tools installed; however, the majority of reports involving these tools are from sites noticing intruders scanning their networks for the presence of these tools. We receive daily reports indicating that intruders are actively scanning networks to find running instances of these tools on already compromised machines.

    Look for the following symptoms to detect those scans:

    NetBus - connection request (SYN) packets to TCP port 12345
    Back Orifice - UDP packets to port 31337

    Keep in mind that these tools can be configured to listen on different ports. Because of this, we encourage you to investigate any unexplained network traffic.

    Because these tools are Trojan horses, users must install them or be tricked into installing them. To impede the proliferation of this class of tools, we encourage system administrators to educate their users about safe computing practices (e.g., only install software from trusted sources, and use virus scanning software on any newly introduced software).

    For more information about Back Orifice, we encourage you to review CERT Vulnerability Note VN-98.07.

    http://www.cert.org/vul_notes/VN-98.07.backorifice.html

  3. Widespread Scans

    We continue to receive numerous daily reports of intruders using tools to scan networks for multiple vulnerabilities. On July 2, we published an incident note detailing this activity. This document is available at

    http://www.cert.org/incident_notes/IN-98.02.html

    Since July 2 these tools have become a bit more sophisticated. Variants of the "mscan" tool now probe for the most recent vulnerabilities including

    http://www.cert.org/advisories/CA-98.12.mountd.html

    Additionally, these tools incorporate the ability to identify a machine's architecture and operating system.

  4. Scripted Tools

    Very recently, we have received a few reports indicating that intruders are executing widespread attacks using scripted tools to control various information-gathering and exploitation tools. The combination of functionality used by the scripted tools enables intruders to automate the process of identifying and exploiting known vulnerabilities in specific host platforms. This information is available at

    http://www.cert.org/incident_notes/IN-98-06.html

  5. Stealth Scanning Techniques

    We have received a few reports indicating that intruders are using stealth scanning techniques. Stealth scanning is used by intruders to avoid detection. Details about stealth scanning techniques are available at

    http://www.cert.org/incident_notes/IN-98.04.html



    What's New and Updated

    Since the last CERT Summary, we have developed new and updated If you are interested in any of these, please see our What's New web page for descriptions and links:

    http://www.cert.org/nav/whatsnew.html

    This document is available from: http://www2.fedcirc.gov/alerts/advisories/1998/FA-98-95.html

    FedCIRC Contact Information

    Email: fedcirc@fedcirc.gov
    Phone: +1 888-282-0870 (24-hour toll-free hotline)
    Phone: +1 412-268-6321 (24-hour hotline)
    Fax: +1 412-268-6989
    Postal address:
    FedCIRC CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.
    FedCIRC personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

    Using encryption

    We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www2.fedcirc.gov/keys.html. If you prefer to use DES, please call the FedCIRC hotline for more information.

    Getting security information

    FedCIRC publications and other security information are available from our web site http://www.fedcirc.gov/.

    FedCIRC (Federal Computer Incident Response Capability) is operated by the CERT/CC for the U.S. General Services Administration. FedCIRC provides security services to U.S. Federal civilian agencies.

    Copyright 1998 Carnegie Mellon University.
    Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html.

    * CERT is registered in the U.S. Patent and Trademark Office

    NO WARRANTY
    Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.