CERT (sm) Summary
CS-99-01
-----BEGIN PGP SIGNED MESSAGE-----
CERT Summary CS-99-01 February 23, 1999
The CERT Coordination Center periodically issues the CERT summary to draw attention to the types of attacks currently being reported to our incident response team, as well as to other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.
Past CERT summaries are available from http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last CERT summary, issued in December 1998 (CS-98.08), we have seen these trends in incidents reported to us.
1. Widespread Scans

We continue to receive numerous daily reports of intruders using tools to scan networks for multiple vulnerabilities. Intruder scanning tools continue to become more sophisticated. On January 28, 1999, we published an incident note describing a new scanning tool that searches for multiple known vulnerabilities on remote systems. The tool incorporates probes for known vulnerabilities, remote operating system identification, and a scripting language that simplifies automation of probes and exploitation attempts.
For more information, see our incident note at http://www.cert.org/incident_notes/IN-99-01.html
Reports also indicate that scanning techniques addressed in previous CERT incident notes, such as scripted tools and stealth scanning, are still being employed by intruders. For more information, see
+ http://www.cert.org/incident_notes/IN-98-06.html
+ http://www.cert.org/incident_notes/IN-98-05.html
+ http://www.cert.org/incident_notes/IN-98.04.html
+ http://www.cert.org/incident_notes/IN-98.02.html
The daily reports of widespread scans and exploitation attempts involve many vulnerabilities; however, the most frequent reports involve activity with well-known vulnerabilities in "mountd", "imap", and "pop3" services for which CERT advisories have been published. These services are installed and enabled by default in some operating systems. The scans and exploitation attempts still result in sites being compromised. See the following advisories for more information:
+ sunrpc (tcp port 111) and mountd (635) http://www.cert.org/advisories/CA-98.12.mountd.html
+ imap (tcp port 143) http://www.cert.org/advisories/CA-98.09.imapd.html
+ pop3 (tcp port 110) http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
We encourage you to make sure that all systems at your site are up to date with patches and that your machines are properly secured.
2. Back Orifice and NetBus

We continue to receive daily reports of incidents involving Windows-based "remote administration" programs such as Back Orifice and NetBus. Occasionally these are reports of compromised machines that have one of these tools installed. However, the majority of these reports involve sites that have detected intruders scanning for the presence of these tools. These scans may appear as unauthorized traffic as follows:
+ NetBus - connection request (SYN) packets to TCP ports 12345, 12346, or 20034
+ Back Orifice - UDP packets to port 31337
Keep in mind that these tools can be configured to listen on different ports. Because of this, we encourage you to investigate any unexplained network traffic. For more information about Back Orifice, review CERT vulnerability note VN-98.07: http://www.cert.org/vul_notes/VN-98.07.backorifice.html
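As an added example (not part of the CERT summary), the detection logic the two bullets above describe, run over a few constructed packet-summary log lines in an assumed format; it also groups hits by source address so that one host sweeping many machines stands out, which is the scanning pattern the reports describe. The log format, the sample addresses and the function names are assumptions for this illustration.

```python
import re
from collections import defaultdict
# Default listening ports named in CERT Summary CS-99-01.
NETBUS_TCP_PORTS = {12345, 12346, 20034}
BACK_ORIFICE_UDP_PORT = 31337

# Constructed log format (an assumption, not a CERT or real tool format):
# "<time> <proto> <src_ip>:<src_port> > <dst_ip>:<dst_port> [TCP flags]"
LINE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):\d+\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+(?P<flags>[A-Z]+))?$")

def classify(line):
    """Return (tool, src, dst, dport) for a probe line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip it rather than abort the sweep
    proto, dport, flags = m["proto"], int(m["dport"]), m["flags"] or ""
    # NetBus probe: bare TCP SYN (no ACK) to one of its default ports.
    if proto == "tcp" and dport in NETBUS_TCP_PORTS and "S" in flags and "A" not in flags:
        return ("netbus", m["src"], m["dst"], dport)
    # Back Orifice probe: any UDP datagram to its default port.
    if proto == "udp" and dport == BACK_ORIFICE_UDP_PORT:
        return ("backorifice", m["src"], m["dst"], dport)
    return None

def scan_report(lines):
    """Group hits by source; one source hitting many hosts is a scanner."""
    by_src = defaultdict(lambda: {"tools": set(), "targets": set()})
    for line in lines:
        hit = classify(line)
        if hit:
            tool, src, dst, _ = hit
            by_src[src]["tools"].add(tool)
            by_src[src]["targets"].add(dst)
    return {src: {"tools": sorted(v["tools"]), "targets": len(v["targets"])}
            for src, v in by_src.items()}

# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "10:01:02 tcp 203.0.113.5:4021 > 192.0.2.10:12345 S",
    "10:01:02 tcp 203.0.113.5:4022 > 192.0.2.11:12345 S",
    "10:01:03 tcp 203.0.113.5:4023 > 192.0.2.12:20034 S",
    "10:01:04 udp 203.0.113.5:1040 > 192.0.2.10:31337",
    "10:01:05 tcp 192.0.2.10:12345 > 203.0.113.5:4021 SA",  # SYN/ACK reply, not a probe
    "10:01:06 tcp 198.51.100.7:3300 > 192.0.2.10:80 S",      # ordinary web connection
    "this line does not parse and must not break the sweep",
]
if __name__ == "__main__":
    print(scan_report(SAMPLE_LOG))
```

Only the default ports are matched here; as the summary notes, both tools can be reconfigured, so a low hit count from a given source is a reason to look at its other traffic, not a reason to dismiss it.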
3. Trojan Horse Programs

Over the past few months, we have seen an increase in the number of incident reports related to Trojan horse programs affecting both Windows and UNIX platforms.
+ CERT advisory CA-99-02 includes descriptions of several recent incidents involving Trojan horse programs, including a false upgrade to Internet Explorer, a Trojan horse version of TCP Wrappers, and a Trojan horse version of util-linux. The advisory also provides advice for system and network administrators, end users, software developers, and distributors. The advisory is available from http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
+ CERT advisory CA-99-01 discusses the Trojan horse version of TCP Wrappers in greater detail, and provides information on how to verify the integrity of your TCP Wrappers distribution. http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
4. FTP Buffer Overflows

Very recently, we have received a few reports of intruders scanning for and exploiting a remote buffer overflow vulnerability in various FTP servers. By supplying carefully designed commands to the FTP server, intruders can force the server to execute arbitrary commands with root privilege. Intruders can exploit the vulnerability remotely to gain administrative access. We encourage you to review text provided by Netect, Inc. in CERT advisory CA-99-03, which describes the ftpd vulnerability in more detail. The advisory is available from http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
______________________________________________________________________
What's New and Updated

Since the last CERT summary, we have developed new and updated
+ Advisories
+ Incident notes
+ Security improvement modules
+ Technical reports
+ The CERT/CC 1998 Annual Report
+ Computer Security Incident Response Team (CSIRT) Handbook
+ Incident response courses
There are descriptions of these documents and links to them on our What's New web page at http://www.cert.org/nav/whatsnew.html
______________________________________________________________________
This document is available from: http://www.cert.org/summaries/CS-99-01.html.
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site http://www.cert.org/. To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html.
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
This page was last updated Thursday, 15-Nov-2001 17:01:59 PST