-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CERT Summary CS-99-04 November 23, 1999 Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available from http://www.cert.org/summaries/ ______________________________________________________________________ Reminder: New CERT/CC PGP Key On October 4, 1999, the PGP key for the CERT/CC was replaced with a new PGP key. For more information, see http://www.cert.org/contact_cert/encryptmail.html ______________________________________________________________________ "CERT/CC Current Activity" Web Page The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC. It is available from http://www.cert.org/current/current_activity.html The information on the Current Activity page will be reviewed and updated as reporting trends change. ______________________________________________________________________ Year 2000 (Y2K) Information The CERT/CC has published information regarding the Y2K problem: Y2K Information http://www.cert.org/y2k-info/ ______________________________________________________________________ Recent Activity Since the last CERT summary, issued in August 1999 (CS-99-03), we have published advisories on WU-FTPD, BIND, CDE, and AMD. We have also analyzed and published information regarding distributed intruder tools. Among other activity, we continue to see widespread scans for known vulnerabilities. 1. Distributed Intruder Tools Denial of Service We have received reports of intruders compromising machines in order to install distributed systems used for launching packet flooding denial-of-service attacks. The systems typically contain a small number of servers and a large number of clients. These reports indicate that machines participating in such distributed systems are likely to have been root compromised. You can find more information in CERT Incident Note 99-07 http://www.cert.org/incident_notes/IN-99-07.html Sniffer We have received reports of intruders using distributed network sniffers to capture usernames and passwords. The distributed sniffer consists of a client and a server portion. As of this summary, the sniffer clients have been found exclusively on compromised Linux hosts. For more information please see CERT Incident Note 99-06 http://www.cert.org/incident_notes/IN-99-06.html 2. CDE Vulnerabilities Multiple vulnerabilities have been identified in some distributions of the Common Desktop Environment (CDE). These vulnerabilities are different from those discussed in CA-98.02 and can lead to intruders gaining root access on vulnerable systems. For more information please see CERT Advisory CA-99-11 http://www.cert.org/advisories/CA-99-1-CDE.html 3. BIND Vulnerabilities Several vulnerabilities have been found in BIND, the popular domain name server from the Internet Software Consortium (ISC). One of these vulnerabilities may allow remote intruders to gain privileged access to name servers. The others can severely disrupt the operation of the name server. For more information, please see CERT Advisory CA-99-14 http://www.cert.org/advisories/CA-99-14-bind.html 4. WU-FTPD Vulnerabilities Three vulnerabilities have been identified in WU-FTPD and other ftp daemons based on the WU-FTPD source code. WU-FTPD is a common package used to provide File Transfer Protocol (FTP) services. Remote and local intruders may be able to exploit these vulnerabilities to execute arbitrary code as the user running the ftp daemon (usually root). Incidents involving the first of these three vulnerabilities have been reported to the CERT Coordination Center. For more information please see CERT Advisory CA-99-13 http://www.cert.org/advisories/CA-99-13-wuftpd.html 5. AMD Vulnerabilities There is a buffer overflow vulnerability in the logging facility of the amd daemon. This daemon automatically mounts file systems in response to attempts to access files that reside on those file systems. Remote intruders can exploit this vulnerability to execute arbitrary code as the user running the amd daemon (usually root). For more information see CERT Advisory CA-99-12 http://www.cert.org/advisories/CA-99-12-amd.html We have received reports regarding exploits of this vulnerability. For more information please see CERT Incident Note 99-05 http://www.cert.org/incident_notes/IN-99-05.html 6. RPC Vulnerabilities We continue to receive reports of exploitations involving three RPC vulnerabilities: rpc.cmsd, ttdbserverd, and statd/automountd. These exploitations can lead to root compromise on systems that implement vulnerable RPC services. Analysis has shown that similar artifacts have been found on compromised systems. For more information on the vulnerabilities please see CERT Incident Note 99-04 http://www.cert.org/incident_notes/IN-99-04.html CERT Advisory CA-99-08 http://www.cert.org/advisories/CA-99-08-cmsd.html CERT Advisory CA-99-05 http://www.cert.org/advisories/CA-99-05-statd-automountd.html CERT Advisory CA-98-11 http://www.cert.org/advisories/CA-98.11.tooltalk.html 7. Virus and Trojan Horse Activity We continue to see reports of virus activity. Current versions of anti-virus software can help to protect your systems from these viruses. It is important to take great caution with any email or Usenet attachments that contain executable content. If you receive a message containing attachments, scan the message file with anti-virus software before you open or run the file. Doing this does not guarantee that the contents of the file are safe, but it lowers your risk of virus infection by checking for viruses and Trojan horses that your scanning software can detect. CERT/CC has published a Virus Resources page that includes information on Frequently Asked Questions (FAQs) about Computer Viruses Hoax and Chain Letter Databases Virus Databases Virus Organizations and Publications Anti-Virus Vendors Virus Related Papers Please see Virus Resources http://www.cert.org/other_sources/viruses.html 8. Continued Widespread Scans We continue to receive reports of scanning and probing activity. The most frequent reports tend to involve services that have well-known vulnerabilities. Hosts continue to be affected by exploitation of well-known vulnerabilities in these services. sunrpc (TCP port 111) and mountd (635) http://www.cert.org/advisories/CA-98.12.mountd.html http://www.cert.org/incident_notes/IN-99-04.html IMAP (TCP port 143) http://www.cert.org/advisories/CA-98.09.imapd.html POP3 (TCP port 110) http://www.cert.org/advisories/CA-98.08.qpopper_vul.html DNS (TCP port 53 [domain]) http://www.cert.org/advisories/CA-98.05.bind_problems.html http://www.cert.org/advisories/CA-97.22.bind.html ______________________________________________________________________ What's New and Updated Since the last CERT summary, we have developed new and updated * Advisories * CERT statistics * Incident notes * Tech tips/FAQs * Y2K information There are descriptions of these documents and links to them on our "What's New" web page at http://www.cert.org/nav/whatsnew.html ______________________________________________________________________ This document is available from: http://www.cert.org/summaries/CS-99-04.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message. Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA+AwUBODsBglr9kb5qlZHQEQIvZACbBrc75HYvuxT/JZDa778JBH3eWcAAlR1S AFgkAYyLg3U8XXq5dhCRR0g= =Oqqs -----END PGP SIGNATURE-----