Archive Date: 24-02-2001
Category: Information Technologies
Sub-category: Computers

      http://cert.ip-plus.net/bulletin-archive/msg00108.html


      CERT Summary CS-99-01




      CERT Summary CS-99-01

      February 23, 1999

      The CERT Coordination Center periodically issues the CERT summary to
      draw attention to the types of attacks currently being reported to our
      incident response team, as well as to other noteworthy incident and
      vulnerability information. The summary includes pointers to sources of
      information for dealing with the problems.

      Past CERT summaries are available from

      http://www.cert.org/summaries/
      ______________________________________________________________________

      Recent Activity

      Since the last CERT summary, issued in December 1998 (CS-98.08), we
      have seen these trends in incidents reported to us.

      1. Widespread Scans

      We continue to receive numerous daily reports of intruders using
      tools to scan networks for multiple vulnerabilities. Intruder
      scanning tools continue to become more sophisticated.
      On January 28, 1999, we published an incident note describing a
      new scanning tool that searches for multiple known vulnerabilities
      on remote systems. The tool incorporates probes for known
      vulnerabilities, remote operating system identification, and a
      scripting language that simplifies automation of probes and
      exploitation attempts. For more information, see our incident note
      at
      http://www.cert.org/incident_notes/IN-99-01.html

      Reports also indicate that scanning techniques addressed in
      previous CERT incident notes, such as scripted tools and stealth
      scanning, are still being employed by intruders. For more
      information, see

      + http://www.cert.org/incident_notes/IN-98-06.html
      + http://www.cert.org/incident_notes/IN-98-05.html
      + http://www.cert.org/incident_notes/IN-98.04.html
      + http://www.cert.org/incident_notes/IN-98.02.html

      The daily reports of widespread scans and exploitation attempts
      involve many vulnerabilities; however, the most frequent reports
      involve activity with well-known vulnerabilities in "mountd",
      "imap", and "pop3" services for which CERT advisories have been
      published. These services are installed and enabled by default in
      some operating systems. The scans and exploitation attempts still
      result in sites being compromised. See the following advisories
      for more information:

      + sunrpc (tcp port 111) and mountd (635)
      http://www.cert.org/advisories/CA-98.12.mountd.html
      + imap (tcp port 143)
      http://www.cert.org/advisories/CA-98.09.imapd.html
      + pop3 (tcp port 110)
      http://www.cert.org/advisories/CA-98.08.qpopper_vul.html

      We encourage you to make sure that all systems at your site are up
      to date with patches and that your machines are properly secured.

      2. Back Orifice and NetBus

      We continue to receive daily reports of incidents involving
      Windows-based "remote administration" programs such as Back Orifice and
      NetBus. Occasionally these are reports of compromised machines that
      have one of these tools installed. However, the majority of these
      reports involve sites that have detected intruders scanning for the
      presence of these tools. These scans may appear as unauthorized traffic
      as follows:

      + NetBus - connection requests (SYN) packets to TCP ports
      12345, 12346, or 20034
      + Back Orifice - UDP packets to port 31337

      Keep in mind that these tools can be configured to listen on
      different ports. Because of this, we encourage you to investigate
      any unexplained network traffic.
      For more information about Back Orifice, review CERT vulnerability
      note VN-98.07:

      http://www.cert.org/vul_notes/VN-98.07.backorifice.html
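A defender-side detection pass over the probe signatures named in sections 1 and 2 above, added here as an illustration and not part of the CERT summary: it parses constructed firewall-style log lines, flags inbound SYNs or UDP datagrams to the listed service and trojan ports, and reports any source that probes several host/service combinations, the pattern of the scanning tools described above. The log format, the WATCHED_PORTS table and the threshold are assumptions, and, as the summary notes, Back Orifice and NetBus can be configured to listen elsewhere, so a port match is only a first filter.

```python
import re
from collections import defaultdict

# Ports named in the summary (added mapping, not from the page).
WATCHED_PORTS = {("tcp", 111): "sunrpc", ("tcp", 635): "mountd",
                 ("tcp", 143): "imap", ("tcp", 110): "pop3",
                 ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
                 ("tcp", 20034): "NetBus", ("udp", 31337): "Back Orifice"}

# Simplified constructed log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> [flags]"
LINE_RE = re.compile(r"^\S+ (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<flags>\S+))?$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), dport=int(m.group("dport"))) if m else None

def classify(rec):
    """Name the watched service a record probes, or None. For TCP only a bare
    SYN counts, so SYN/ACK replies from our own servers are not flagged."""
    if rec["proto"] == "tcp" and rec["flags"] != "S":
        return None
    return WATCHED_PORTS.get((rec["proto"], rec["dport"]))

def find_sweeps(lines, min_probes=3):
    """Sources with >= min_probes distinct (host, service) probes: a sweep
    across many hosts, or a multi-vulnerability scan of a single host."""
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        svc = classify(rec) if rec else None
        if svc:
            probes[rec["src"]].add((rec["dst"], svc))
    return {src: {"hosts": len({h for h, _ in p}),
                  "services": sorted({s for _, s in p})}
            for src, p in probes.items() if len(p) >= min_probes}

# Constructed sample traffic on RFC 5737 documentation addresses, not real events.
SAMPLE_LOG = """
1999-02-20T03:11:02 tcp 192.0.2.7:1040 -> 203.0.113.10:12345 S
1999-02-20T03:11:02 tcp 192.0.2.7:1041 -> 203.0.113.11:12345 S
1999-02-20T03:11:03 tcp 192.0.2.7:1042 -> 203.0.113.12:12345 S
1999-02-20T03:11:03 udp 192.0.2.7:1043 -> 203.0.113.12:31337
1999-02-20T03:12:00 tcp 198.51.100.5:2000 -> 203.0.113.10:143 S
1999-02-20T03:12:00 tcp 198.51.100.5:2001 -> 203.0.113.10:110 S
1999-02-20T03:12:01 tcp 198.51.100.5:2002 -> 203.0.113.10:111 S
1999-02-20T03:13:00 tcp 203.0.113.10:143 -> 198.51.100.5:2000 SA
""".strip().splitlines()
```

Running find_sweeps(SAMPLE_LOG) reports 192.0.2.7 as a NetBus/Back Orifice sweep across three hosts and 198.51.100.5 as a multi-service scan of one host; any source below the threshold is left for the analyst to review as unexplained traffic.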

      3. Trojan Horse Programs

      Over the past few months, we have seen an increase in the number
      of incident reports related to Trojan horse programs affecting
      both Windows and UNIX platforms.

      + CERT advisory CA-99-02 includes descriptions of several
      recent incidents involving Trojan horse programs, including a
      false upgrade to Internet Explorer, a Trojan horse version of
      TCP Wrappers, and a Trojan horse version of util-linux. The
      advisory also provides advice for system and network
      administrators, end users, software developers, and
      distributors. The advisory is available from

      http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

      + CERT advisory CA-99-01 discusses the Trojan horse version of
      TCP Wrappers in greater detail and provides information on
      how to verify the integrity of your TCP Wrappers
      distribution.

      http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html

      4. FTP Buffer Overflows

      Very recently, we have received a few reports of intruders
      scanning for and exploiting a remote buffer overflow vulnerability
      in various FTP servers. By supplying carefully designed commands
      to the FTP server, intruders can force the server to execute
      arbitrary commands with root privilege. Intruders can exploit the
      vulnerability remotely to gain administrative access. We encourage
      you to review text provided by Netect, Inc. in CERT advisory
      CA-99-03, which describes the ftpd vulnerability in more detail.
      The advisory is available from

      http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html

      __________________________________________________________________

      What's New and Updated

      Since the last CERT summary, we have developed new and updated

      + Advisories
      + Incident notes
      + Security improvement modules
      + Technical reports
      + The CERT/CC 1998 Annual Report
      + Computer Security Incident Response Team (CSIRT) Handbook
      + Incident response courses

      There are descriptions of these documents and links to them on our
      What's New web page at

      http://www.cert.org/nav/whatsnew.html
      __________________________________________________________________

      This document is available from:

      http://www.cert.org/summaries/CS-99-01.html.
      __________________________________________________________________

      CERT/CC Contact Information

      Email: cert@cert.org
      Phone: +1 412-268-7090 (24-hour hotline)
      Fax: +1 412-268-6989
      Postal address:
      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
      Pittsburgh PA 15213-3890
      U.S.A.

      CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
      EDT(GMT-4) Monday through Friday; they are on call for emergencies
      during other hours, on U.S. holidays, and on weekends.

      Using encryption

      We strongly urge you to encrypt sensitive information sent by
      email. Our public PGP key is available from
      http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call
      the CERT hotline for more information.

      Getting security information

      CERT publications and other security information are available from our
      web site
      http://www.cert.org/. To be added to our mailing list for
      advisories and bulletins, send email to cert-advisory-request@cert.org
      and include SUBSCRIBE your-email-address in the subject of your
      message.

      Copyright 1999 Carnegie Mellon University.

      Conditions for use, disclaimers, and sponsorship information can
      be found in
      http://www.cert.org/legal_stuff.html.

      * "CERT" and "CERT Coordination Center" are registered in the U.S.
      Patent and Trademark Office
      __________________________________________________________________

      NO WARRANTY
      Any material furnished by Carnegie Mellon University and the
      Software Engineering Institute is furnished on an "as is" basis.
      Carnegie Mellon University makes no warranties of any kind, either
      expressed or implied as to any matter including, but not limited
      to, warranty of fitness for a particular purpose or
      merchantability, exclusivity or results obtained from use of the
      material. Carnegie Mellon University does not make any warranty of
      any kind with respect to freedom from patent, trademark, or
      copyright infringement.

      --
      Peter Haag, IP-Plus Internet
      peter@ip-plus.net / peter@unisource.ch
      Tel. +41 (0)1 445 19 45, Fax +41 (0)1 445 19 50
      PGP public key: http://www-swiss.ai.mit.edu/~bal/pks-commands.html#extract

