CERT Summary CS-96.02


CERT Advisory

Mar 26, 1996, 3:00:00 AM3/26/96

---------------------------------------------------------------------------
CERT(sm) Summary CS-96.02
March 26, 1996

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
strategic incident response staff. The summary includes pointers to
sources of information for dealing with the problems. We also list new
or updated files that are available for anonymous FTP from
ftp://info.cert.org/pub/

Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
---------------------------------------------------------------------------

Recent Activity
---------------

In the two months since the last CERT Summary, we have continued to
receive reports about the same types of activities that were described
in CERT advisory CA-95:18 Widespread Attacks on Internet Sites. In
addition, we have seen an increase in the number of reports relating
to software piracy, many of which involve intruders taking advantage
of systems with poorly configured anonymous FTP areas.

If you haven't done so already, the CERT staff urges you to immediately
take the steps described in the advisories and README files listed below.
Note that it is important to check README files, as they can contain
updated information that we receive after an advisory is published.

The majority of the incidents reported to our incident response staff
during the last two months fit into one (or more) of these seven
categories:

1. Root compromise on systems that are unpatched or running old OS versions.

We receive daily reports of systems that have been compromised by
intruders who have gained unauthorized access to root or other
privileged accounts by exploiting widely known security vulnerabilities
on systems that did not have appropriate patches installed (and/or
systems that were running old [unpatched] versions of the operating
system).

We encourage everyone to check with their vendor(s) regularly for
updates or new patches that relate to their systems, and install
security-related patches as soon as they are available.

For a list of additional suggestions on recovering from a UNIX root
compromise, see

ftp://info.cert.org/pub/tech_tips/root_compromise


2. Compromised user-level accounts that are leveraged to gain further access.

We receive daily reports of compromised accounts that have been used to
launch attacks against other sites, and/or have been used to gain
privileged access on vulnerable systems.

We encourage you to check your systems regularly (in accordance
with your site policies and guidelines) for any signs of unauthorized
accesses or suspicious activity.

For a list of suggestions on how to determine whether your system may
have been compromised, see

ftp://info.cert.org/pub/tech_tips/security_info


3. Packet sniffers and Trojan horse programs

We continue to receive almost daily incident reports about intruders who
have installed packet sniffers on root-compromised systems. These
sniffers, used to collect account names and passwords, are frequently
installed as part of a widely-available kit that also replaces common
system files with Trojan horse programs. The Trojan horse binaries
(du, ls, ifconfig, netstat, login, ps, etc.) hide the intruders'
files and sniffer activity on the system on which they are installed.

For further information and methods for detecting packet sniffers and
Trojan horse binaries, see the following files:

ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
ftp://info.cert.org/pub/cert_advisories/CA-94:01.README

ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksums
ftp://info.cert.org/pub/cert_advisories/CA-94:05.README
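The checksum approach described in CA-94:05, as an added example that is not part of this CERT Summary or of any CERT tool: record digests of the commonly Trojaned binaries while the system is known clean, then recompute and compare later. Assumptions: the baseline is kept in md5sum-style "<digest>  <path>" text stored off the host, and the script and its interpreter are run from trusted media, since a Trojaned ls or ps cannot be trusted to report on itself.

```python
import hashlib
import os

# Binaries the summary names as commonly replaced by the Trojan horse kit.
WATCHED = ["du", "ls", "ifconfig", "netstat", "login", "ps"]

def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks. CA-94:05 used MD5, which is no longer
    collision-resistant, so SHA-256 is the default here."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_baseline(bindir, names=WATCHED, algorithm="sha256"):
    """Produce md5sum-style text ("<digest>  <path>") for the watched
    binaries present under bindir. Run this while the system is known clean."""
    lines = []
    for name in names:
        path = os.path.join(bindir, name)
        if os.path.isfile(path):
            lines.append(f"{file_digest(path, algorithm)}  {path}")
    return "\n".join(lines) + "\n"

def parse_baseline(text):
    """Parse baseline text back into {path: digest}, skipping blank/comment lines."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, path = line.split(None, 1)
            baseline[path] = digest.lower()
    return baseline

def verify(baseline, algorithm="sha256"):
    """Compare each baselined path with its current digest.
    Returns (modified, missing) path lists; an empty pair means no change."""
    modified, missing = [], []
    for path, expected in sorted(baseline.items()):
        if not os.path.isfile(path):
            missing.append(path)
        elif file_digest(path, algorithm) != expected:
            modified.append(path)
    return modified, missing
```

Store the output of record_baseline("/bin") on removable or read-only media, and later run verify(parse_baseline(text)) from a trusted boot: any path in the modified list has been replaced since the baseline was taken.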


4. IP spoofing attacks

We continue to receive several reports each week of IP spoofing
attacks. Intruders attack by using automated tools that are becoming
widespread on the Internet. Some sites incorrectly believed that they
were blocking such spoofed packets, and others planned to block them but
hadn't yet done so.

For further information on this type of attack and how to prevent it,
see

ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing
ftp://info.cert.org/pub/cert_advisories/CA-95:01.README


5. Software piracy

We receive new reports each week about compromised accounts and/or
poorly configured anonymous FTP servers that are being used for
exchanging pirated software. While the compromised accounts should be
addressed as a separate security issue (see item 2, above), the abuse of
anonymous FTP areas for software piracy activities can be reduced if the
anonymous FTP service is correctly configured and administered.

For related information and guidelines for configuring anonymous FTP,
see

ftp://info.cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity


6. Sendmail attacks

We still receive new reports each week about intruders attempting to
exploit vulnerabilities in the sendmail program mailer facility.
Unfortunately, some of these attacks have been successful against sites
that are running old versions of sendmail and/or are not restricting the
sendmail program mailer facility. Sendmail's program mailer facility can
be restricted by using the sendmail restricted shell program (smrsh).

Information on known sendmail vulnerabilities and the smrsh tool can be
obtained from

ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supplement
ftp://info.cert.org/pub/cert_advisories/CA-93:16a.README

ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities
ftp://info.cert.org/pub/cert_advisories/CA-95:05.README

ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-95:08.README

ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
ftp://info.cert.org/pub/cert_advisories/CA-95:11.README

ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul
ftp://info.cert.org/pub/cert_advisories/CA-95:13.README


The smrsh program can be obtained from:

ftp://info.cert.org/pub/tools/smrsh/

smrsh is also included in the sendmail 8.7.5 distribution.


7. NFS and NIS attacks, and automated tools to scan for vulnerabilities

We receive weekly reports of intruders using automated tools to scan
sites for hosts that may be vulnerable to NFS and NIS attacks.
Intruders are continuing to exploit the rpc.ypupdated vulnerability to
gain root access, and intruders are still exploiting widely known
vulnerabilities in NFS to gain root access.

For related information, see

ftp://info.cert.org/pub/cert_advisories/CA-95:17.rpc.ypupdated.vul
ftp://info.cert.org/pub/cert_advisories/CA-95:17.README

ftp://info.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities
ftp://info.cert.org/pub/cert_advisories/CA-94:15.README

ftp://info.cert.org/pub/cert_advisories/CA-92:13.SunOS.NIS.vulnerability


What's New at the CERT Coordination Center
------------------------------------------

The CERT Coordination Center has a new Web site. It includes
information on Internet security and has a link to the CERT FTP
archive.

http://www.cert.org


What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary (January 23,
1996).

* New Additions

ftp://info.cert.org/pub

incident_reporting_form v.3 (replaced v.2 with v.3)

ftp://info.cert.org/pub/cert_advisories

CA-96.01.UDP_service_denial
CA-96.02.bind
CA-96.03.kerberos_4_key_server
CA-96.04.corrupt_info_from_servers
CA-96.05.java_applet_security_mgr
CA-96.06.cgi_example_code

ftp://info.cert.org/pub/cert_bulletins

VB-96.01.splitvt
VB-96.02.sgi
VB-96.03.sun
VB-96.04.bsdi

ftp://info.cert.org/pub/FIRST

conference.info

ftp://info.cert.org/pub/tech_tips

root_compromise

ftp://info.cert.org/pub/tools

/cpm/* (replaced older version with v.1.2)
/sendmail/sendmail.8.7.5 (replaced older version)
/tcp_wrappers/tcp_wrappers_7.3 (replaced older version)
/sendmail/smrsh/* (replaced older version with v.8.4)

ftp://info.cert.org/pub/vendors

/sgi/SGI_contact_info


* Updated Files

ftp://info.cert.org/pub

cert_faq (version 10.2)

ftp://info.cert.org/pub/cert_advisories

CA-94:01.README (added info about cpm v.1.2)
CA-95:13.README (added info from sendmail author and Cray; added
info from HP and Sun)
CA-95:14.README (added info from NEC Corp and Silicon Graphics)
CA-95:17.README (added info from IBM)
CA-96.01.README (new URL for Argus; added info from Silicon Graphics)
CA-96.02.README (added info from IBM, Solbourne, and Silicon
Graphics)
CA-96.03.README (added new checksums and patch.readme info; added
info from Transarc and TGV Software, Inc.)
CA-96.04.README (added info from Silicon Graphics)
CA-96.05.README (added pointer to Netscape 2.01)
rdist-patch-status (added pointer to version 6.1.2)

ftp://info.cert.org/pub/vendors

/hp/HP.contact.info


---------------------------------------------------------------------------
How to Contact the CERT Coordination Center


Email ce...@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

URLs: http://www.cert.org/
ftp://info.cert.org/pub/

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advis...@cert.org

CERT advisories and bulletins are posted on the USENET news group
comp.security.announce

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.