CERT Summary CS-96.02

Fence-Walker (uncl@llnl.gov)
Tue, 26 Mar 1996 21:21:57 -0800

Date: Tue, 26 Mar 1996 15:09:26 -0500
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Summary CS-96.02
Reply-To: cert-advisory-request@cert.org
Organization: CERT(sm) Coordination Center -  +1 412-268-7090

---------------------------------------------------------------------------
CERT(sm) Summary CS-96.02
March 26, 1996

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
strategic incident response staff. The summary includes pointers to
sources of information for dealing with the problems. We also list new
or updated files that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from 
     ftp://info.cert.org/pub/cert_summaries/
---------------------------------------------------------------------------

Recent Activity 
--------------- 

In the two months since the last CERT Summary, we have continued to
receive reports about the same types of activities that were described
in CERT advisory CA-95:18 Widespread Attacks on Internet Sites. In
addition, we have seen an increase in the number of reports relating
to software piracy, many of which involve intruders taking advantage
of systems with poorly configured anonymous FTP areas.

If you haven't done so already, the CERT staff urges you to immediately
take the steps described in the advisories and README files listed below.
Note that it is important to check README files, as they can contain
updated information that we receive after an advisory is published.

The majority of the incidents reported to our incident response staff
during the last two months fit into one (or more) of these seven
categories:

1. Root compromise on systems that are unpatched or running old OS versions.

   We receive daily reports of systems that have been compromised by
   intruders who have gained unauthorized access to root or other
   privileged accounts by exploiting widely known security vulnerabilities
   on systems that did not have appropriate patches installed (and/or
   systems that were running old [unpatched] versions of the operating
   system).

   We encourage everyone to check with their vendor(s) regularly for
   updates or new patches that relate to their systems, and install
   security-related patches as soon as they are available.

   For a list of additional suggestions on recovering from a UNIX root
   compromise, see

 ftp://info.cert.org/pub/tech_tips/root_compromise

2. Compromised user-level accounts that are leveraged to gain further access.

   We receive daily reports of compromised accounts that have been used to
   launch attacks against other sites, and/or have been used to gain
   privileged access on vulnerable systems.

   We encourage you to check your systems regularly (in accordance
   with your site policies and guidelines) for any signs of unauthorized
   accesses or suspicious activity.

   For a list of suggestions on how to determine whether your system may
   have been compromised, see

 ftp://info.cert.org/pub/tech_tips/security_info

3. Packet sniffers and Trojan horse programs

   We continue to receive almost daily incident reports about intruders who
   have installed packet sniffers on root-compromised systems. These
   sniffers, used to collect account names and passwords, are frequently
   installed as part of a widely-available kit that also replaces common
   system files with Trojan horse programs. The Trojan horse binaries
   (du, ls, ifconfig, netstat, login, ps, etc.) hide the intruders'
   files and sniffer activity on the system on which they are installed.

   For further information and methods for detecting packet sniffers and
   Trojan horse binaries, see the following files:

 ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
 ftp://info.cert.org/pub/cert_advisories/CA-94:01.README

 ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksums
 ftp://info.cert.org/pub/cert_advisories/CA-94:05.README
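   The checksum approach CA-94:05 recommends, carried through as an added
   example (the editor's Python, not CERT's code): build a manifest of the
   binaries the kits replace from a known-good system, keep it off-host, and
   re-verify later. Permission bits are recorded too, since a swapped-in
   binary is often left setuid. SHA-256 is used instead of the MD5 of the
   advisory because MD5 is no longer collision-resistant. Note the caveat
   that a kit which replaced ls and ps may equally have replaced the shared
   libc or the kernel the checker runs on, so the check is only trustworthy
   when run from a clean boot or install medium; the dummy binaries and the
   tampering in demo() are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

# Binaries the sniffer kits described above typically replace.
WATCHED = ("du", "ls", "ifconfig", "netstat", "login", "ps")


def file_digest(path, algo="sha256"):
    """Hex digest of a file, streamed so large binaries do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, names=WATCHED):
    """Record (digest, permission bits) for each watched binary under root.

    Run this on a known-good system and store the result off-host; a manifest
    kept on the compromised machine can itself be edited by the intruder.
    """
    manifest = {}
    for name in names:
        path = os.path.join(root, name)
        if os.path.isfile(path) and not os.path.islink(path):
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            manifest[name] = (file_digest(path), mode)
    return manifest


def verify_manifest(root, manifest):
    """Compare the live tree to a stored manifest; return {name: reason} of changes.

    An empty dict means every watched binary matches. Permission bits are
    compared as well as content: a swapped-in binary is often left setuid.
    """
    findings = {}
    for name, (digest, mode) in manifest.items():
        path = os.path.join(root, name)
        if not os.path.lexists(path):
            findings[name] = "missing"
        elif os.path.islink(path):
            findings[name] = "replaced by symlink -> " + os.readlink(path)
        elif file_digest(path) != digest:
            findings[name] = "content changed"
        else:
            live = stat.S_IMODE(os.lstat(path).st_mode)
            if live != mode:
                findings[name] = "mode changed %o -> %o" % (mode, live)
    return findings


def demo():
    """Build a baseline over constructed dummy binaries, tamper, and re-verify."""
    root = tempfile.mkdtemp()
    for name in WATCHED:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
        os.chmod(os.path.join(root, name), 0o755)
    baseline = build_manifest(root)
    clean = verify_manifest(root, baseline)
    # Simulate a kit: trojaned ls, setuid du, ps deleted, netstat symlinked away.
    with open(os.path.join(root, "ls"), "wb") as f:
        f.write(b"#!/bin/sh\n/bin/ls \"$@\" | grep -v sniffer\n")
    os.chmod(os.path.join(root, "du"), 0o4755)
    os.remove(os.path.join(root, "ps"))
    os.remove(os.path.join(root, "netstat"))
    os.symlink("/tmp/.x/netstat", os.path.join(root, "netstat"))
    return clean, verify_manifest(root, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("clean baseline:", before)
    for name, reason in sorted(after.items()):
        print("%-8s %s" % (name, reason))
```

   In practice build_manifest() would be pointed at /bin, /usr/bin and
   /usr/etc (or wherever the vendor installs these tools) and the manifest
   compared against the vendor's published checksums before being trusted.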

4. IP spoofing attacks

   We continue to receive several reports each week of IP spoofing
   attacks. Intruders attack by using automated tools that are becoming
   widespread on the Internet. Some sites incorrectly believed that they
   were blocking such spoofed packets, and others planned to block them but
   hadn't yet done so.

   For further information on this type of attack and how to prevent it,
   see

 ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing
 ftp://info.cert.org/pub/cert_advisories/CA-95:01.README
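   The filtering CA-95:01 asks for, as an added example (the editor's
   Python, not CERT's or any router vendor's code): a border filter that
   drops packets arriving from outside with a source address inside your own
   network (ingress), drops unroutable sources, and drops packets leaving
   with a source address that is not yours (egress, so a compromised host of
   yours cannot be used to spoof someone else). The interface names ext0 and
   int0, the 192.0.2.0/24 "our network" prefix and the sample packets are
   constructed; the iptables rendering assumes a Linux host in the router's
   role. The point of a decide() function you can run against sample
   packets is exactly the failure the summary reports: sites that believed
   they were blocking spoofed packets and were not.

```python
import ipaddress

# Source addresses that have no business arriving from the Internet side.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


class BorderFilter:
    """Anti-spoofing policy for a border router with one outside and one inside interface."""

    def __init__(self, internal_prefixes, external_if="ext0", internal_if="int0"):
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]
        self.external_if = external_if
        self.internal_if = internal_if

    def is_internal(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.internal)

    def decide(self, in_if, src):
        """Return 'ACCEPT' or 'DROP: <reason>' for a packet with source src seen on in_if."""
        ip = ipaddress.ip_address(src)
        if in_if == self.external_if:
            # Ingress: the outside world must never claim to be us ...
            if self.is_internal(src):
                return "DROP: spoofed internal source %s arrived on %s" % (src, in_if)
            # ... nor use addresses that cannot legitimately be routed from outside.
            if any(ip in net for net in BOGON_SOURCES):
                return "DROP: unroutable source %s arrived on %s" % (src, in_if)
            return "ACCEPT"
        if in_if == self.internal_if:
            # Egress: our hosts may only send with our own addresses, so a
            # compromised machine here cannot be used to spoof a third party.
            if not self.is_internal(src):
                return "DROP: egress spoof, non-local source %s on %s" % (src, in_if)
            return "ACCEPT"
        return "DROP: packet on unknown interface %s" % in_if

    def iptables_rules(self):
        """Render the same policy as iptables commands (Linux box in the router role)."""
        rules = []
        for net in self.internal:
            for chain in ("INPUT", "FORWARD"):
                rules.append("iptables -A %s -i %s -s %s -j DROP" % (chain, self.external_if, net))
        for net in BOGON_SOURCES:
            for chain in ("INPUT", "FORWARD"):
                rules.append("iptables -A %s -i %s -s %s -j DROP" % (chain, self.external_if, net))
        for net in self.internal:
            rules.append("iptables -A FORWARD -i %s -s %s -j ACCEPT" % (self.internal_if, net))
        rules.append("iptables -A FORWARD -i %s -j DROP" % self.internal_if)
        return rules


# Constructed packets to exercise the policy; 192.0.2.0/24 stands in for "our" network.
SAMPLE_PACKETS = [
    ("ext0", "192.0.2.7"),      # outside packet claiming to be inside: the classic spoof
    ("ext0", "10.1.2.3"),       # RFC 1918 source from the Internet
    ("ext0", "198.51.100.9"),   # ordinary remote host
    ("int0", "192.0.2.7"),      # our host talking out
    ("int0", "198.51.100.9"),   # our host forging someone else's address
]


def run_sample():
    f = BorderFilter(["192.0.2.0/24"])
    return {pkt: f.decide(*pkt) for pkt in SAMPLE_PACKETS}


if __name__ == "__main__":
    for (iface, src), verdict in run_sample().items():
        print("%-5s %-15s %s" % (iface, src, verdict))
    print("\n".join(BorderFilter(["192.0.2.0/24"]).iptables_rules()))
```

   Whatever device actually enforces this, test it the same way: inject a
   packet on the outside interface with an inside source address and confirm
   it is dropped, rather than trusting that the configuration reads right.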

5. Software piracy

   We receive new reports each week about compromised accounts and/or
   poorly configured anonymous FTP servers that are being used for
   exchanging pirated software. While the compromised accounts should be
   addressed as a separate security issue (see item 2, above), the abuse of
   anonymous FTP areas for software piracy activities can be reduced if the
   anonymous FTP service is correctly configured and administered.

   For related information and guidelines for configuring anonymous FTP,
   see

 ftp://info.cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity
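   An audit of an anonymous FTP area, as an added example (the editor's
   Python, not CERT's code and not a quotation of CA-93:10). The policy it
   checks is the editor's summary of the usual guidance: the ftp root must
   not be writable; no directory may be both world-writable and
   world-readable, since that is exactly what a pirated-software drop needs
   (one party uploads, others fetch); a write-only drop box should carry the
   sticky bit so uploaders cannot delete or rename each other's files; and
   files already sitting in a drop box must not be world-readable. The
   sample tree in demo() is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def audit_ftp_tree(root):
    """Walk an anonymous-FTP area and return {relative path: problem}.

    Mode bits are inspected directly rather than probing access, so the
    result is the same whether the audit runs as root or as the ftp user.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if rel == ".":
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings[rel] = "ftp root is group/world-writable"
            continue
        world_w = bool(mode & stat.S_IWOTH)
        world_r = bool(mode & stat.S_IROTH)
        sticky = bool(mode & stat.S_ISVTX)
        if world_w and world_r:
            findings[rel] = "world-writable AND world-readable: usable as a drop-and-fetch point"
        elif world_w and not sticky:
            findings[rel] = "write-only drop box without sticky bit: uploads can be deleted or renamed by anyone"
        if world_w:
            # Anything that has landed in a drop box must stay unreadable until staff review it.
            for fn in filenames:
                fpath = os.path.join(dirpath, fn)
                fmode = stat.S_IMODE(os.lstat(fpath).st_mode)
                if fmode & stat.S_IROTH:
                    findings[os.path.join(rel, fn)] = "file in a drop box is world-readable"
    return findings


def demo():
    """Construct a sample ~ftp tree in a temp dir (not a real server) and audit it."""
    root = tempfile.mkdtemp()
    layout = [  # (relative path, mode); names containing '.' are files
        ("pub", 0o755),
        ("incoming", 0o1733), ("incoming/upload.zip", 0o644), ("incoming/held.zip", 0o600),
        ("tmp", 0o777), ("tmp/warez.zip", 0o644),
        ("dropbox", 0o733),
    ]
    for rel, _ in layout:
        path = os.path.join(root, rel)
        if "." in os.path.basename(rel):
            open(path, "wb").close()
        else:
            os.mkdir(path)
    for rel, mode in layout:  # chmod after creation so parents stay traversable by us
        os.chmod(os.path.join(root, rel), mode)
    return audit_ftp_tree(root)


if __name__ == "__main__":
    for path, problem in sorted(demo().items()):
        print("%-22s %s" % (path, problem))
```

   Pointed at the real ~ftp, this should be run from cron: the summary's
   point is that these areas drift, and a directory that was fine when the
   server was set up is the one that turns up full of pirated software.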

6. Sendmail attacks

   We still receive new reports each week about intruders attempting to
   exploit vulnerabilities in the sendmail program mailer facility.
   Unfortunately, some of these attacks have been successful against sites
   that are running old versions of sendmail and/or are not restricting the
   sendmail program mailer facility. Sendmail's program mailer facility can
   be restricted by using the sendmail restricted shell program (smrsh).

   Information on known sendmail vulnerabilities and the smrsh tool can be
   obtained from

 ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
 ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supple
 ftp://info.cert.org/pub/cert_advisories/CA-93:16a.README

 ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities
 ftp://info.cert.org/pub/cert_advisories/CA-95:05.README

 ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
 ftp://info.cert.org/pub/cert_advisories/CA-95:08.README

 ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
 ftp://info.cert.org/pub/cert_advisories/CA-95:11.README

 ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul
 ftp://info.cert.org/pub/cert_advisories/CA-95:13.README

   The smrsh program can be obtained from:

 ftp://info.cert.org/pub/tools/smrsh/

   smrsh is also included in the sendmail 8.7.5 distribution.
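   What smrsh does for the program mailer, shown as an added example: a
   Python model written by the editor, not the smrsh source and not
   sendmail's code. It reproduces the two rules that matter: any path the
   sender supplies in "|/some/path/program" is thrown away and only the
   basename is looked up, and only inside the one directory the
   administrator controls (/usr/adm/sm.bin in the 1996 releases; a temporary
   directory stands in for it here); and commands containing shell
   metacharacters are refused outright. The metacharacter set is a modelled
   one, and later smrsh releases permit "&&" and "||" as separators, which
   this model does not; the alias lines in demo() are constructed.

```python
import os
import shlex
import tempfile

# Characters whose presence makes the command refused outright (modelled set).
SHELL_META = set("`<>|;&$()\r\n")


def smrsh_check(command, sm_bin):
    """Decide whether a '|program' mailer command may run.

    Returns (True, argv) with argv[0] rewritten to the copy in sm_bin, or
    (False, reason). Any path supplied by the sender is discarded: only the
    basename is looked up, and only in sm_bin.
    """
    if command.startswith("|"):
        command = command[1:]
    bad = sorted(c for c in set(command) if c in SHELL_META)
    if bad:
        return False, "shell metacharacter(s) %r in command" % "".join(bad)
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, "unparseable command: %s" % exc
    if not argv:
        return False, "empty command"
    prog = os.path.basename(argv[0])
    target = os.path.join(sm_bin, prog)
    if not os.path.isfile(target) or not os.access(target, os.X_OK):
        return False, "%s is not an executable in %s" % (prog, sm_bin)
    return True, [target] + argv[1:]


def demo():
    """Populate a throw-away sm.bin with two permitted programs and run sample aliases."""
    sm_bin = tempfile.mkdtemp()
    for name in ("vacation", "procmail"):
        path = os.path.join(sm_bin, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, 0o755)
    cases = [
        "|/usr/ucb/vacation joe",      # permitted: path stripped, vacation is in sm.bin
        "|procmail -f-",               # permitted
        "|/bin/sh -c uudecode",        # refused: sh is not in sm.bin
        "|vacation joe; rm -rf /",     # refused: ';' metacharacter
        "|uudecode < /tmp/evil",       # refused: '<' metacharacter
        "|../../../bin/sh",            # refused: basename 'sh' is not in sm.bin
    ]
    return {c: smrsh_check(c, sm_bin) for c in cases}


if __name__ == "__main__":
    for command, (ok, detail) in demo().items():
        print("%-28s %s %s" % (command, "RUN  " if ok else "DENY ", detail))
```

   The consequence for administrators is the one the summary hints at: the
   protection is only as good as the contents of sm.bin. Putting sh, perl or
   uudecode there hands the attacker back everything smrsh took away.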

7. NFS and NIS attacks, and automated tools to scan for vulnerabilities

   We receive weekly reports of intruders using automated tools to scan
   sites for hosts that may be vulnerable to NFS and NIS attacks.
   Intruders are continuing to exploit the rpc.ypupdated vulnerability to
   gain root access, and intruders are still exploiting widely known
   vulnerabilities in NFS to gain root access.

   For related information, see

 ftp://info.cert.org/pub/cert_advisories/CA-95:17.rpc.ypupdated.vul
 ftp://info.cert.org/pub/cert_advisories/CA-95:17.README

 ftp://info.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities
 ftp://info.cert.org/pub/cert_advisories/CA-94:15.README

 ftp://info.cert.org/pub/cert_advisories/CA-92:13.SunOS.NIS.vulnerability
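   The NFS side of this, as an added example (the editor's Python, not
   CERT's code): the export list is what the automated scanners mentioned
   above read back via the mount daemon, so auditing it yourself first is
   the cheap move. The checker below parses Linux exports(5) syntax (an
   assumption; SunOS-era /etc/exports uses a different "-access=" form) and
   flags the configurations those scanners look for: exports to the world,
   exports to localhost, root not squashed, requests accepted from
   unprivileged ports, and world-exports that are also writable. The sample
   file is constructed for the example.

```python
import re

# Constructed sample in Linux exports(5) syntax; not taken from any real host.
SAMPLE_EXPORTS = """\
# /etc/exports
/export/home    *(rw,no_root_squash)
/usr/share/man  192.0.2.0/24(ro)
/export/tmp     (rw)
/export/src     localhost(rw) 192.0.2.10(ro,insecure)
/export/pub     *.example.net(ro)
"""

CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) triples; a bare path exports to everyone."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]
        for client in clients:
            m = CLIENT_RE.match(client)
            if m is None:
                yield path, client, {"malformed"}
                continue
            host = m.group(1) or "*"          # "(rw)" with no host means every host
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            yield path, host, opts


def audit_exports(text):
    """Return [(path, client, [reasons])] for entries a vulnerability scanner would pick on."""
    findings = []
    for path, host, opts in parse_exports(text):
        reasons = []
        if "malformed" in opts:
            reasons.append("unparseable client specification")
        world = host == "*"
        if world:
            reasons.append("exported to the world: any host that reaches the portmapper can mount it")
        if host in ("localhost", "127.0.0.1"):
            reasons.append("exported to localhost: a self-export gives local users a second route to the files")
        if "no_root_squash" in opts:
            reasons.append("no_root_squash: root on the client is root on this filesystem")
        if "insecure" in opts:
            reasons.append("insecure: requests accepted from unprivileged ports, so any client user can forge them")
        if world and "ro" not in opts:
            reasons.append("world-writable: rw is the default when ro is absent")
        if reasons:
            findings.append((path, host, reasons))
    return findings


if __name__ == "__main__":
    for path, host, reasons in audit_exports(SAMPLE_EXPORTS):
        print("%s -> %s" % (path, host))
        for r in reasons:
            print("    " + r)
```

   Run against the live file this is a local check only; what the network
   actually offers is what showmount -e reports from another host, and the
   two should be compared, since a stale mountd can serve an old list.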

What's New at the CERT Coordination Center
------------------------------------------

The CERT Coordination Center has a new Web site. It includes
information on Internet security and has a link to the CERT FTP
archive.

 http://www.cert.org

What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary (January 23,
1996). 

* New Additions

ftp://info.cert.org/pub

     incident_reporting_form v.3    (replaced v.2 with v.3)

ftp://info.cert.org/pub/cert_advisories

     CA-96.01.UDP_service_denial
     CA-96.02.bind
     CA-96.03.kerberos_4_key_server
     CA-96.04.corrupt_info_from_servers
     CA-96.05.java_applet_security_mgr
     CA-96.06.cgi_example_code

ftp://info.cert.org/pub/cert_bulletins

     VB-96.01.splitvt
     VB-96.02.sgi
     VB-96.03.sun
     VB-96.04.bsdi

ftp://info.cert.org/pub/FIRST

     conference.info

ftp://info.cert.org/pub/tech_tips

     root_compromise     

ftp://info.cert.org/pub/tools

     /cpm/*                         (replaced older version with v.1.2)
     /sendmail/sendmail.8.7.5       (replaced older version)
     /tcp_wrappers/tcp_wrappers_7.3 (replaced older version)
     /sendmail/smrsh/*              (replaced older version with v.8.4)

ftp://info.cert.org/pub/vendors

     /sgi/SGI_contact_info

* Updated Files 

ftp://info.cert.org/pub

     cert_faq            (version 10.2)

ftp://info.cert.org/pub/cert_advisories

     CA-94:01.README     (added info about cpm v.1.2)
     CA-95:13.README     (added info from sendmail author and Cray; added
                          info from HP and Sun)
     CA-95:14.README     (added info from NEC Corp and Silicon Graphics)
     CA-95:17.README     (added info from IBM)
     CA-96.01.README     (new URL for Argus; added info from Silicon Graphics)
     CA-96.02.README     (added info from IBM, Solbourne, and Silicon 
                          Graphics)
     CA-96.03.README     (added new checksums and patch.readme info; added
                          info from Transarc and TGV Software, Inc.)
     CA-96.04.README     (added info from Silicon Graphics)
     CA-96.05.README     (added pointer to Netscape 2.01)
     rdist-patch-status  (added pointer to version 6.1.2)

ftp://info.cert.org/pub/vendors

     /hp/HP.contact.info

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org 

Phone    +1 412-268-7090 (24-hour hotline) 
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours. 

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

URLs:   http://www.cert.org/
        ftp://info.cert.org/pub/

To be added to our mailing list for CERT advisories and bulletins, send your
email address to 
        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information. 

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

Frank R. Swift
Computer Security
Lawrence Livermore National Laboratory
Voice (510) 422-1463  Fax (510) 423-0913
uncl@llnl.gov

PGP Key fingerprint = 1A 14 02 5A 76 B2 BD 47  C0 3E ED 9A C5 3B 81 2D