Date: Tue, 26 Mar 1996 15:09:26 -0500
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Summary CS-96.02
Reply-To: cert-advisory-request@cert.org
Organization: CERT(sm) Coordination Center - +1 412-268-7090

---------------------------------------------------------------------------
CERT(sm) Summary CS-96.02
March 26, 1996

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our strategic
incident response staff. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated files
that are available for anonymous FTP from

        ftp://info.cert.org/pub/

Past CERT Summaries are available from

        ftp://info.cert.org/pub/cert_summaries/
---------------------------------------------------------------------------

Recent Activity
---------------
In the two months since the last CERT Summary, we have continued to receive
reports about the same types of activities that were described in CERT
advisory CA-95:18, Widespread Attacks on Internet Sites. In addition, we have
seen an increase in the number of reports relating to software piracy, many
of which involve intruders taking advantage of systems with poorly configured
anonymous FTP areas.

If you haven't done so already, the CERT staff urges you to immediately take
the steps described in the advisories and README files listed below. Note
that it is important to check README files, as they can contain updated
information that we receive after an advisory is published.

The majority of the incidents reported to our incident response staff during
the last two months fit into one (or more) of these seven categories:

1. Root compromise on systems that are unpatched or running old OS versions

   We receive daily reports of systems that have been compromised by
   intruders who have gained unauthorized access to root or other privileged
   accounts by exploiting widely known security vulnerabilities on systems
   that did not have appropriate patches installed (and/or systems that were
   running old [unpatched] versions of the operating system). We encourage
   everyone to check with their vendor(s) regularly for updates or new
   patches that relate to their systems, and install security-related
   patches as soon as they are available.

   For a list of additional suggestions on recovering from a UNIX root
   compromise, see

        ftp://info.cert.org/pub/tech_tips/root_compromise

2. Compromised user-level accounts that are leveraged to gain further access

   We receive daily reports of compromised accounts that have been used to
   launch attacks against other sites, and/or have been used to gain
   privileged access on vulnerable systems. We encourage you to check your
   systems regularly (in accordance with your site policies and guidelines)
   for any signs of unauthorized accesses or suspicious activity.

   For a list of suggestions on how to determine whether your system may
   have been compromised, see

        ftp://info.cert.org/pub/tech_tips/security_info

3. Packet sniffers and Trojan horse programs

   We continue to receive almost daily incident reports about intruders who
   have installed packet sniffers on root-compromised systems. These
   sniffers, used to collect account names and passwords, are frequently
   installed as part of a widely available kit that also replaces common
   system files with Trojan horse programs. The Trojan horse binaries (du,
   ls, ifconfig, netstat, login, ps, etc.) hide the intruders' files and
   sniffer activity on the system on which they are installed.
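   The following script is an added illustration of the checksum-baseline
   method that the MD5 advisory below describes; it is not part of this
   summary or a CERT tool. It assumes GNU md5sum and a scratch directory
   standing in for /bin, and shows how a replaced ps and a removed du show
   up against a baseline taken before the kit was installed.

```sh
#!/bin/sh
# Added example, not part of the CERT summary: compare the binaries the
# summary names (du, ls, ifconfig, netstat, login, ps) against a saved
# checksum baseline, the approach described in CA-94:05.MD5.checksums.
# Assumes GNU md5sum. Keep the baseline on read-only or offline media: a
# kit that replaces ls and ps can just as easily rewrite a baseline on disk.

BINARIES="du ls ifconfig netstat login ps"

# make_baseline DIR OUT: write "<md5>  <path>" for each named binary in DIR.
make_baseline() {
    dir=$1; out=$2
    : > "$out"
    for b in $BINARIES; do
        [ -f "$dir/$b" ] && md5sum "$dir/$b" >> "$out"
    done
    return 0
}

# check_baseline BASELINE: re-hash every path listed in BASELINE and print a
# CHANGED or MISSING line for each discrepancy. Returns 0 only if all match.
check_baseline() {
    baseline=$1; status=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        cur=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$baseline"
    return $status
}

# demo: constructed scratch directory standing in for /bin; a baseline is
# taken, then ps is replaced and du removed to mimic a Trojan horse kit.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    for b in $BINARIES; do echo "original $b" > "$tmp/bin/$b"; done
    make_baseline "$tmp/bin" "$tmp/baseline.md5"
    echo "replaced ps" > "$tmp/bin/ps"
    rm "$tmp/bin/du"
    check_baseline "$tmp/baseline.md5"
}

if demo; then echo "baseline intact"; else echo "baseline mismatch"; fi
```

   Run against the real system, take the baseline from a freshly installed
   or vendor-verified set of binaries rather than from a host that may
   already be compromised.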
   For further information and methods for detecting packet sniffers and
   Trojan horse binaries, see the following files:

        ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
        ftp://info.cert.org/pub/cert_advisories/CA-94:01.README
        ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksums
        ftp://info.cert.org/pub/cert_advisories/CA-94:05.README

4. IP spoofing attacks

   We continue to receive several reports each week of IP spoofing attacks.
   Intruders attack by using automated tools that are becoming widespread on
   the Internet. Some sites incorrectly believed that they were blocking
   such spoofed packets, and others planned to block them but hadn't yet
   done so.

   For further information on this type of attack and how to prevent it, see

        ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing
        ftp://info.cert.org/pub/cert_advisories/CA-95:01.README

5. Software piracy

   We receive new reports each week about compromised accounts and/or poorly
   configured anonymous FTP servers that are being used for exchanging
   pirated software. While the compromised accounts should be addressed as a
   separate security issue (see item 2, above), the abuse of anonymous FTP
   areas for software piracy activities can be reduced if the anonymous FTP
   service is correctly configured and administered.

   For related information and guidelines for configuring anonymous FTP, see

        ftp://info.cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity

6. Sendmail attacks

   We still receive new reports each week about intruders attempting to
   exploit vulnerabilities in the sendmail program mailer facility.
   Unfortunately, some of these attacks have been successful against sites
   that are running old versions of sendmail and/or are not restricting the
   sendmail program mailer facility. Sendmail's program mailer facility can
   be restricted by using the sendmail restricted shell program (smrsh).

   Information on known sendmail vulnerabilities and the smrsh tool can be
   obtained from

        ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
        ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supple
        ftp://info.cert.org/pub/cert_advisories/CA-93:16a.README
        ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities
        ftp://info.cert.org/pub/cert_advisories/CA-95:05.README
        ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
        ftp://info.cert.org/pub/cert_advisories/CA-95:08.README
        ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
        ftp://info.cert.org/pub/cert_advisories/CA-95:11.README
        ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul
        ftp://info.cert.org/pub/cert_advisories/CA-95:13.README

   The smrsh program can be obtained from:

        ftp://info.cert.org/pub/tools/smrsh/

   smrsh is also included in the sendmail 8.7.5 distribution.

7. NFS and NIS attacks, and automated tools to scan for vulnerabilities

   We receive weekly reports of intruders using automated tools to scan
   sites for hosts that may be vulnerable to NFS and NIS attacks. Intruders
   are continuing to exploit the rpc.ypupdated vulnerability to gain root
   access, and intruders are still exploiting widely known vulnerabilities
   in NFS to gain root access.

   For related information, see

        ftp://info.cert.org/pub/cert_advisories/CA-95:17.rpc.ypupdated.vul
        ftp://info.cert.org/pub/cert_advisories/CA-95:17.README
        ftp://info.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities
        ftp://info.cert.org/pub/cert_advisories/CA-94:15.README
        ftp://info.cert.org/pub/cert_advisories/CA-92:13.SunOS.NIS.vulnerability

What's New at the CERT Coordination Center
------------------------------------------
The CERT Coordination Center has a new Web site. It includes information on
Internet security and has a link to the CERT FTP archive.
        http://www.cert.org

What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary
(January 23, 1996).

* New Additions

  ftp://info.cert.org/pub
        incident_reporting_form v.3 (replaced v.2 with v.3)

  ftp://info.cert.org/pub/cert_advisories
        CA-96.01.UDP_service_denial
        CA-96.02.bind
        CA-96.03.kerberos_4_key_server
        CA-96.04.corrupt_info_from_servers
        CA-96.05.java_applet_security_mgr
        CA-96.06.cgi_example_code

  ftp://info.cert.org/pub/cert_bulletins
        VB-96.01.splitvt
        VB-96.02.sgi
        VB-96.03.sun
        VB-96.04.bsdi

  ftp://info.cert.org/pub/FIRST
        conference.info

  ftp://info.cert.org/pub/tech_tips
        root_compromise

  ftp://info.cert.org/pub/tools
        /cpm/* (replaced older version with v.1.2)
        /sendmail/sendmail.8.7.5 (replaced older version)
        /tcp_wrappers/tcp_wrappers_7.3 (replaced older version)
        /sendmail/smrsh/* (replaced older version with v.8.4)

  ftp://info.cert.org/pub/vendors
        /sgi/SGI_contact_info

* Updated Files

  ftp://info.cert.org/pub
        cert_faq (version 10.2)

  ftp://info.cert.org/pub/cert_advisories
        CA-94:01.README (added info about cpm v.1.2)
        CA-95:13.README (added info from sendmail author and Cray; added
                         info from HP and Sun)
        CA-95:14.README (added info from NEC Corp and Silicon Graphics)
        CA-95:17.README (added info from IBM)
        CA-96.01.README (new URL for Argus; added info from Silicon Graphics)
        CA-96.02.README (added info from IBM, Solbourne, and Silicon Graphics)
        CA-96.03.README (added new checksums and patch.readme info; added
                         info from Transarc and TGV Software, Inc.)
        CA-96.04.README (added info from Silicon Graphics)
        CA-96.05.README (added pointer to Netscape 2.01)
        rdist-patch-status (added pointer to version 6.1.2)

  ftp://info.cert.org/pub/vendors
        /hp/HP.contact.info

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

URLs:    http://www.cert.org/
         ftp://info.cert.org/pub/

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group

        comp.security.announce

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message. We
can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key

        ftp://info.cert.org/pub/CERT_PGP.key

---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University

This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

--
Frank R. Swift
Computer Security
Lawrence Livermore National Laboratory
Voice (510) 422-1463    Fax (510) 423-0913
uncl@llnl.gov
PGP Key fingerprint = 1A 14 02 5A 76 B2 BD 47 C0 3E ED 9A C5 3B 81 2D