Bugtraq mailing list archives

CERT Summary CS-98.06
From: prj () NLS NET (Phillip R. Jaenke)
Date: Thu, 11 Jun 1998 19:16:06 -0400


-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT* Summary CS-98.06
June 11, 1998

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
incident response team. The summary includes pointers to sources of
information for dealing with the problems.

Past CERT Summaries are available from
        http://www.cert.org/summaries/
        ftp://ftp.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Recent Activity
- ---------------
Since the last regularly scheduled CERT Summary issued in March 1998
(CS-98.03), we have seen these trends in incidents reported to us.

1. Multiple Vulnerabilities in BIND

   In two previous special edition CERT Summaries, CS-98.04 and CS-98.05, we
   discussed several attack methods being used to exploit
   vulnerabilities in BIND. CS-98.04 and CS-98.05 are available from

        http://www.cert.org/summaries/CS-98.04.html
        http://www.cert.org/summaries/CS-98.05.html

   We have observed several changes to the methods of attack used to
   exploit the BIND vulnerabilities. Exploitation of these
   vulnerabilities might allow a remote intruder to gain privileged
   (root) access on your domain name server or to disrupt normal
   operation of your domain name server.

   Although the methods of attack are being modified, these attacks
   are still exploiting vulnerabilities described in CERT advisory
   CA-98.05. We encourage you to review this advisory, which describes
   the BIND buffer overflow vulnerability, and to apply the
   appropriate patches if you have not done so already. The advisory
   is available at

        http://www.cert.org/advisories/CA-98.05.bind_problems.html


2. Scans to Port 1/tcpmux and unpassworded SGI accounts

   Over the past month we have received reports of widespread scans to
   TCP port 1. The service assigned to TCP port 1 is tcpmux. For more
   information, see RFC#1078, which is available at

        ftp://ftp.isi.edu/in-notes/rfc1078.txt

   We know that some of the scans originated from sites that had root
   compromises. From a site that was used to launch these scans, we
   were able to obtain files that indicate that the intruder was
   scanning for IRIX machines.

   By default, IRIX systems have tcpmux enabled. Once the intruder
   found a number of machines with a service running on port 1/tcpmux,
   the intruder then used another automated tool to telnet to each of
   these machines and attempt to log in as guest, lp, and demos.

   We have been in communication with SGI about this issue. At this
   time there does not appear to be any vulnerability in the SGI
   implementation of tcpmux or any service provided through tcpmux.
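
   The two-stage pattern described above (a probe of TCP port 1 followed
   by telnet login attempts as guest, lp and demos) is easy to pick out of
   connection and login logs once both stages are correlated by source
   address. The following is an added example, not part of the CERT
   summary and not an SGI or CERT tool; the log lines are constructed in a
   generic syslog/tcpd style and the regular expressions are assumptions
   that will need adjusting to the format your own IRIX SYSLOG actually
   produces.

```python
"""Correlate tcpmux (port 1) probes with default-account telnet logins.

Added example, not part of the CERT summary. The sample log is constructed
in a generic syslog/tcpd style; real IRIX /var/adm/SYSLOG lines differ, so
treat CONNECT_RE and FAILED_RE as assumptions to adapt.
"""
import re
from collections import defaultdict

# Accounts the summary reports intruders trying after the port 1 scan.
PROBED_ACCOUNTS = {"guest", "lp", "demos", "OutOfBox", "EZsetup"}

# Constructed sample lines (not captured from a real system).
SAMPLE_LOG = """\
Jun 11 02:13:01 irix1 tcpmux[201]: connect from 10.1.2.3
Jun 11 02:13:09 irix1 telnetd[202]: connect from 10.1.2.3
Jun 11 02:13:10 irix1 login[203]: FAILED LOGIN guest FROM 10.1.2.3
Jun 11 02:13:12 irix1 login[204]: FAILED LOGIN lp FROM 10.1.2.3
Jun 11 02:13:14 irix1 login[205]: FAILED LOGIN demos FROM 10.1.2.3
Jun 11 02:20:44 irix1 telnetd[210]: connect from 192.0.2.7
Jun 11 02:20:50 irix1 login[211]: FAILED LOGIN alice FROM 192.0.2.7
Jun 11 03:01:00 irix1 tcpmux[220]: connect from 198.51.100.9
"""

# Assumed formats: "<svc>[pid]: connect from <src>" and
# "login[pid]: FAILED LOGIN <user> FROM <src>".
CONNECT_RE = re.compile(r"\s(?P<svc>tcpmux|telnetd)\[\d+\]: connect from (?P<src>\S+)")
FAILED_RE = re.compile(r"login\[\d+\]: FAILED LOGIN (?P<user>\S+) FROM (?P<src>\S+)")


def analyze(log_text):
    """Per-source counts of tcpmux and telnet connects plus the set of
    default accounts that source tried. Sources that only tried non-default
    accounts still appear, with an empty 'default_accounts' set."""
    per_src = defaultdict(lambda: {"tcpmux": 0, "telnet": 0, "default_accounts": set()})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            key = "tcpmux" if m.group("svc") == "tcpmux" else "telnet"
            per_src[m.group("src")][key] += 1
            continue
        m = FAILED_RE.search(line)
        if m and m.group("user") in PROBED_ACCOUNTS:
            per_src[m.group("src")]["default_accounts"].add(m.group("user"))
    return dict(per_src)


def suspicious_sources(log_text):
    """Return (matched, scanned): sources that both probed port 1 and tried a
    default account, and sources that probed port 1 only. Reporting the
    second list separately makes the reconnaissance stage visible before
    any login attempt follows."""
    stats = analyze(log_text)
    matched = sorted(s for s, v in stats.items() if v["tcpmux"] and v["default_accounts"])
    scanned = sorted(s for s, v in stats.items() if v["tcpmux"] and not v["default_accounts"])
    return matched, scanned


if __name__ == "__main__":
    matched, scanned = suspicious_sources(SAMPLE_LOG)
    print("port 1 probe followed by default-account login:", matched)
    print("port 1 probe only:", scanned)
```

   A source that appears in the first list has done exactly what the
   summary describes and should be checked against your own compromise
   indicators; a source in the second list has so far only done the
   reconnaissance step.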

   IRIX Root Compromises

   In addition to the above incidents, we have noticed an increase in
   the number of reports of IRIX root compromises over the past
   month. We have also received numerous independent reports of
   widespread failed login attempts to lp, guest, demos, OutOfBox, and
   EZsetup accounts.

   IRIX machines ship by default with unpassworded accounts. As of
   IRIX 6.3 there is a security tool to easily disable or add
   passwords to these accounts at installation time. Please refer to
   the following advisories for more information about this issue:

        ftp://sgigate.sgi.com/security/19951002-01-I
        http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html

   We strongly encourage you to ensure that the full set of security
   patches for each of your systems is applied. This is a major step
   in defending your systems from attack; its importance cannot be
   overstated.

   We encourage you to check with your vendor regularly for any
   updates or new patches that relate to your systems. We also
   encourage you to ensure that you are up to date with patches and
   workarounds referenced in CERT advisories.

   IRIX patches are available from

        http://www.sgi.com/Support/security/security.html

   If your IRIX machine has unpassworded accounts, then in addition to
   disabling (or adding password protection to) accounts which do not
   have passwords, we encourage you to inspect your system for signs
   of intrusion. For instructions on how to do this, please refer to
   the "Recovering from an Incident" web page, available from

        http://www.cert.org/nav/recovering.html
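
   The two host-side checks this section calls for, whether any account
   still has an empty password field and whether tcpmux is enabled in
   inetd.conf, can be scripted against the files themselves. The following
   is an added example, not CERT's or SGI's code: the /etc/passwd and
   /etc/inetd.conf contents are constructed samples (the hashes are not
   real), the inetd.conf layout assumed is the classic
   "service type proto flags user server args" form, and locking an account
   by putting "*" in its password field is the general Unix practice, so
   verify on your own release that it has the intended effect before
   relying on it.

```python
"""Audit passwd and inetd.conf text for empty passwords and tcpmux.

Added example, not CERT's or SGI's code. SAMPLE_PASSWD and SAMPLE_INETD are
constructed; the hashes are not real. The inetd.conf format assumed is the
classic "service type proto flags user server args" layout.
"""

# Accounts the summary names as shipping without passwords.
DEFAULT_ACCOUNTS = ("lp", "guest", "demos", "OutOfBox", "EZsetup")

SAMPLE_PASSWD = """\
root:x9Qz8sEkLMz1c:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
OutOfBox::995:997:Out of Box Experience:/usr/people/OutOfBox:/bin/csh
EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh
alice:Fh3kLm9qP2xwA:1001:20:Alice:/usr/people/alice:/bin/sh
nobody:*:60001:60001:Nobody:/dev/null:/dev/null
"""

SAMPLE_INETD = """\
# constructed excerpt of /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/etc/ftpd   ftpd -l
telnet  stream  tcp     nowait  root    /usr/etc/telnetd telnetd
tcpmux  stream  tcp     nowait  root    internal
#finger stream  tcp     nowait  guest   /usr/etc/fingerd fingerd
"""


def unpassworded_accounts(passwd_text):
    """Names whose password field is empty, i.e. anyone can log in with no
    password. '*' (locked) and 'x' (password held in a shadow file) are not
    empty and are not reported."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found


def inetd_enabled(inetd_text, service):
    """True if an uncommented inetd.conf line defines `service`."""
    for line in inetd_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.split()[0] == service:
            return True
    return False


def lock_empty_passwords(passwd_text):
    """Return passwd text with '*' placed in every empty password field,
    which disables password login for those accounts (set a real password
    instead if the account is actually needed)."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "" and not line.startswith("#"):
            fields[1] = "*"
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def audit(passwd_text, inetd_text):
    """Summarise both findings. tcpmux being enabled is not itself a
    vulnerability (the summary says SGI's implementation has none); it is
    reported because it is what the scans described above look for."""
    empties = unpassworded_accounts(passwd_text)
    return {
        "unpassworded": empties,
        "default_accounts_open": [a for a in DEFAULT_ACCOUNTS if a in empties],
        "tcpmux_enabled": inetd_enabled(inetd_text, "tcpmux"),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_INETD))
    print(audit(lock_empty_passwords(SAMPLE_PASSWD), SAMPLE_INETD))
```

   Run the audit against the real files (and, as the text above advises,
   do it before and after applying the vendor patches), and treat any
   account in "default_accounts_open" as a reason to follow the intrusion
   checks linked above, not just to set a password.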


3. Root Compromises

   We continue to receive daily reports of sites that have suffered a
   root compromise. Many of these compromises can be traced to systems
   that are unpatched or misconfigured, which the intruders exploit
   using well-known vulnerabilities for which CERT advisories have
   been published.

   We encourage you to check for signs of compromise. The following
   documents can help you review your systems:

   Intruder Detection Checklist

        This document outlines suggested steps for determining if your
        system has been compromised.

        ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

   Steps for Recovering from a UNIX Root Compromise

        This document sets out suggested steps for responding to a
        root compromise.

        http://www.cert.org/tech_tips/root_compromise.html

   UNIX Configuration Guidelines

        This document describes common UNIX system configuration
        problems that have been exploited by intruders and recommends
        practices that can be used to help deter several types of
        break-ins.

        ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

   List of Security Tools

        This document describes tools that can be used to help secure
        a system and deter break-ins.

        ftp://ftp.cert.org/pub/tech_tips/security_tools



What's New and Updated
- ----------------------
Information about new and updated CERT documents, such as advisories,
is available through the CERT web site at

   http://www.cert.org/nav/whatsnew.html

- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email   cert () cert org

Phone   +1 412-268-7090 (24-hour hotline)
               CERT personnel answer 8:30-5:00 p.m. EST
               (GMT-5)/EDT(GMT-4), and are on call for
               emergencies during other hours.

Fax     +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request () cert org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
        comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
        ftp://ftp.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff/legal_stuff.html and
ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access,
send mail to cert () cert org with "copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNYAnx3VP+x0t4w7BAQH1nQQAiYMz9bJ742vAIJ5wFMZgoa+2LtQdr1lo
ulcin+IFsNPNF4JVqosT06NlVnyWRBZrJ35J4GUktHN8HMXafIT818X59+FAStGE
s4d1QLgL5bg8k0Gb7n/r1pyQoKnhOLmWGEqZFrHfJ2mZOF6zDKG8qHnZJVqpVrnO
riWfaUKp7y4=
=wsY8
-----END PGP SIGNATURE-----
