North American Network Operators Group


CERT Summary CS-95:03

  • From: CERT Advisory
  • Date: Tue Nov 28 11:08:29 1995

CERT Summary CS-95:03
November 28, 1995

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our incident
response staff. The summary includes pointers to sources of information for
dealing with the problems. We also list new or updated files that are
available for anonymous FTP from

Past CERT Summaries are available from

Recent Activity 

Since the September CERT Summary, we have seen these continuing trends in
incidents reported to us. The majority of reported incidents fit into four

1. Packet Sniffers

We continue to see daily incident reports about intruders who have installed
sniffers on compromised systems. These sniffers, used to collect account names
and passwords, are frequently installed with a kit that includes Trojan horse
binaries. The Trojan horse binaries hide the sniffer activity on the systems
on which they are installed.

For further information and methods for detecting packet sniffers and Trojan
horses, see the following files:

2. Exploitation of SGI lp Vulnerability 

The vulnerability described in CERT advisory CA-95:15, "SGI lp Vulnerability",
continues to be exploited, though we have seen a decline in the number of
reports since the advisory was released on November 8. Intruders gain
unauthorized access to Silicon Graphics, Inc. (SGI) IRIX systems through a
passwordless lp account; they then use this initial access to obtain additional
privileges on the compromised system.

As distributed by SGI, the lp account (as well as other accounts) has no
password on a newly installed system. This fact is addressed in the
documentation that SGI distributes with their systems: "IRIX Advanced Site
and Server Administrative Guide" (see the chapter on System Security).
More information on this vulnerability and how it can be addressed can be
obtained from
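A defensive check for the condition behind this item, added here as an example and not taken from the CERT summary or from SGI: it lists the entries of a passwd-format file whose password field is empty and fails if any exist, so it can be run from cron on a freshly installed host. The sample entries, the fake hash value, and the field position (field 2, as in an unshadowed /etc/passwd; use /etc/shadow on shadowed systems) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CERT summary: report accounts whose password
# field is empty in a passwd-format file, the condition behind the lp issue.
# Assumption: the hashed password is field 2 of the file given as argument
# (true for an unshadowed /etc/passwd; on shadowed systems run the same
# check against /etc/shadow).

# Constructed sample resembling a freshly installed system: "lp" and "guest"
# have empty password fields; root has a (fake) hash and nobody is locked.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:Xk3dj8sL2mD1c:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
EOF

# Print the login name of every entry whose password field is empty.
# Locked entries ("*") are not reported: they cannot be used to log in.
find_passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 1 (and list the offenders on stderr) if any such account exists,
# so the check can run from cron and alert an administrator on failure.
check_passwd_file() {
    hits=$(find_passwordless_accounts "$1")
    [ -z "$hits" ] && return 0
    echo "WARNING: accounts with no password in $1:" >&2
    echo "$hits" | sed 's/^/  /' >&2
    return 1
}

# Stand-alone run against the constructed sample (expected: lp and guest).
check_passwd_file "$SAMPLE_PASSWD" || echo "set or lock these accounts before connecting the host"
```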

3. Network Scanning

We continue to receive several reports each week of intruders using the
Internet Security Scanner (ISS) to scan both individual hosts and large IP
address ranges. The ISS tool, which is described in CERT advisory CA-93:14
"Internet Security Scanner", interrogates all computers within a specified
IP address range, determining the security posture of each with respect to
several common system vulnerabilities. Intruders use the information
gathered from such scans to gain unauthorized access to the scanned sites.

As part of a defensive strategy, you may want to consider running ISS against
your own site (in accordance with your organization's policies and procedures)
to identify any possible system weaknesses or vulnerabilities, taking steps to
implement security fixes that may be necessary. ISS is available from

More information about the ISS tool and steps for protecting your site are 
outlined in the following documents:

4. Sendmail Attacks

New reports of intruders attacking sites through sendmail vulnerabilities are
continuing to arrive daily, although most reports indicate the attacks have
failed. The types of attacks are varied, but most are aimed at gaining
privileged access to the victim machine.

We encourage sites to combat these threats by taking the appropriate steps,
described in the following documents:

What's New in the CERT FTP Archive
We have made the following changes since the last CERT Summary (September 26,

* New Additions

    VB-95:07.abell (lsof)

* Updated Files

    CA-93:16a.README (sendmail - note to use smrsh with all versions)
    CA-95:05.README (sendmail - date of Digital Equipment's patch)
    CA-95:08.README (sendmail - note to use smrsh with all versions)
    CA-95:10.README (ghostscript - patches and explanations)
    CA-95:13.README (syslog - information from vendors)
    CA-95:14.README (telnetd - information from vendors; correction to
                     compilation example)
    README (more recent email address for COPS author Dan Farmer)

How to Contact the CERT Coordination Center

Phone    +1 412-268-7090 (24-hour hotline) 
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours. 

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories 
and bulletins, send your email address to

CERT advisories and bulletins are posted on the USENET news group

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the email be encrypted.  
We can support a shared DES key, PGP, or PEM (contact CERT staff for details).

Location of CERT PGP key

Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission
provided it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.