North American Network Operators Group


CERT Summary CS-95:03

  • From: CERT Advisory
  • Date: Tue Nov 28 11:08:29 1995

---------------------------------------------------------------------------
CERT Summary CS-95:03
November 28, 1995

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our incident
response staff. The summary includes pointers to sources of information for
dealing with the problems. We also list new or updated files that are
available for anonymous FTP from ftp://info.cert.org.

Past CERT Summaries are available from 
     ftp://info.cert.org/pub/cert_summaries
---------------------------------------------------------------------------

Recent Activity 
--------------- 

Since the September CERT Summary, we have seen these continuing trends in
incidents reported to us. The majority of reported incidents fit into four
categories:

1. Packet Sniffers

We continue to see daily incident reports about intruders who have installed
sniffers on compromised systems. These sniffers, used to collect account names
and passwords, are frequently installed with a kit that includes Trojan horse
binaries. The Trojan horse binaries hide the sniffer activity on the systems
on which they are installed.

For further information and methods for detecting packet sniffers and Trojan
horses, see the following files:

  ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
  ftp://info.cert.org/pub/cert_advisories/CA-94:01.README
  ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksum
  ftp://info.cert.org/pub/cert_advisories/CA-94:05.README
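The checksum-based detection the summary points to (CA-94:05) works by recording digests of trusted binaries once and comparing against them later; a Trojaned ps, netstat or ifconfig will no longer match. The following is an added illustration of that baseline-and-verify procedure, not code from CERT or the referenced advisories. It assumes a directory of binaries to protect, uses SHA-256 rather than the MD5 of the 1995 advisory (MD5 no longer resists deliberate collisions; the algorithm is a parameter), and exercises itself on constructed sample files in a temporary directory.

```python
"""Baseline-and-verify integrity check for a directory of binaries.

Added example (not part of the CERT Summary). Models the checksum-based
Trojan-horse detection the summary references (CA-94:05): hash trusted
files once, store the manifest somewhere the intruder cannot alter it,
and compare later.
"""
import hashlib
import os
import tempfile

# Assumption: SHA-256 as default. The 1995 advisory used MD5, which is no
# longer suitable because collisions can be manufactured on purpose.
def hash_file(path, algorithm="sha256"):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Map relative path -> digest for every regular file under root.

    Symlinks are skipped: hashing the target would hide a swapped link.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = hash_file(full, algorithm)
    return manifest


def verify_manifest(root, baseline, algorithm="sha256"):
    """Compare the tree under root with a stored baseline.

    Returns {'modified': [...], 'missing': [...], 'added': [...]}.
    'modified' is the Trojan-horse signal; 'added' catches dropped tools.
    """
    current = build_manifest(root, algorithm)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: baseline three stand-in 'binaries', then replace one."""
    with tempfile.TemporaryDirectory() as root:
        samples = (("ps", b"ps-v1"), ("netstat", b"netstat-v1"), ("ifconfig", b"ifconfig-v1"))
        for name, body in samples:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_manifest(root)
        # Simulate a replaced binary and an unexpected new file (constructed data).
        with open(os.path.join(root, "ps"), "wb") as f:
            f.write(b"ps-replaced")
        with open(os.path.join(root, "extra"), "wb") as f:
            f.write(b"x")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as where it is kept: if the baseline sits on the same disk as the binaries it protects, a kit that replaces ps can also rewrite the manifest, so store it on read-only or offline media and run the comparison from a known-good copy of the hashing tool.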


2. Exploitation of SGI lp Vulnerability 

The vulnerability described in CERT advisory CA-95:15, "SGI lp Vulnerability,"
continues to be exploited, though we have seen a decline in the number of
reports since the advisory was released on November 8. Intruders gain
unauthorized access to Silicon Graphics, Inc. (SGI) IRIX systems through a
passwordless lp account; they use this initial access to leverage additional
privileges on the compromised system.

As distributed by SGI, the lp account (as well as other accounts) has no
password on a newly installed system. This fact is addressed in the
documentation that SGI distributes with their systems: "IRIX Advanced Site
and Server Administrative Guide" (see the chapter on System Security).
More information on this vulnerability and how it can be addressed can be
obtained from

  ftp://info.cert.org/pub/cert_advisories/CA-95:15.SGI.lp.vul
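Because the problem here is an account shipped with an empty password field, the corresponding site check is an audit of the password database for accounts that can be entered with no password at all. The following is an added example, not code from CERT or SGI: it reads passwd(5)-style records, consults a shadow-style file when the passwd field is the placeholder `x`, and reports accounts whose effective password field is empty. The sample records are constructed for the illustration and are not taken from any real system.

```python
"""Audit passwd/shadow-style records for accounts with no password set.

Added example (not part of the CERT Summary). Flags accounts whose
effective password field is empty, the condition behind the summary's
lp account report. Sample records below are constructed.
"""

def parse_passwd_lines(lines):
    """Yield (name, password_field, shell) for each well-formed passwd record.

    Blank lines, comments and records with fewer than seven fields are skipped
    rather than guessed at, so a truncated file cannot produce false reports.
    """
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        yield fields[0], fields[1], fields[6]


def passwordless_accounts(passwd_lines, shadow_lines=None):
    """Return [(name, shell)] for accounts whose password field is empty.

    A passwd field of 'x' means the real field lives in the shadow file; if a
    shadow file is supplied it is consulted, otherwise 'x' is treated as set.
    Locked markers such as '*' or '!' are not empty and are not reported.
    """
    shadow = {}
    if shadow_lines:
        for raw in shadow_lines:
            parts = raw.strip().split(":")
            if len(parts) >= 2 and parts[0]:
                shadow[parts[0]] = parts[1]
    found = []
    for name, pw, shell in parse_passwd_lines(passwd_lines):
        if pw == "x":
            pw = shadow.get(name, pw)
        if pw == "":
            found.append((name, shell))
    return found


# Constructed sample data: an lp account with an empty field in passwd itself,
# a guest account whose emptiness is only visible in the shadow file, and
# root/nobody set or locked correctly.
SAMPLE_PASSWD = [
    "root:x:0:0:Super-User:/:/bin/sh",
    "lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh",
    "guest:x:998:998:Guest Account:/usr/people/guest:/bin/csh",
    "nobody:*:60001:60001:Nobody:/dev/null:/dev/null",
    "# comment lines and short records are ignored",
    "broken:record",
]
SAMPLE_SHADOW = [
    "root:HASHED_PASSWORD_PLACEHOLDER:9000::::::",
    "guest::9000::::::",
]


if __name__ == "__main__":
    for name, shell in passwordless_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"no password: {name} (shell {shell})")
```

On a real system the remediation is the one the SGI documentation describes: set a password on or lock every account that does not need interactive access, then rerun the audit to confirm the list is empty.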


3. Network Scanning

We continue to receive several reports each week of intruders using the
Internet Security Scanner (ISS) to scan both individual hosts and large IP
address ranges. The ISS tool, which is described in CERT advisory CA-93:14
"Internet Security Scanner", interrogates all computers within a specified
IP address range, determining the security posture of each with respect to
several common system vulnerabilities. Intruders use the information
gathered from such scans to gain unauthorized access to the scanned sites.

As part of a defensive strategy, you may want to consider running ISS against
your own site (in accordance with your organization's policies and procedures)
to identify any possible system weaknesses or vulnerabilities, taking steps to
implement security fixes that may be necessary. ISS is available from

  ftp://info.cert.org/pub/tools/iss/iss13.tar

More information about the ISS tool and steps for protecting your site are 
outlined in the following documents:

  ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner
  ftp://info.cert.org/pub/cert_advisories/CA-93:14.README
  ftp://info.cert.org/pub/tech_tips/security_info
  ftp://info.cert.org/pub/tech_tips/packet_filtering
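A scanner of the kind described interrogates many hosts in a range within a short time, which is also what makes it visible to the scanned site: one source touching an unusual number of distinct hosts or services in a small window. The following is an added detection example, not code from CERT or from the ISS tool. It assumes a simple connection-log format (one line per attempted connection with a timestamp, source, destination and destination port, constructed for the illustration) and flags sources whose count of distinct targets within a sliding window reaches a threshold.

```python
"""Flag scan-like behaviour in connection logs with a sliding window.

Added example (not part of the CERT Summary). The log format below is an
assumption for the illustration; adapt LINE_RE to the real logger's output.
Sample lines are constructed and use documentation address ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log line shape: "<ISO timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_events(lines):
    """Return a time-sorted list of (timestamp, src, dst, dport); unparseable lines are dropped."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        events.append((ts, m.group("src"), m.group("dst"), int(m.group("dport"))))
    events.sort()
    return events


def detect_scanners(lines, window_seconds=60, distinct_threshold=5):
    """Return {src: peak distinct (dst, dport) targets within any window} for sources
    whose peak reaches distinct_threshold.

    Distinct targets are counted, not raw connections, so a busy but legitimate
    client talking to one mail server over and over is not reported, while a
    source sweeping many hosts on one port (or one host on many ports) is.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse_events(lines):
        per_src[src].append((ts, (dst, dport)))

    flagged = {}
    for src, evs in per_src.items():
        window = deque()          # events inside the current time window
        counts = defaultdict(int)  # target -> occurrences inside the window
        peak = 0
        for ts, target in evs:
            window.append((ts, target))
            counts[target] += 1
            # Expire events older than the window relative to the newest event.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _old_ts, old_target = window.popleft()
                counts[old_target] -= 1
                if counts[old_target] == 0:
                    del counts[old_target]
            peak = max(peak, len(counts))
        if peak >= distinct_threshold:
            flagged[src] = peak
    return flagged


# Constructed sample: one source sweeps six hosts on port 23 in six seconds,
# one client repeatedly reaches a single mail server, and one source touches
# five hosts but spread fifteen minutes apart (below threshold for a 60 s window).
SAMPLE_LOG = (
    [f"1995-11-20T10:00:0{i + 1} src=198.51.100.7 dst=192.0.2.1{i} dport=23" for i in range(6)]
    + [f"1995-11-20T10:0{i}:00 src=198.51.100.20 dst=192.0.2.25 dport=25" for i in range(10)]
    + [f"1995-11-20T{10 + (15 * i) // 60:02d}:{(15 * i) % 60:02d}:00 src=198.51.100.30 dst=192.0.2.4{i} dport=21"
       for i in range(5)]
    + ["this line does not match the expected format"]
)


if __name__ == "__main__":
    for src, peak in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {peak} distinct targets within 60 s")
```

The threshold and window are site policy rather than constants: a network where one monitoring host legitimately polls every machine needs an allow-list for that source, and a slow sweep spread over hours needs a longer window (at the cost of more noise) to be seen at all.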


4. Sendmail Attacks

New reports of intruders attacking sites through sendmail vulnerabilities are
continuing to arrive daily, although most reports indicate the attacks have
failed. The types of attacks are varied, but most are aimed at gaining
privileged access to the victim machine.

We encourage sites to combat these threats by taking the appropriate steps,
described in the following documents:

  ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities
  ftp://info.cert.org/pub/cert_advisories/CA-95:05.README
  ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
  ftp://info.cert.org/pub/cert_advisories/CA-95:08.README
  ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
  ftp://info.cert.org/pub/cert_advisories/CA-95:11.README


What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary (September 26,
1995). 

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-95:12.sun.loadmodule.vul
    CA-95:13.syslog.vul
    CA-95:14.Telnetd_Environment_Vulnerability
    CA-95:15.SGI.lp.vul

ftp://info.cert.org/pub/cert_bulletins/

    VB-95:07.abell (lsof)
    VB-95-08.X_Authentication_Vul

ftp://info.cert.org/pub/tools/sendmail

    sendmail/sendmail.8.7.1.tar 
    sendmail/sendmail.8.7.1.tar.Z


* Updated Files 

ftp://info.cert.org/pub/cert_advisories/

    CA-93:16a.README (sendmail - note to use smrsh with all versions)
    CA-95:05.README (sendmail - date of Digital Equipment's patch)
    CA-95:08.README (sendmail - note to use smrsh with all versions)
    CA-95:10.README (ghostscript - patches and explanations)
    CA-95:13.README (syslog - information from vendors)
    CA-95:14.README (telnetd - information from vendors; correction to
                     compilation example)

ftp://info.cert.org/pub/tools/cops
    README (more recent email address for COPS author Dan Farmer)


---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org 

Phone    +1 412-268-7090 (24-hour hotline) 
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours. 

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories 
and bulletins, send your email address to

        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group

         comp.security.announce

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the email be encrypted.  
We can support a shared DES key, PGP, or PEM (contact CERT staff for details).

Location of CERT PGP key

         ftp://info.cert.org/pub/CERT.PGP_key

---------------------------------------------------------------------------
Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission
provided it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.