>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>CERT Summary CS-99-04
>
>   November 23, 1999
>
>   Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
>   summary to draw attention to the types of attacks reported to our
>   incident response team, as well as other noteworthy incident and
>   vulnerability information. The summary includes pointers to sources of
>   information for dealing with the problems.
>
>   Past CERT summaries are available from
>   http://www.cert.org/summaries/
>______________________________________________________________________
>
>Reminder: New CERT/CC PGP Key
>
>   On October 4, 1999, the PGP key for the CERT/CC was replaced with a
>   new PGP key. For more information, see
>
>      http://www.cert.org/contact_cert/encryptmail.html
>______________________________________________________________________
>
>"CERT/CC Current Activity" Web Page
>
>   The CERT/CC Current Activity web page is a regularly updated summary
>   of the most frequent, high-impact types of security incidents and
>   vulnerabilities currently being reported to the CERT/CC. It is
>   available from
>
>      http://www.cert.org/current/current_activity.html
>
>   The information on the Current Activity page will be reviewed and
>   updated as reporting trends change.
>______________________________________________________________________
>
>Year 2000 (Y2K) Information
>
>   The CERT/CC has published information regarding the Y2K problem:
>
>      Y2K Information
>      http://www.cert.org/y2k-info/
>______________________________________________________________________
>
>Recent Activity
>
>   Since the last CERT summary, issued in August 1999 (CS-99-03), we have
>   published advisories on WU-FTPD, BIND, CDE, and AMD. We have also
>   analyzed and published information regarding distributed intruder
>   tools. Among other activity, we continue to see widespread scans for
>   known vulnerabilities.
>
>   1. Distributed Intruder Tools
>
>      Denial of Service
>
>      We have received reports of intruders compromising machines in
>      order to install distributed systems used for launching packet
>      flooding denial-of-service attacks. The systems typically contain
>      a small number of servers and a large number of clients. These
>      reports indicate that machines participating in such distributed
>      systems are likely to have been root compromised. You can find
>      more information in
>
>         CERT Incident Note 99-07
>         http://www.cert.org/incident_notes/IN-99-07.html
>
>      Sniffer
>
>      We have received reports of intruders using distributed network
>      sniffers to capture usernames and passwords. The distributed
>      sniffer consists of a client and a server portion. As of this
>      summary, the sniffer clients have been found exclusively on
>      compromised Linux hosts. For more information please see
>
>         CERT Incident Note 99-06
>         http://www.cert.org/incident_notes/IN-99-06.html
>
>   2. CDE Vulnerabilities
>
>      Multiple vulnerabilities have been identified in some
>      distributions of the Common Desktop Environment (CDE). These
>      vulnerabilities are different from those discussed in CA-98.02 and
>      can lead to intruders gaining root access on vulnerable systems.
>      For more information please see
>
>         CERT Advisory CA-99-11
>         http://www.cert.org/advisories/CA-99-11-CDE.html
>
>   3. BIND Vulnerabilities
>
>      Several vulnerabilities have been found in BIND, the popular
>      domain name server from the Internet Software Consortium (ISC).
>      One of these vulnerabilities may allow remote intruders to gain
>      privileged access to name servers. The others can severely disrupt
>      the operation of the name server. For more information, please see
>
>         CERT Advisory CA-99-14
>         http://www.cert.org/advisories/CA-99-14-bind.html
>
>   4. WU-FTPD Vulnerabilities
>
>      Three vulnerabilities have been identified in WU-FTPD and other
>      ftp daemons based on the WU-FTPD source code. WU-FTPD is a common
>      package used to provide File Transfer Protocol (FTP) services.
>      Remote and local intruders may be able to exploit these
>      vulnerabilities to execute arbitrary code as the user running the
>      ftp daemon (usually root). Incidents involving the first of these
>      three vulnerabilities have been reported to the CERT Coordination
>      Center. For more information please see
>
>         CERT Advisory CA-99-13
>         http://www.cert.org/advisories/CA-99-13-wuftpd.html
>
>   5. AMD Vulnerabilities
>
>      There is a buffer overflow vulnerability in the logging facility
>      of the amd daemon. This daemon automatically mounts file systems
>      in response to attempts to access files that reside on those file
>      systems. Remote intruders can exploit this vulnerability to
>      execute arbitrary code as the user running the amd daemon (usually
>      root). For more information see
>
>         CERT Advisory CA-99-12
>         http://www.cert.org/advisories/CA-99-12-amd.html
>
>      We have received reports regarding exploits of this
>      vulnerability. For more information please see
>
>         CERT Incident Note 99-05
>         http://www.cert.org/incident_notes/IN-99-05.html
>
>   6. RPC Vulnerabilities
>
>      We continue to receive reports of exploitations involving three
>      RPC vulnerabilities: rpc.cmsd, ttdbserverd, and statd/automountd.
>      These exploitations can lead to root compromise on systems that
>      implement vulnerable RPC services. Analysis has shown that similar
>      artifacts have been found on compromised systems. For more
>      information on the vulnerabilities please see
>
>         CERT Incident Note 99-04
>         http://www.cert.org/incident_notes/IN-99-04.html
>
>         CERT Advisory CA-99-08
>         http://www.cert.org/advisories/CA-99-08-cmsd.html
>
>         CERT Advisory CA-99-05
>         http://www.cert.org/advisories/CA-99-05-statd-automountd.html
>
>         CERT Advisory CA-98-11
>         http://www.cert.org/advisories/CA-98.11.tooltalk.html
>
>   7. Virus and Trojan Horse Activity
>
>      We continue to see reports of virus activity. Current versions of
>      anti-virus software can help to protect your systems from these
>      viruses.
>
>      It is important to take great caution with any email or Usenet
>      attachments that contain executable content. If you receive a
>      message containing attachments, scan the message file with
>      anti-virus software before you open or run the file. Doing this
>      does not guarantee that the contents of the file are safe, but it
>      lowers your risk of virus infection by checking for viruses and
>      Trojan horses that your scanning software can detect.
>
>      CERT/CC has published a Virus Resources page that includes
>      information on
>
>         Frequently Asked Questions (FAQs) about Computer Viruses
>
>         Hoax and Chain Letter Databases
>
>         Virus Databases
>
>         Virus Organizations and Publications
>
>         Anti-Virus Vendors
>
>         Virus Related Papers
>
>      Please see
>
>         Virus Resources
>         http://www.cert.org/other_sources/viruses.html
>
>   8. Continued Widespread Scans
>
>      We continue to receive reports of scanning and probing activity.
>      The most frequent reports tend to involve services that have
>      well-known vulnerabilities. Hosts continue to be affected by
>      exploitation of well-known vulnerabilities in these services.
>
>         sunrpc (TCP port 111) and mountd (635)
>         http://www.cert.org/advisories/CA-98.12.mountd.html
>         http://www.cert.org/incident_notes/IN-99-04.html
>
>         IMAP (TCP port 143)
>         http://www.cert.org/advisories/CA-98.09.imapd.html
>
>         POP3 (TCP port 110)
>         http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
>
>         DNS (TCP port 53 [domain])
>         http://www.cert.org/advisories/CA-98.05.bind_problems.html
>         http://www.cert.org/advisories/CA-97.22.bind.html
>______________________________________________________________________
>
>What's New and Updated
>
>   Since the last CERT summary, we have developed new and updated
>
>      * Advisories
>      * CERT statistics
>      * Incident notes
>      * Tech tips/FAQs
>      * Y2K information
>
>   There are descriptions of these documents and links to them on our
>   "What's New" web page at
>
>      http://www.cert.org/nav/whatsnew.html
>______________________________________________________________________
>
>   This document is available from:
>      http://www.cert.org/summaries/CS-99-04.html
>______________________________________________________________________
>
>CERT/CC Contact Information
>
>   Email:          [EMAIL PROTECTED]
>   Phone:          +1 412-268-7090 (24-hour hotline)
>   Fax:            +1 412-268-6989
>   Postal address:
>      CERT Coordination Center
>      Software Engineering Institute
>      Carnegie Mellon University
>      Pittsburgh PA 15213-3890
>      U.S.A.
>
>   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>   Monday through Friday; they are on call for emergencies during other
>   hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
>   We strongly urge you to encrypt sensitive information sent by email.
>   Our public PGP key is available from
>
>      http://www.cert.org/CERT_PGP.key
>
>   If you prefer to use DES, please call the CERT hotline for more
>   information.
>
>Getting security information
>
>   CERT publications and other security information are available from
>   our web site
>
>      http://www.cert.org/
>
>   To be added to our mailing list for advisories and bulletins, send
>   email to [EMAIL PROTECTED] and include SUBSCRIBE
>   your-email-address in the subject of your message.
>
>   Copyright 1999 Carnegie Mellon University.
>   Conditions for use, disclaimers, and sponsorship information can be
>   found in
>
>      http://www.cert.org/legal_stuff.html
>
>   * "CERT" and "CERT Coordination Center" are registered in the U.S.
>     Patent and Trademark Office.
>______________________________________________________________________
>
>   NO WARRANTY
>
>   Any material furnished by Carnegie Mellon University and the Software
>   Engineering Institute is furnished on an "as is" basis. Carnegie
>   Mellon University makes no warranties of any kind, either expressed or
>   implied as to any matter including, but not limited to, warranty of
>   fitness for a particular purpose or merchantability, exclusivity or
>   results obtained from use of the material. Carnegie Mellon University
>   does not make any warranty of any kind with respect to freedom from
>   patent, trademark, or copyright infringement.
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP for Personal Privacy 5.0
>Charset: noconv
>
>iQA+AwUBODsBglr9kb5qlZHQEQIvZACbBrc75HYvuxT/JZDa778JBH3eWcAAlR1S
>AFgkAYyLg3U8XXq5dhCRR0g=
>=Oqqs
>-----END PGP SIGNATURE-----
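Added example, not part of the quoted CERT summary and not a CERT/CC tool: item 8 of the summary names the ports most often probed in the scans being reported (sunrpc/111, mountd/635, IMAP/143, POP3/110, DNS/53). The script below is one way to pick a horizontal scan of exactly those services out of packet-filter logs, by counting distinct destination hosts per source and port rather than raw connection counts, so a legitimate mail client that polls one POP3 server repeatedly is not flagged. The log line format, the addresses in the sample log, and the three-host threshold are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Ports named under "Continued Widespread Scans" in CS-99-04, with the
# service the summary associates with each.
WATCHED_PORTS = {111: "sunrpc", 635: "mountd", 143: "imap", 110: "pop3", 53: "domain"}

# Assumed log format (constructed for this example, not any real product's):
#   "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for a line that does
    not match the assumed format, so a truncated line cannot crash the run."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "action": m["action"],
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_scanners(lines, min_targets=3):
    """Return {src: {service: [dst, ...]}} for every source that touched a
    watched port on at least min_targets distinct destination hosts.

    Counting distinct destinations per (source, port) is what separates a
    horizontal scan from a client that talks to a single server many times;
    the latter never reaches the threshold however many connections it makes."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WATCHED_PORTS:
            continue
        seen[rec["src"]][rec["dport"]].add(rec["dst"])

    scanners = {}
    for src, per_port in seen.items():
        flagged = {
            WATCHED_PORTS[port]: sorted(dsts)
            for port, dsts in per_port.items()
            if len(dsts) >= min_targets
        }
        if flagged:
            scanners[src] = flagged
    return scanners


# Constructed sample log: 192.0.2.10 sweeps sunrpc and mountd across a subnet,
# 192.0.2.20 is a mail client polling one POP3 server, 198.51.100.5 sweeps a
# port the summary does not list, and the last line is truncated.
SAMPLE_LOG = """\
1999-11-20T03:14:07 deny tcp 192.0.2.10:2311 -> 10.0.0.1:111
1999-11-20T03:14:07 deny tcp 192.0.2.10:2312 -> 10.0.0.2:111
1999-11-20T03:14:08 deny tcp 192.0.2.10:2313 -> 10.0.0.3:111
1999-11-20T03:14:08 deny tcp 192.0.2.10:2314 -> 10.0.0.4:111
1999-11-20T03:14:09 deny tcp 192.0.2.10:2315 -> 10.0.0.1:635
1999-11-20T03:14:09 deny tcp 192.0.2.10:2316 -> 10.0.0.2:635
1999-11-20T03:14:10 deny tcp 192.0.2.10:2317 -> 10.0.0.3:635
1999-11-20T03:15:00 permit tcp 192.0.2.20:1025 -> 10.0.0.7:110
1999-11-20T03:20:00 permit tcp 192.0.2.20:1026 -> 10.0.0.7:110
1999-11-20T03:25:00 permit tcp 192.0.2.20:1027 -> 10.0.0.7:110
1999-11-20T03:30:00 deny tcp 198.51.100.5:4000 -> 10.0.0.1:80
1999-11-20T03:30:00 deny tcp 198.51.100.5:4001 -> 10.0.0.2:80
1999-11-20T03:30:01 deny tcp 198.51.100.5:4002 -> 10.0.0.3:80
1999-11-20T03:31:00 deny tcp 192.0.2.
"""


def report(lines=None, min_targets=3):
    """Return the detector's findings as one printable line per (source, service)."""
    source = SAMPLE_LOG.splitlines() if lines is None else lines
    out = []
    for src, services in sorted(find_scanners(source, min_targets).items()):
        for service, dsts in sorted(services.items()):
            out.append(f"{src} probed {service} on {len(dsts)} hosts: {', '.join(dsts)}")
    return out


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run against the embedded sample, only 192.0.2.10 is reported, once for sunrpc (four hosts) and once for mountd (three hosts); the POP3 client and the port-80 sweep are ignored because one never leaves a single server and the other touches no port the summary lists. Raising min_targets trades false positives against missed slow scans, and the threshold should be tuned to the size of the monitored address space.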