TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 INTERNET THREAT UPDATE for 01-07-2002 ISS X-Force Special Operations Group www.iss.net - Click on 'Current Internet Threat' for more information. ****************************************************** ALERTCON 1 Projected: AlertCon 1 ****************************************************** - - We are at AlertCon 1. AOL advised that it has implemented a server-side fix for the vulnerability in its AOL Instant Messenger (AIM) meaning that customers will not have to download the patch. As earlier reported, the security bug affected AOL Instant Messenger (AIM) version 4.7 and the 4.8 beta, or test version. Only AIM users running Microsoft's Windows operating system are vulnerable. - - In the Linux world, FreeBSD has issued an advisory regarding mod_auth_pgsql, an Apache module that allows the Apache web server to use a PostgreSQL database for user and/or group authentication. The impact of this is that a remote user may insert arbitrary SQL code into the username during authentication, leading to several exploit opportunities. - - Still in the Linux world, a dangerous version of a remote control virus may be in the wild. The virus appears to be a smarter variant of the Remote Shell Trojan (RST), discovered last September, that infects programs written for Linux. This variant is designed to infect binary files in the Linux Executable and Linking Format (ELF) and create a back door on an infected system that gives a remote hacker full control. - - We continue to see many nuisance mass mailer worms in the wild, such as the iterations of Maldal, GOP-A, Hybris-C and a new Trojan named DLDER.A. With folks coming back to work after the holidays, expect numerous e-mail problems associated with these socially engineered worms. Sysadmins are strongly encouraged to ensure that their anti-virus solution of choice is updated with current signatures. - ------------------------------------------------------ RECOMMENDATIONS - ------------------------------------------------------ - - X-Force Advisory regarding the AIM vulnerability: http://xforce.iss.net/alerts/advise107.php - - For information regarding the FreeBSD vulnerability: http://www.linuxsecurity.com/advisories/freebsd_advisory-1783.html - - For information regarding the ELF variant, see: http://www.newsbytes.com/news/02/173408.html - - For an excellent home/small office firewall solution, please see: http://www.networkice.com/ - - For information regarding the current worms and viruses moving across the Internet see: http://www.antivirus.com/vinfo/ - ------------------------------------------------------ ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous Day, % of total - ------------------------------------------------------ Protocol Decode 32.36% Unauthorized Access Attempt 31.36% Pre-Attack Probe 14.20% Denial Of Service 12.18% Suspicious Activity 09.11% Back Door 00.80% - ------------------------------------------------------ TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight, previous day, % of top ten (ports found at) http://www.networkice.com/Advice/Exploits/Ports/default.htm - ------------------------------------------------------ 80 (http) 67.38% 22 (ssh) 21.70% 21 (ftp) 03.90% 515 (lp,lpr,printer) 01.96% 6346 (unassigned) 01.14% 69 (tftp) 01.12% 25 (smtp) 00.83% 31337 (unassigned) 00.79% 443 (ssl) 00.55% - ------------------------------------------------------ BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER - ------------------------------------------------------ Background. We provide this information in the spirit of PDD 63 to help security professionals wage the war against Internet threats more effectively. Information in this update derived primarily from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted. AlertCon 1 reflects the global, malicious, determined, 24 x 7 attacks experienced by all networks. AlertCon 2 means increased vigilance/action recommended due to a specific threat or concern. AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high, action required. AlertCon 4 reflects an Internet emergency for a target or group of targets whose business continuity may depend on some sort of immediate, decisive action. All summaries cover 24 hours the previous workday, GMT. Monday summaries may cover some weekend activity. Copyright 2001 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Threat Update electronically. It is not to be sold or edited in any way without express consent of ISS. Refer comments or questions to: [EMAIL PROTECTED] or [EMAIL PROTECTED] Disclaimer: This information is subject to change without notice. Use of this information constitutes acceptance for use in an 'as is' condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4. Patrick Gray Manager, X-Force Internet Threat Intelligence Center Internet Security Systems 6303 Barfield Road Atlanta, GA 30328 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPDn3+pG41ROSQPncEQJRRwCfWCCaEOqaVtguemkaDDz32iHnvW4Anj4M IQ9RCOnzSyo1oYdcLddTbizX =nTBN -----END PGP SIGNATURE-----
