TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 INTERNET RISK UPDATE for 06-06-2002 ISS X-Force Internet Threat Intelligence Center www.iss.net - Click on the AlertCon logo for more information. ******************************************** ALERTCON 2 Projected: AlertCon 2 ******************************************** ALERTCON 2 - We are at AlertCon level to 2 because of a serious vulnerability in the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) concerning version 9, below version 9.2.1. and Sun Solaris vulnerabilities. Vulnerabilities: BIND: ISS X-Force has learned of a serious vulnerability in ISC BIND 9 that may allow remote attackers to disable BIND servers. ISC BIND and its derivatives are the most prevalent DNS (Domain Name Service) servers on the Internet. DNS is used to translate IP addresses to their corresponding host and domain names. Attackers may use this vulnerability to scan for and disable DNS servers. Impact: DNS is a core component of the Internet and is responsible for translating IP addresses into domain names for all Internet-linked computers, including all Web servers. If DNS is attacked locally or en masse, it may result in local or widespread Internet instability. Solaris: Sun has announced an advisory for vulnerabilities on the 'mibiisa' agent and the 'snmpdx' daemon. Both are processes that run on port 161 for SNMP requests. These agents run as daemons with root privileges on the system. A format string vulnerability was discovered in the 'snmpdx' daemon and a buffer over flow was found in 'mibiisa', which may be exploited by a remote hacker to gain root access. VIRUSES/WORMS: I have received several calls and e-mails regarding a new Worm called VBS/VBSWG-AQ. This is a Visual Basic Worm and can be removed like all other Worms. It's time once again to advise people to disable VBS in clients that don't need it. It is a common form of virus executable that takes advantage of the default "on" for .vbs in Microsoft software. Please refer to the following site for disabling .vbs: http://www.f-secure.com/virus-info/u-vbs ******************************************** RECOMMENDATIONS ******************************************** ISS X-Force recommends that all BIND administrators upgrade to BIND version 9.2.1, which has been available since May 2002. BIND version 9.2.1 is available at the following: http://www.isc.org/products/BIND/ http://www.iss.net/security_center/alerts/advise11 9.php Solaris: Sun recommends that you install the patches immediately on systems running the Sun Solstice Enterprise Master Agent, snmpdx(1M), and the Sun SNMP Agent, mibiisa(1M), on SunOS 5.8, 5.7, and 5.6. <http://sunsolve.sun.com/pub-cgi/show.pl?target=pa tches/patch-license&nav=pub-patches> For a list of current vulnerabilities, please see: https://gtoc.iss.net/vulnerabilities.php Information regarding viruses and worms please see: https://gtoc.iss.net/viruses.php ******************************************** FACTOID: President Bush will announce today the creation of a new government agency that will serve as a clearinghouse for intelligence information on terrorism, administration sources said. It is unclear how the new agency -- which would collect and share information about terrorist threats -- would interact with the Office of Homeland Security; created in the wake of the September 11 terrorist attacks. ******************************************** ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous Day, % of total ******************************************** Suspicious Activity 37.91% Protocol Decode 30.23% Unauthorized Access Attempt 19.95% Denial Of Service 05.99% Pre-Attack Probe 05.76% Back Door 00.16% ******************************************** TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight, previous day, % of top ten (ports found at) http://www.neohapsis.com/neolabs/neo-ports/neo-por ts.html ******************************************** 80 (http) 60.52% 1433 (SQL) 23.59% 25 (smtp) 05.29% 23 (telnet) 03.74% 21 (ftp) 02.01% 515 (printer) 01.57% 161 (SNMP) 01.18% 69 (tftp) 00.93% 53 (DNS) 00.61% 22 (ssh) 00.55% ******************************************** BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER ******************************************** Background. We provide this information in the spirit of PDD 63 to help security professionals wage the war against Internet threats more effectively. Information in this update derived primarily from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted. AlertCon 1 reflects the global, malicious, determined, 24 x 7 attacks experienced by all networks. AlertCon 2 means increased vigilance/action recommended due to a specific threat or concern. AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high, action required. AlertCon 4 reflects an Internet emergency for a target or group of targets whose business continuity may depend on some sort of immediate, decisive action. All summaries cover 24 hours the previous workday, GMT. Monday summaries may cover some weekend activity. Copyright 2002 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Risk electronically. It is not to be sold or edited in any way without express consent of ISS. Refer comments or questions to: [EMAIL PROTECTED] or [EMAIL PROTECTED] Disclaimer: This information is subject to change without notice. Use of this information constitutes acceptance for use in an 'as is' condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4. You can download the public key from MIT's PGP key server and PGP.com's key server. Patrick Gray Manager, X-Force Internet Threat Intelligence Center Internet Security Systems 6303 Barfield Road Atlanta, GA 30328 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPP93yJG41ROSQPncEQJ9UQCeIivGDK6qf05KabQHZCPMy2KqWDQAoKyi r9kZR66DZSGzkmmKKz7wpjXV =yY19 -----END PGP SIGNATURE-----
