TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
INTERNET RISK UPDATE for 07-02-2002 ISS X-Force Internet Threat Intelligence Center www.iss.net - Click on the AlertCon logo for more information. Internet Security Systems' X-Force Releases Q2 2002 Internet Risk Impact Summary Report: Internet Risk Continues to Rise as Hybrid Threats Remain the Most Significant Online Threat. Download the PDF version at our web site. ******************************************** ALERTCON 2 Projected: AlertCon 2 ******************************************** ALERTCON 2 - We are at AlertCon 2. A worm is currently propagating in the wild with Apache exploit code. Because of the seriousness of this risk, we are watching the situation closely and will raise the risk factor if we observe focused attacks. VULNERABILITIES: OpenSSH Remote Challenge Vulnerability Synopsis: ISS X-Force has discovered a serious vulnerability in the default installation of OpenSSH on the OpenBSD operating system. OpenSSH is a free version of the SSH (Secure Shell) communications suite and is used as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and Ftp. OpenSSH employs end-to-end encryption (including all passwords) and is resistant to network monitoring, eavesdropping, and connection hijacking attacks. X-Force is aware of active exploit development for this vulnerability. Apache: X-Force has verified that this issue is exploitable on Apache HTTP Server for Windows (Win32) version 1.3.24 as well as Apache HTTP Server version 1.3.24 for OpenBSD. It has been reported that exploit code has been developed for the following operating systems and platforms: Sun Solaris 6-8 (sparc/x86); FreeBSD 4.3-4.5 (x86); OpenBSD 2.6-3.1 (x86); and Linux (GNU) 2.4 (x86). These vulnerabilities may lead to modified Web content, denial of service, or further compromise. Apache accounts for over 63% of all active Web sites. Microsoft has released an update of its MS02-028 Security Bulletin and upgraded the risk to critical. VIRUSES/WORMS: BSD/Scalper.worm - This worm spreads over Apache web servers on FreeBSD by using the Chunked Encoding exploit. It first sends an ordinary request to the server. If it gets back a reply saying that the server is a vulnerable one "FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)" or "FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)", it will send the exploit. The worm appears to give an attacker remote control abilities, including DDoS capability. ******************************************** RECOMMENDATIONS ******************************************** OpenSSH: ISS X-Force recommends that system administrators disable unused OpenSSH authentication mechanisms. For further information on this solution and affected products, please review the advisory. http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 Apache: The X-Force has released an advisory with patching instructions for the default setting of the Apache HTTP Server. This advisory requires immediate action on behalf of all system users with Apache HTTP Server. See Apache for additional details. http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20524 http://httpd.apache.org/info/security_bulletin_20020617.txt Microsoft Security Bulletin: http://www.microsoft.com/technet/security/bulletin/MS02-028.asp For a list of current vulnerabilities, please see: https://gtoc.iss.net/vulnerabilities.php For information on the current Virus/Worm of the day, please refer to: http://vil.nai.com/vil/content/v_99539.htm Information regarding other viruses and worms please see: https://gtoc.iss.net/viruses.php ******************************************** FACTOID: Well over six million Web sites running Apache have already upgraded to Apache 1.3.26. According to Netcraft, about 14 million potentially vulnerable sites using Apache remain. ******************************************** ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous Day, % of total ******************************************** Pre-Attack Probe 34.87% Protocol Violation 31.78% Unauthorized Access Attempt 14.57% Denial Of Service 09.38% Suspicious Activity 09.29% Back Door 00.11% ******************************************** TOP ATTACK DESTINATION PORTS - global IDS, midnight - midnight, previous day, % of top ports (ports found at) http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html ******************************************** 80 (http) 41.70% 21 (ftp) 37.54% 25 (smtp) 05.79% 23 (telnet) 05.71% 161 (SNMP) 02.94% 69 (tftp) 02.34% 123 (NetController) 01.43% 22 (ssh) 01.22% 1433 (SQL) 00.69% 139 (netbios) 00.64% ******************************************** BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER ******************************************** Background. We provide this information in the spirit of PDD 63 to help security professionals wage the war against Internet threats more effectively. Information in this update derived primarily from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted. AlertCon 1 - Internet risk baseline reflecting the malicious, determined, global, 24/7 attacks experienced by all networks connected to the Internet. In simple terms, AlertCon 1 indicates that a newly configured computer will be compromised within 24 hours of first being connected to the Internet. AlertCon 2 means increased vigilance is necessary. The potential exists for increased risk because of new vulnerabilities or credible threats to the confidentiality, integrity, and/or availability of computer networks. Some degree of vulnerability assessment and potential corrective action is recommended. AlertCon 3 reflects focused attacks. Internet attacks have been noted against specific vulnerabilities or inherent information system weaknesses. Immediate defensive action is required. AlertCon 4 means an actual or potentially catastrophic security situation has arisen within a network or group of networks whose survival depends on immediate and focused defensive action. This condition may be imminent or ongoing. All summaries cover 24 hours the previous workday, GMT. Monday summaries may cover some weekend activity. Copyright 2002 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Risk electronically. It is not to be sold or edited in any way without express consent of ISS. Refer comments or questions to: mailto:[EMAIL PROTECTED] or mailto:[EMAIL PROTECTED] Disclaimer: This information is subject to change without notice. Use of this information constitutes acceptance for use in an 'as is' condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4. Patrick Gray Manager, X-Force Internet Threat Intelligence Center Internet | Security | Systems The Power To Protect www.iss.net
