FedCIRC Advisory FA-99-04
February 23, 1999

The CERT Coordination Center periodically issues the CERT summary to draw attention to the types of attacks currently being reported to our incident response team, as well as to other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from

   [1]http://www.cert.org/summaries/
______________________________________________________________________

Recent Activity

Since the last CERT summary, issued in December 1998 ([2]CS-98.08), we have seen these trends in incidents reported to us.

1. Widespread Scans

   We continue to receive numerous daily reports of intruders using tools to scan networks for multiple vulnerabilities. Intruder scanning tools continue to become more sophisticated. On January 28, 1999, we published an incident note describing a new scanning tool that searches for multiple known vulnerabilities on remote systems. The tool incorporates probes for known vulnerabilities, remote operating system identification, and a scripting language that simplifies automation of probes and exploitation attempts. For more information, see our incident note at

      [3]http://www.cert.org/incident_notes/IN-99-01.html

   Reports also indicate that scanning techniques addressed in previous CERT incident notes, such as scripted tools and stealth scanning, are still being employed by intruders. For more information, see

      + [4]http://www.cert.org/incident_notes/IN-98-06.html
      + [5]http://www.cert.org/incident_notes/IN-98-05.html
      + [6]http://www.cert.org/incident_notes/IN-98.04.html
      + [7]http://www.cert.org/incident_notes/IN-98.02.html

   The daily reports of widespread scans and exploitation attempts involve many vulnerabilities; however, the most frequent reports involve activity against well-known vulnerabilities in the "mountd", "imap", and "pop3" services, for which CERT advisories have been published.
   These services are installed and enabled by default in some operating systems. The scans and exploitation attempts still result in sites being compromised. See the following advisories for more information:

      + sunrpc (tcp port 111) and mountd (635)
        [8]http://www.cert.org/advisories/CA-98.12.mountd.html
      + imap (tcp port 143)
        [9]http://www.cert.org/advisories/CA-98.09.imapd.html
      + pop3 (tcp port 110)
        [10]http://www.cert.org/advisories/CA-98.08.qpopper_vul.html

   We encourage you to make sure that all systems at your site are up to date with patches and that your machines are properly secured.

2. Back Orifice and NetBus

   We continue to receive daily reports of incidents involving Windows-based "remote administration" programs such as Back Orifice and NetBus. Occasionally these are reports of compromised machines that have one of these tools installed. However, the majority of these reports involve sites that have detected intruders scanning for the presence of these tools. These scans may appear as unauthorized traffic as follows:

      + NetBus - connection requests (SYN packets) to TCP ports 12345, 12346, or 20034
      + Back Orifice - UDP packets to port 31337

   Keep in mind that these tools can be configured to listen on different ports. Because of this, we encourage you to investigate any unexplained network traffic.

   For more information about Back Orifice, review CERT vulnerability note VN-98.07:

      [11]http://www.cert.org/vul_notes/VN-98.07.backorifice.html

3. Trojan Horse Programs

   Over the past few months, we have seen an increase in the number of incident reports related to Trojan horse programs affecting both Windows and UNIX platforms.

      + CERT advisory CA-99-02 includes descriptions of several recent incidents involving Trojan horse programs, including a false upgrade to Internet Explorer, a Trojan horse version of TCP Wrappers, and a Trojan horse version of util-linux.
        The advisory also provides advice for system and network administrators, end users, software developers, and distributors. The advisory is available from

        [12]http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

      + CERT advisory CA-99-01 discusses the Trojan horse version of TCP Wrappers in greater detail and provides information on how to verify the integrity of your TCP Wrappers distribution.

        [13]http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html

4. FTP Buffer Overflows

   Very recently, we have received a few reports of intruders scanning for and exploiting a remote buffer overflow vulnerability in various FTP servers. By supplying carefully designed commands to the FTP server, intruders can force the server to execute arbitrary commands with root privilege. Intruders can exploit the vulnerability remotely to gain administrative access. We encourage you to review the text provided by Netect, Inc. in CERT advisory CA-99-03, which describes the ftpd vulnerability in more detail.
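   The scan patterns described in items 1, 2 and 4 above (SYN probes to the sunrpc, mountd, imap, pop3 and FTP ports, SYN probes to the NetBus ports, UDP to the Back Orifice port) are easy to pull out of a packet log once you group them by source. The following script is an added example and is not part of the original advisory or of any CERT tool. It reads a constructed, simplified one-packet-per-line log (the format is an assumption, not any product's real log format), keeps only TCP connection requests (SYN without ACK) and UDP datagrams to the default ports the summary names, and reports a source that touches several distinct host/port targets as a scanner. The default ports are indicators only; as the summary notes, NetBus and Back Orifice can be reconfigured to other ports, so a clean report here does not mean no such traffic exists.

```python
"""Flag scan traffic for the services named in this FedCIRC summary.

Added example, not part of the original advisory. The log format below
is a constructed, simplified one (epoch, proto, src:port -> dst:port,
optional TCP flag letters), not the output of any real firewall or
sniffer. The port table is built from the defaults the summary lists.
"""
import re
from collections import defaultdict

# Default ports named in the summary. Indicators only: the summary notes
# that NetBus and Back Orifice can be configured to listen elsewhere.
WATCHED = {
    ("tcp", 111):   "sunrpc portmapper (CA-98.12)",
    ("tcp", 635):   "mountd (CA-98.12)",
    ("tcp", 143):   "imap (CA-98.09)",
    ("tcp", 110):   "pop3 (CA-98.08)",
    ("tcp", 21):    "ftp (CA-99-03)",
    ("tcp", 12345): "NetBus default",
    ("tcp", 12346): "NetBus default",
    ("tcp", 20034): "NetBus default",
    ("udp", 31337): "Back Orifice default",
}

# Constructed line format (assumption):
#   <epoch> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> [flags]
# where flags is a string of letters such as S (SYN), A (ACK), SA (SYN-ACK).
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<flags>\S+))?$"
)

# Constructed sample log: one host sweeping NetBus/Back Orifice ports,
# one host probing the UNIX services on a single target, a legitimate
# pop3 session (SYN-ACK from the server, ACK from the client), and one
# lone imap SYN that should be listed but not escalated.
SAMPLE_LOG = """\
919728001 tcp 192.0.2.10:4021 -> 198.51.100.5:12345 S
919728001 tcp 192.0.2.10:4022 -> 198.51.100.6:12345 S
919728002 tcp 192.0.2.10:4023 -> 198.51.100.7:12346 S
919728002 tcp 192.0.2.10:4024 -> 198.51.100.8:20034 S
919728003 udp 192.0.2.10:1234 -> 198.51.100.9:31337
919728010 tcp 192.0.2.44:1025 -> 198.51.100.5:111 S
919728010 tcp 192.0.2.44:1026 -> 198.51.100.5:635 S
919728011 tcp 192.0.2.44:1027 -> 198.51.100.5:143 S
919728011 tcp 192.0.2.44:1028 -> 198.51.100.5:110 S
919728012 tcp 192.0.2.44:1029 -> 198.51.100.5:21 S
919728020 tcp 198.51.100.5:110 -> 203.0.113.7:3344 SA
919728021 tcp 203.0.113.7:3344 -> 198.51.100.5:110 A
919728030 tcp 203.0.113.9:2000 -> 198.51.100.5:143 S
garbage line that does not parse
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do
    not match the format (they are skipped rather than crashing the run)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "proto": d["proto"], "src": d["src"],
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"] or ""}


def classify(pkt):
    """Return the indicator label for a packet, or None.

    TCP counts only as a connection request (SYN set, ACK clear), which is
    how the summary describes the NetBus probes; replies and established
    traffic to the same port are ignored. UDP has no handshake, so any
    datagram to the watched port counts."""
    key = (pkt["proto"], pkt["dport"])
    if key not in WATCHED:
        return None
    if pkt["proto"] == "tcp" and ("S" not in pkt["flags"] or "A" in pkt["flags"]):
        return None
    return WATCHED[key]


def find_scanners(lines, min_targets=3):
    """Group indicator hits by source address.

    A source that probes at least `min_targets` distinct (host, port)
    pairs is marked as a scanner; a single hit is still listed so it can
    be investigated, but is not escalated on its own."""
    hits = defaultdict(list)  # src -> [(dst, dport, label), ...]
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        label = classify(pkt)
        if label:
            hits[pkt["src"]].append((pkt["dst"], pkt["dport"], label))
    report = {}
    for src, events in hits.items():
        targets = {(dst, port) for dst, port, _ in events}
        report[src] = {"hits": len(events), "targets": len(targets),
                       "labels": sorted({lab for _, _, lab in events}),
                       "scanner": len(targets) >= min_targets}
    return report


if __name__ == "__main__":
    for src, info in sorted(find_scanners(SAMPLE_LOG.splitlines()).items()):
        tag = "SCANNER" if info["scanner"] else "single hit"
        print(f"{src:15} {tag:10} hits={info['hits']} targets={info['targets']} "
              f"{', '.join(info['labels'])}")
```

   Matching only on SYN-without-ACK keeps the server's own replies and established sessions on port 110 or 143 out of the report; the threshold on distinct targets separates a sweep from a single stray connection. Anything the script does not match, including traffic to non-default ports, still deserves a look if it is otherwise unexplained.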
   CERT advisory CA-99-03 is available from

      [14]http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
__________________________________________________________________

What's New and Updated

Since the last CERT summary, we have developed new and updated

   + Advisories
   + Incident notes
   + Security improvement modules
   + Technical reports
   + The CERT/CC 1998 Annual Report
   + Computer Security Incident Response Team (CSIRT) Handbook
   + Incident response courses

There are descriptions of these documents and links to them on our What's New web page at

   [15]http://www.cert.org/nav/whatsnew.html
__________________________________________________________________

This document is available from:

   [16]http://www2.fedcirc.gov/advisories/FA-99-04.html
__________________________________________________________________

FedCIRC Contact Information

   Email:   [17]fedcirc@fedcirc.gov
   Phone:   +1 888-282-0870 (24-hour toll-free hotline)
   Phone:   +1 412-268-6321 (24-hour hotline)
   Fax:     +1 412-268-6989

   Postal address:
      FedCIRC
      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
      Pittsburgh PA 15213-3890
      U.S.A.

FedCIRC personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

      [18]http://www2.fedcirc.gov/keys.html

   If you prefer to use DES, please call the FedCIRC hotline for more information.

Getting security information

   FedCIRC publications and other security information are available from our web site

      [19]http://www.fedcirc.gov/

FedCIRC (Federal Computer Incident Response Capability) is operated by the CERT/CC for the U.S. General Services Administration. FedCIRC provides security services to U.S. Federal civilian agencies.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in

   [20]http://www.cert.org/legal_stuff.html

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
__________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

References

   1. http://www2.fedcirc.gov/summaries/
   2. http://www2.fedcirc.gov/summaries/CS-98.08.html
   3. http://www.cert.org/incident_notes/IN-99-01.html
   4. http://www.cert.org/incident_notes/IN-98-06.html
   5. http://www.cert.org/incident_notes/IN-98-05.html
   6. http://www.cert.org/incident_notes/IN-98.04.html
   7. http://www.cert.org/incident_notes/IN-98.02.html
   8. http://www.cert.org/advisories/CA-98.12.mountd.html
   9. http://www.cert.org/advisories/CA-98.09.imapd.html
  10. http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
  11. http://www.cert.org/vul_notes/VN-98.07.backorifice.html
  12. http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
  13. http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
  14. http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
  15. http://www.cert.org/nav/whatsnew.html
  16. http://www2.fedcirc.gov/advisories/FA-99-04.html
  17. mailto:fedcirc@fedcirc.gov
  18. http://www2.fedcirc.gov/keys.html
  19. http://www.fedcirc.gov/
  20. http://www.cert.org/legal_stuff.html