---------------------------------------------------------------------------
CERT Summary CS-95:03
November 28, 1995
The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our incident
response staff. The summary includes pointers to sources of information for
dealing with the problems. We also list new or updated files that are
available for anonymous FTP from ftp://info.cert.org.
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries
---------------------------------------------------------------------------
Recent Activity
---------------
Since the September CERT Summary, we have seen these continuing trends in
incidents reported to us. The majority of reported incidents fit into four
categories:
1. Packet Sniffers
We continue to see daily incident reports about intruders who have installed
sniffers on compromised systems. These sniffers, used to collect account names
and passwords, are frequently installed with a kit that includes Trojan horse
binaries. The Trojan horse binaries hide the sniffer activity on the systems
on which they are installed.
For further information and methods for detecting packet sniffers and Trojan
horses, see the following files:
ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
ftp://info.cert.org/pub/cert_advisories/CA-94:01.README
ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksum
ftp://info.cert.org/pub/cert_advisories/CA-94:05.README
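A baseline-checksum check of the kind CA-94:05 describes, as an added example (not CERT's code): a list of digests taken from vendor media or at install time is compared against the binaries now on the system, so a Trojaned replacement that hides the sniffer shows up as modified. The baseline line format, file names and contents below are constructed assumptions.

```python
import hashlib

# Baseline format (an assumption, not the CA-94:05 format): one
# "<hexdigest>  <path>" line per file, like md5sum output.
ALGORITHM = "sha256"  # the 1995 advisory distributed MD5 sums; pass "md5" to
# check against such a list, but build new baselines with sha256

def digest(data: bytes, algorithm: str = ALGORITHM) -> str:
    """Hex digest of a binary's contents (read with Path.read_bytes() in use)."""
    return hashlib.new(algorithm, data).hexdigest()

def parse_baseline(text: str) -> dict[str, str]:
    """Parse 'digest  path' lines; blank lines and # comments are ignored."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        checksum, path = line.split(None, 1)
        baseline[path] = checksum.lower()
    return baseline

def compare(baseline: dict[str, str], observed: dict[str, str]) -> dict[str, list[str]]:
    """Classify each baseline path as ok, modified (digest differs) or
    missing (not present on the system being checked)."""
    result = {"ok": [], "modified": [], "missing": []}
    for path, expected in sorted(baseline.items()):
        actual = observed.get(path)
        if actual is None:
            result["missing"].append(path)
        elif actual != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result

# Constructed sample: contents of three binaries as installed ...
CLEAN = {"/usr/bin/ps": b"ps v1", "/usr/bin/netstat": b"netstat v1",
         "/usr/bin/ifconfig": b"ifconfig v1"}
BASELINE_TEXT = "\n".join(f"{digest(d)}  {p}" for p, d in CLEAN.items())
# ... and after an intruder's kit replaced ps with a copy that hides the sniffer.
AFTER_KIT = {**CLEAN, "/usr/bin/ps": b"ps v1 (trojaned)"}

def demo() -> dict[str, list[str]]:
    observed = {p: digest(d) for p, d in AFTER_KIT.items()}
    return compare(parse_baseline(BASELINE_TEXT), observed)

if __name__ == "__main__":
    print(demo())
```

The baseline must come from trusted media, not from the suspect host, since a kit that replaces binaries can just as easily replace a checksum list stored alongside them.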
2. Exploitation of SGI lp Vulnerability
The vulnerability described in CERT advisory CA-95:15, "SGI lp Vulnerability",
continues to be exploited, though we have seen a decline in the number of
reports since the advisory was released on November 8. Intruders gain
unauthorized access to Silicon Graphics, Inc. (SGI) IRIX systems through a
passwordless lp account; they use this initial access to leverage additional
privileges on the compromised system.
As distributed by SGI, the lp account (as well as other accounts) has no
password on a newly installed system. This fact is addressed in the
documentation that SGI distributes with their systems: "IRIX Advanced Site
and Server Administrative Guide" (see the chapter on System Security).
More information on this vulnerability and how it can be addressed can be
obtained from
ftp://info.cert.org/pub/cert_advisories/CA-95:15.SGI.lp.vul
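An audit for the condition described above, added here and not part of the original summary: parse a passwd-format file and list the accounts whose password field is empty, the way the lp account shipped. The sample file is constructed; its account names and paths are assumptions, not IRIX defaults.

```python
# Audit a passwd(4)-style file for accounts that can log in without a
# password. The sample below is constructed and is not an IRIX file.

def parse_passwd(text: str):
    """Yield (user, password_field, uid, shell) for each 7-field line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        user, pw, uid, _gid, _gecos, _home, shell = fields
        yield user, pw, int(uid), shell

def passwordless_accounts(text: str) -> list[str]:
    """Accounts whose password field is empty: anyone can log in as them.
    A field starting with '*' or '!' is locked; 'x' means the hash is kept
    in a shadow file, which must be audited separately."""
    return [user for user, pw, _uid, _shell in parse_passwd(text) if pw == ""]

def shadowed_accounts(text: str) -> list[str]:
    """Accounts whose password field defers to a shadow file."""
    return [user for user, pw, _uid, _shell in parse_passwd(text) if pw == "x"]

# Constructed sample resembling a freshly installed system on which the
# vendor shipped administrative accounts without a password.
SAMPLE = """\
root:XyZabc123hash:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
sys:*:2:2:System:/:
nobody:x:60001:60001:Nobody:/:/bin/false
"""

if __name__ == "__main__":
    for user in passwordless_accounts(SAMPLE):
        print(f"WARNING: '{user}' has no password; set one or lock the account")
```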
3. Network Scanning
We continue to receive several reports each week of intruders using the
Internet Security Scanner (ISS) to scan both individual hosts and large IP
address ranges. The ISS tool, which is described in CERT advisory CA-93:14
"Internet Security Scanner", interrogates all computers within a specified
IP address range, determining the security posture of each with respect to
several common system vulnerabilities. Intruders use the information
gathered from such scans to gain unauthorized access to the scanned sites.
As part of a defensive strategy, you may want to consider running ISS against
your own site (in accordance with your organization's policies and procedures)
to identify any possible system weaknesses or vulnerabilities, taking steps to
implement security fixes that may be necessary. ISS is available from
ftp://info.cert.org/pub/tools/iss/iss13.tar
More information about the ISS tool and steps for protecting your site are
outlined in the following documents:
ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner
ftp://info.cert.org/pub/cert_advisories/CA-93:14.README
ftp://info.cert.org/pub/tech_tips/security_info
ftp://info.cert.org/pub/tech_tips/packet_filtering
4. Sendmail Attacks
New reports of intruders attacking sites through sendmail vulnerabilities are
continuing to arrive daily, although most reports indicate the attacks have
failed. The types of attacks are varied, but most are aimed at gaining
privileged access to the victim machine.
We encourage sites to combat these threats by taking the appropriate steps,
described in the following documents:
ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities
ftp://info.cert.org/pub/cert_advisories/CA-95:05.README
ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-95:08.README
ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
ftp://info.cert.org/pub/cert_advisories/CA-95:11.README
What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary (September 26,
1995).
* New Additions
ftp://info.cert.org/pub/cert_advisories/
CA-95:12.sun.loadmodule.vul
CA-95:13.syslog.vul
CA-95:14.Telnetd_Environment_Vulnerability
CA-95:15.SGI.lp.vul
ftp://info.cert.org/pub/cert_bulletins/
VB-95:07.abell (lsof)
VB-95-08.X_Authentication_Vul
ftp://info.cert.org/pub/tools/sendmail
sendmail/sendmail.8.7.1.tar
sendmail/sendmail.8.7.1.tar.Z
* Updated Files
ftp://info.cert.org/pub/cert_advisories/
CA-93:16a.README (sendmail - note to use smrsh with all versions)
CA-95:05.README (sendmail - date of Digital Equipment's patch)
CA-95:08.README (sendmail - note to use smrsh with all versions)
CA-95:10.README (ghostscript - patches and explanations)
CA-95:13.README (syslog - information from vendors)
CA-95:14.README (telnetd - information from vendors; correction to
compilation example)
ftp://info.cert.org/pub/tools/cops
README (more recent email address for COPS author Dan Farmer)
---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
To be added to our mailing list for CERT advisories
and bulletins, send your email address to
cert-advisory-request@cert.org
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the email be encrypted.
We can support a shared DES key, PGP, or PEM (contact CERT staff for details).
Location of CERT PGP key
ftp://info.cert.org/pub/CERT.PGP_key
---------------------------------------------------------------------------
Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission
provided it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.
CERT is a service mark of Carnegie Mellon University.