Date: Thu, 11 Jun 1998 16:02:33 -0400
From: CERT Advisory <[email protected]>
To: [email protected]
Subject: CERT Summary CS-98.06
---------------------------------------------------------------------------
CERT* Summary CS-98.06
June 11, 1998
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
incident response team. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT Summaries are available from
http://www.cert.org/summaries/
ftp://ftp.cert.org/pub/cert_summaries/
---------------------------------------------------------------------------
Recent Activity
---------------
Since the last regularly scheduled CERT Summary issued in March 1998
(CS-98.03), we have seen these trends in incidents reported to us.
1. Multiple Vulnerabilities in BIND
In two previous special edition CERT Summaries, CS-98.04 and CS-98.05, we
discussed several attack methods being used to exploit
vulnerabilities in BIND. CS-98.04 and CS-98.05 are available from
http://www.cert.org/summaries/CS-98.04.html
http://www.cert.org/summaries/CS-98.05.html
We have observed several changes to the methods of attack used to
exploit the BIND vulnerabilities. Exploitation of these
vulnerabilities might allow a remote intruder to gain privileged
(root) access on your domain name server or to disrupt normal
operation of your domain name server.
Although the methods of attack are being modified, these attacks
are still exploiting vulnerabilities described in CERT advisory
CA-98.05. We encourage you to review this advisory, which describes
the BIND buffer overflow vulnerability, and to apply the
appropriate patches if you have not done so already. The advisory
is available at
http://www.cert.org/advisories/CA-98.05.bind_problems.html
2. Scans to Port 1/tcpmux and unpassworded SGI accounts
Over the past month we have received reports of widespread scans to
TCP port 1. The service assigned to TCP port 1 is tcpmux. For more
information, see RFC#1078, which is available at
ftp://ftp.isi.edu/in-notes/rfc1078.txt
We know that some of the scans originated from sites that had root
compromises. From a site that was used to launch these scans, we
were able to obtain files that indicate that the intruder was
scanning for IRIX machines.
By default, IRIX systems have tcpmux enabled. Once the intruder
found a number of machines with a service running on port 1/tcpmux,
the intruder then used another automated tool to telnet to each of
these machines and attempt to log in as guest, lp, and demos.
We have been in communication with SGI about this issue. At this
time there does not appear to be any vulnerability in the SGI
implementation of tcpmux or any service provided through tcpmux.
IRIX Root Compromises
In addition to the above incidents, we have noticed an increase in
the number of reports of IRIX root compromises over the past
month. We have also received numerous independent reports of
widespread failed login attempts to lp, guest, demos, OutOfBox, and
EZsetup accounts.
IRIX machines ship by default with unpassworded accounts. As of
IRIX 6.3 there is a security tool to easily disable or add
passwords to these accounts at installation time. Please refer to
the following advisories for more information about this issue:
ftp://sgigate.sgi.com/security/19951002-01-I
http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html
We strongly encourage you to ensure that the full set of security
patches for each of your systems is applied. This is a major step
in defending your systems from attack; its importance cannot be
overstated.
We encourage you to check with your vendor regularly for any
updates or new patches that relate to your systems. We also
encourage you to ensure that you are up to date with patches and
workarounds referenced in CERT advisories.
IRIX patches are available from
http://www.sgi.com/Support/security/security.html
If your IRIX machine has unpassworded accounts, then in addition to
disabling (or adding password protection to) accounts which do not
have passwords, we encourage you to inspect your system for signs
of intrusion. For instructions on how to do this, please refer to
the "Recovering from an Incident" web page, available from
http://www.cert.org/nav/recovering.html
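One way to check a system for the condition described above (accounts with an empty password field, and the state of the IRIX default accounts named in this summary), as an added example that is not part of the CERT summary or any SGI tool. The passwd entries in the block are constructed samples; the UIDs, home directories and hash are not from any real system.

```python
# Accounts that, per CERT Summary CS-98.06, ship unpassworded on IRIX
# and were the targets of the reported failed-login attempts.
IRIX_DEFAULT_ACCOUNTS = {"lp", "guest", "demos", "OutOfBox", "EZsetup"}


def classify_password_field(field):
    """Map a passwd(5) password field to 'empty', 'locked', 'shadowed' or 'set'."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    if field == "x":
        return "shadowed"  # real field lives in /etc/shadow; audit that file too
    return "set"


def audit_passwd(lines):
    """Return (account, status) pairs for accounts that need attention.

    Reports every account with an empty password field, plus the IRIX
    default accounts whatever their state, so an administrator can confirm
    each one has been disabled or given a password.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry: skip rather than guess
        name, pw = fields[0], fields[1]
        status = classify_password_field(pw)
        if status == "empty" or name in IRIX_DEFAULT_ACCOUNTS:
            findings.append((name, status))
    return findings


def unpassworded(lines):
    """Sorted names of all accounts whose password field is empty."""
    return sorted(n for n, s in audit_passwd(lines) if s == "empty")


# Constructed sample /etc/passwd content (hypothetical values, not a real host).
SAMPLE_PASSWD = """\
root:x9Q/ABCDEFGHI:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
OutOfBox:*:995:997:Out of Box Experience:/usr/people/OutOfBox:/bin/csh
EZsetup:*:992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh
nobody:*:60001:60001:Nobody:/dev/null:/dev/null
alice::1001:20:Alice:/usr/people/alice:/bin/csh
""".splitlines()

if __name__ == "__main__":
    for name, status in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: password field {status}")
```

Run it against the real file with `audit_passwd(open("/etc/passwd"))`; any account reported as "empty" should be disabled or given a password before the host is exposed to the port 1/tcpmux scans described above.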
3. Root Compromises
We continue to receive daily reports of sites that have suffered a
root compromise. Many of these compromises can be traced to systems
that are unpatched or misconfigured, which the intruders exploit
using well-known vulnerabilities for which CERT advisories have
been published.
We encourage you to check for signs of compromise. The following
documents can help you review your systems:
Intruder Detection Checklist
This document outlines suggested steps for determining if your
system has been compromised.
ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist
Steps for Recovering from a UNIX Root Compromise
This document sets out suggested steps for responding to a
root compromise.
http://www.cert.org/tech_tips/root_compromise.html
UNIX Configuration Guidelines
This document describes common UNIX system configuration
problems that have been exploited by intruders and recommends
practices that can be used to help deter several types of
break-ins.
ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines
List of Security Tools
This document describes tools that can be used to help secure
a system and deter break-ins.
ftp://ftp.cert.org/pub/tech_tips/security_tools
What's New and Updated
----------------------
Information about new and updated CERT documents, such as advisories,
is available through the CERT web site at
http://www.cert.org/nav/whatsnew.html
---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email [email protected]
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
[email protected]
In the subject line, type
SUBSCRIBE your-email-address
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available from
http://www.cert.org/
ftp://ftp.cert.org/pub/
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://ftp.cert.org/pub/CERT_PGP.key
---------------------------------------------------------------------------
Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff/legal_stuff.html and
ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access,
send mail to [email protected] with "copyright" in the subject line.
* CERT is registered in the U.S. Patent and Trademark Office.