The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


CERT Summary CS-2001-03


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 28 Aug 2001 11:10:06 -0400 (EDT)
From: CERT Advisory <[email protected]>
To: [email protected]
Subject: CERT Summary CS-2001-03


-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2001-03

   August 28, 2001

   Each  quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary  to  draw  attention  to  the types of attacks reported to our
   incident  response  team,  as  well  as  other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries
          http://www.cert.org/summaries/
   ______________________________________________________________________

Recent Activity

   Since  the  last  regularly scheduled CERT summary, issued in May 2001
   (CS-2001-02),  we have seen several self-propagating worms, as well as
   active  exploitation  of vulnerabilities in Solaris in.lpd, BSD telnet
   daemon  and  Microsoft  IIS by intruders. In addition, we have seen an
   increase in intruder activity directed at home users.

   For  more  current  information  on  activity  being  reported  to the
   CERT/CC,  please  visit the CERT/CC Current Activity page. The Current
   Activity  page  is  a  regularly updated summary of the most frequent,
   high-impact  types  of  security  incidents  and vulnerabilities being
   reported  to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity
          http://www.cert.org/current/current_activity.html


    1. "Code Red" / "Code Red II" worms
       
       On  June 19, 2001, the CERT/CC published CERT Advisory CA-2001-13,
       describing  a vulnerability in Indexing Services used by Microsoft
       IIS  4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta
       versions  of  Windows  XP.  This  vulnerability  allows  a  remote
       intruder to run arbitrary code on the victim machine.

       On  July  19,  2001, the CERT/CC began receiving a large number of
       reports  of  a  worm  commonly  referred  to  as  "Code  Red". The
       widespread,  automated  attack  and propagation characteristics of
       this    worm,    and   its   variants,   have   caused   bandwidth
       denial-of-service conditions in isolated portions of the Internet,
       particularly near groups of compromised hosts. Since that time, we
       have  received  reports of variants, as well as reports of another
       worm with similiar characteristics (Code Red II). These worms have
       affected  at  least  300,000  hosts. The CERT/CC highly encourages
       administrators  of  IIS  servers to review the following documents
       and take appropriate action.

	   CERT Advisory CA-2001-13:
	   Buffer Overflow In IIS Indexing Service DLL
	   http://www.cert.org/advisories/CA-2001-13.html

	   CERT  Advisory  CA-2001-19:
	   "Code  Red"  Worm Exploiting Buffer Overflow in IIS Indexing Service DLL
	   http://www.cert.org/advisories/CA-2001-19.html

	   CERT  Advisory CA-2001-23: 
	   Continuing Threat of the "Code Red" Worm
	   http://www.cert.org/advisories/CA-2001-23html

	   CERT Incident Note IN-2001-08:
	   "Code Red" Worm Exploiting Buffer Overflow in IIS Indexing Service DLL
	   http://www.cert.org/incident_notes/IN-2001-08.html

	   CERT  Incident  Note  IN-2001-09:
	   "Code Red II:" Another Worm  Exploiting  Buffer Overflow in IIS Indexing Service DLL
	   http://www.cert.org/incident_notes/IN-2001-09.html

    2. "Code  Red"  Worm  Crashes  IIS  4.0  Servers with URL Redirection
       Enabled
       
       Along  with  the  large  number  of  "Code  Red" and "Code Red II"
       reports  indicating  that systems are compromised, the CERT/CC has
       received  a  smaller yet still significant number of reports where
       Windows NT 4.0 IIS 4.0 systems have been adversely affected by the
       high volume of "Code Red" scanning activity. A recently discovered
       vulnerability  can  cause an IIS 4.0 server (patched against "Code
       Red"  according  to Microsoft Security Bulletin MS01-033) with URL
       redirection enabled to crash when scanned by the "Code Red" worm.

       CERT  Incident  Note  IN-2001-10:
       "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled
       http://www.cert.org/incident_notes/IN-2001-10.html


    3. W32/Sircam Malicious Code
       
       "W32/Sircam"  is  malicious  code  that  spreads through email and
       potentially  through  unprotected Windows network shares. Once the
       malicious  code  has  been  executed on a system, it may reveal or
       delete sensitive information.

       Detailed  information  about  W32/Sircam  can  be  found  in  CERT
       Advisory  CA-2001-22. Users are strongly encouraged to visit their
       anti-virus  vendor's  website  for  information on how to properly
       remove W32/Sircam from an infected computer.

       CERT Advisory CA-2001-22:
       W32/Sircam Malicious Code
       http://www.cert.org/advisories/CA-2001-22.html


    4. Buffer Overflow in telnetd

       The  telnetd  program  is  a  server for the Telnet remote virtual
       terminal protocol. There is a remotely exploitable buffer overflow
       in Telnet daemons derived from BSD source code. This vulnerability
       can crash the server or be leveraged to gain root access.

       CERT Advisory CA-2001-21:
       Buffer Overflow in telnetd
       http://www.cert.org/advisories/CA-2001-21.html


    5. Buffer Overflow in Sun Solaris in.lpd Print Daemon

       A  buffer  overflow  exists  in the Solaris BSD-style line printer
       daemon,  in.lpd,  that  may  allow  a  remote  intruder to execute
       arbitrary code with the privileges of the running daemon.

       CERT  Advisory CA-2001-15:
       Buffer Overflow in Sun Solaris in.lpd Print Daemon
       http://www.cert.org/advisories/CA-2001-15.html


    6. Continuing Threats to Home Users

       The  CERT/CC  has  observed  a  significant  increase  in activity
       resulting in compromises of home user machines. Many home users do
       not  keep  their  machines  up  to  date with security patches and
       workarounds,  do  not  run current anti-virus software, and do not
       exercise  caution  when handling email attachments. Intruders know
       this, and we have seen a marked increase in intruders specifically
       targeting home users who have cable modem and DSL connections.

       The  CERT/CC  strongly  encourages  home users to review the below
       referenced  documents.  These  documents illustrate the threats to
       home  users,  and  outline  countermeasures  that  can  be used to
       mitigate aganist them.

       CERT  Advisory  CA-2001-20:
       Continuing  Threats to Home Users
       http://www.cert.org/advisories/CA-2001-20.html

       CERT Tech Tip: Home Network Security
       http://www.cert.org/tech_tips/home_networks.html


    7. W32/Leaves

       The  CERT/CC  has  received  a  number  of  reports  regarding the
       compromise  of  home user machines running Microsoft Windows. Most
       of  these reports surround the intruder tool SubSeven. SubSeven is
       often  used as a Trojan horse, which allows an intruder to deliver
       and  execute  any custom payload and run arbitrary commands on the
       affected machine.

       CERT  Incident  Note IN-2001-07:
       W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses
       http://www.cert.org/incident_notes/IN-2001-07.html

     _________________________________________________________________

What's New and Updated

   Since the last CERT Summary, we have published new and updated

     * Advisories
       http://www.cert.org/advisories/

     * Congressional Testimony
       http://www.cert.org/congressional_testimony/

     * Incident Notes
       http://www.cert.org/incident_notes/

     * CERT/CC Statistics
       http://www.cert.org/stats/cert_stats.html

     * Tech Tips
       http://www.cert.org/tech_tips/

     * Training Schedule
       http:/www.cert.org/training/

   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/summaries/CS-2001-03.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: [email protected]
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

    Getting security information

   CERT  publications  and  other security information are available from
   our web site

   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to [email protected]. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBO4uyaQYcfu8gsZJZAQFJEgP6A0+vfi/vkpl5YeneQPhyfllaFEtKwQSD
xuGWHF6YUQGEHiQZYnwAFV2gWEkY5OGLWGBSsRESr3kHSpcMPfsOkGvty+lyi5aM
kfRaZkkdlZdNmMYlxwQxq9IrEaWX4rJzrzcdfq9U3TTB4oBJnP4dDRyUIdW3Oe3E
R8vDJQar7EM=
=DR64
-----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру