---------------------------------------------------------------------------
CERT Summary CS-95:03
November 28, 1995

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our incident
response staff. The summary includes pointers to sources of information for
dealing with the problems. We also list new or updated files that are
available for anonymous FTP from ftp://info.cert.org

Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries
---------------------------------------------------------------------------

Recent Activity
---------------
Since the September CERT Summary, we have seen these continuing trends in
incidents reported to us. The majority of reported incidents fit into four
categories:

1. Packet Sniffers

We continue to see daily incident reports about intruders who have
installed sniffers on compromised systems. These sniffers, used to collect
account names and passwords, are frequently installed with a kit that
includes Trojan horse binaries. The Trojan horse binaries hide the sniffer
activity on the systems on which they are installed.

For further information and methods for detecting packet sniffers and
Trojan horses, see the following files:

   ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
   ftp://info.cert.org/pub/cert_advisories/CA-94:01.README
   ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksum
   ftp://info.cert.org/pub/cert_advisories/CA-94:05.README

2. Exploitation of SGI lp Vulnerability

The vulnerability described in CERT advisory CA-95:15, "SGI lp
Vulnerability," continues to be exploited, though we have seen a decline in
the number of reports since the advisory was released on November 8.
Intruders gain unauthorized access to Silicon Graphics, Inc. (SGI) IRIX
systems through a passwordless lp account; they then use this initial
access to gain additional privileges on the compromised system.
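The following check for the passwordless-account condition just described is an added example and not part of this CERT Summary; it assumes a POSIX shell with awk and scans a constructed passwd-format sample rather than a real IRIX file:

```shell
# Constructed sample in /etc/passwd format (not taken from any real system).
# 'lp' and 'guest' have an empty password field; 'root' has a hash,
# 'nobody' is locked with '*', and the '+' line is an NIS compat entry.
SAMPLE_PASSWD='root:XyZabc123Def45:0:0:Super-User:/:/bin/sh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nobody:*:60001:60001:Nobody:/dev/null:/dev/null
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
+::0:0:::'

# Read passwd- or shadow-format text on stdin and print, one per line,
# the names of accounts whose password field (field 2) is empty.
# NIS compat entries ('+' / '-' prefixed) are skipped: their empty
# field is not a local passwordless account and would be a false positive.
find_passwordless() {
    awk -F: '
        /^[+-]/ { next }
        NF >= 2 && $2 == "" { print $1 }
    '
}

# Audit one passwd-format file; return 1 when any account is passwordless
# so the function can gate a cron job or post-install script.
audit_passwd_file() {
    found=$(find_passwordless < "$1")
    if [ -n "$found" ]; then
        printf 'Accounts with empty password field in %s:\n%s\n' "$1" "$found"
        return 1
    fi
    printf 'No passwordless accounts in %s\n' "$1"
    return 0
}

# Stand-alone run against the constructed sample written to a temp file.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
audit_passwd_file "$tmp" || echo "audit flagged accounts (exit status $?)"
rm -f "$tmp"
```

On a system using shadow passwords the passwd field is a placeholder and the same function should be run over the shadow file instead.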
As distributed by SGI, the lp account (as well as other accounts) has no
password on a newly installed system. This fact is addressed in the
documentation that SGI distributes with their systems: "IRIX Advanced Site
and Server Administrative Guide" (see the chapter on System Security).

More information on this vulnerability and how it can be addressed can be
obtained from

   ftp://info.cert.org/pub/cert_advisories/CA-95:15.SGI.lp.vul

3. Network Scanning

We continue to receive several reports each week of intruders using the
Internet Security Scanner (ISS) to scan both individual hosts and large IP
address ranges. The ISS tool, which is described in CERT advisory CA-93:14,
"Internet Security Scanner," interrogates all computers within a specified
IP address range, determining the security posture of each with respect to
several common system vulnerabilities. Intruders use the information
gathered from such scans to gain unauthorized access to the scanned sites.

As part of a defensive strategy, you may want to consider running ISS
against your own site (in accordance with your organization's policies and
procedures) to identify any possible system weaknesses or vulnerabilities,
and then taking steps to implement any security fixes that may be
necessary. ISS is available from

   ftp://info.cert.org/pub/tools/iss/iss13.tar

More information about the ISS tool and steps for protecting your site are
outlined in the following documents:

   ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner
   ftp://info.cert.org/pub/cert_advisories/CA-93:14.README
   ftp://info.cert.org/pub/tech_tips/security_info
   ftp://info.cert.org/pub/tech_tips/packet_filtering

4. Sendmail Attacks

New reports of intruders attacking sites through sendmail vulnerabilities
continue to arrive daily, although most reports indicate that the attacks
have failed. The types of attacks are varied, but most are aimed at gaining
privileged access to the victim machine.
We encourage sites to combat these threats by taking the appropriate steps,
described in the following documents:

   ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities
   ftp://info.cert.org/pub/cert_advisories/CA-95:05.README
   ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
   ftp://info.cert.org/pub/cert_advisories/CA-95:08.README
   ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
   ftp://info.cert.org/pub/cert_advisories/CA-95:11.README

What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary
(September 26, 1995).

* New Additions

   ftp://info.cert.org/pub/cert_advisories/
      CA-95:12.sun.loadmodule.vul
      CA-95:13.syslog.vul
      CA-95:14.Telnetd_Environment_Vulnerability
      CA-95:15.SGI.lp.vul

   ftp://info.cert.org/pub/cert_bulletins/
      VB-95:07.abell (lsof)
      VB-95-08.X_Authentication_Vul

   ftp://info.cert.org/pub/tools/sendmail
      sendmail/sendmail.8.7.1.tar
      sendmail/sendmail.8.7.1.tar.Z

* Updated Files

   ftp://info.cert.org/pub/cert_advisories/
      CA-93:16a.README (sendmail - note to use smrsh with all versions)
      CA-95:05.README  (sendmail - date of Digital Equipment's patch)
      CA-95:08.README  (sendmail - note to use smrsh with all versions)
      CA-95:10.README  (ghostscript - patches and explanations)
      CA-95:13.README  (syslog - information from vendors)
      CA-95:14.README  (telnetd - information from vendors; correction to
                        compilation example)

   ftp://info.cert.org/pub/tools/cops
      README (more recent email address for COPS author Dan Farmer)

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
         and are on call for emergencies during other hours.
Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories and bulletins, send
your email address to
         cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the email be encrypted.
We can support a shared DES key, PGP, or PEM (contact CERT staff for
details).

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT.PGP_key

---------------------------------------------------------------------------
Copyright 1995 Carnegie Mellon University

This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.