---------------------------------------------------------------------------
CERT Summary CS-95:01
July 26, 1995

As part of our ongoing efforts to disseminate timely information about
Internet security issues, the CERT Coordination Center is pleased to announce
the CERT Summary.  CERT Summary will be distributed periodically to call
attention to the types of attacks currently being reported to the CERT
Coordination Center.  The summary will include pointers to sources of
information for dealing with the problems.

---------------------------------------------------------------------------

Recent Activity

The majority of incidents reported to the CERT Coordination Center in
recent weeks fall into three categories:

1.  IP Spoofing:  We have seen a surge in IP spoofing.  In recent weeks, we
    have received more than 170 reports of IP spoofing attacks or probes, many
    of them resulting in a successful break-in.  Several sites believed
    incorrectly that they were blocking such packets.  Others planned to block
    them but hadn't yet done so.

    We urge you to take the time to review CERT Advisory CA-95:01, "IP
    Spoofing Attacks and Hijacked Terminal Connections," which has
    details on this type of attack and how to prevent it. Vulnerability
    to IP spoofing attacks is NOT limited to any specific router or OS vendor.
    This advisory is available from

          ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing

2.  Packet Sniffers:  We receive new reports daily that describe sniffers
    installed on compromised hosts.  These sniffers, which are used to collect
    account names and passwords, are frequently installed using a kit.
    Further information on packet sniffers is available from

  ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

    Once root is compromised on a system, the sniffer kit can be activated
    to collect account names and passwords.  Note that even if sniffing
    capabilities are disabled by recompiling the kernel and rebooting, we
    have received reports of intruders re-enabling these capabilities by
    recompiling the kernel and rebooting the system themselves.  Pay
    particular attention to every system reboot.

    In the attacks that we have seen, intruders frequently install (as root)
    Trojan horse system software that is available with the sniffer kit.
    Further information on the Trojan horses that we have seen is available
    from

          ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksums

3.  NFS Attacks:  We have seen a large increase in the number of attacks
    and probes against weaknesses within NFS. Again, many of these are
    successful.  Programs to automate such attacks have become widespread.

    Please review CERT Advisory CA-94:15, "NFS Vulnerabilities,"
    available in

          ftp://info.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities

    A successful attack usually results in the intruders gaining root access.
    Intruders have been targeting machines with vendor-licensed source code.
    They appear to be in search of the code for system software with a view
    to creating and installing copies containing Trojan horses on compromised
    systems.  If you manage systems that contain vendor-licensed source code,
    pay particular attention to the "Security Measures" section of the
    advisory.

-------------------------
New Trojan Horse Programs

    Once root has been compromised on a system, we are finding new Trojan
    horses installed in the inetd and in.rexecd daemons.  These Trojan horses
    allow an intruder to gain access at a later time, bypassing most firewall
    and TCP wrapper configurations.  Do not rely on checksums determined by
    the sum(1) program because intruders are creating files whose
    checksums match those of the vendor-distributed versions.  Do not rely
    on time stamps of these files either because intruders are setting
    these to previous values as well.

    We recommend that you use a known clean version of cmp(1) to make a direct
    comparison of the binaries and the appropriate distribution media.

    Alternatively, you can check the MD5 results on suspect binaries against
    a list of MD5 checksums from known good binaries.  Ask your vendor to make
    MD5 checksums available for their distribution binaries.  You can also
    consult the following for some additional information on MD5:

          ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksums

    In addition, tools such as Tripwire can archive MD5 checksums of known good
    binaries when used immediately after a system installation.  If you use
    Tripwire, you should regularly maintain the checksums on removable or
    read-only media.  For more details on Tripwire and MD5, please see:

          ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

    We are also seeing Trojan horses introduced into shared object libraries.
    Examples are /usr/lib/libc.so.* and /usr/kvm/libkvm.so.* on
    SunOS-based machines.  Although we have only received reports of
    SunOS-based machines being altered, the techniques used by intruders are
    applicable to other systems that use shared object libraries.  These
    libraries are being modified so that the presence of certain directories
    and processes cannot be detected with vendor-provided programs or public
    domain programs built to use shared object libraries.  This means that ANY
    program using these shared libraries will act in the manner described by
    the intruder without the intruder necessarily having to modify the program
    itself.

    The Trojan horse daemons previously described typically become "invisible"
    to programs such as ps once the kvm shared object library has been
    modified.  Similarly, the directories used by intruders for building
    these daemons are "invisible" once the libc shared object library
    has been modified.  Again, do not rely on checksums using sum(1) or time
    stamps to detect altered files.  Use a known clean version of cmp(1) or a
    strong checksum technique such as MD5 to verify your files against the
    appropriate distribution.
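    A defender's check along the lines recommended above, written here as an
    added example that is not part of the CERT Summary: it builds an MD5
    manifest from a clean tree, verifies a live tree against both the manifest
    and the clean copy with cmp(1), and shows that a same-size replacement
    with a reset timestamp passes a size/mtime check but not the content
    checks.  The directory layout, file names and contents are constructed
    for the demonstration; md5sum (or md5 -q) stands in for the MD5 tool.

```shell
#!/bin/sh
# Added example, not from the CERT Summary: check a live system against a
# known-good copy the way the summary recommends. cmp(1) gives a direct byte
# comparison against distribution media; an MD5 manifest built right after
# installation (and kept on read-only media) serves when the media is not
# mounted. Names and file contents below are constructed; paths are assumed
# to contain no whitespace.

hash_file() {
    # Strong checksum: md5sum on Linux, md5 -q on BSD-derived systems.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

list_files() {
    # Relative paths of every regular file under $1, sorted.
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort )
}

# make_manifest CLEAN_DIR: emit "md5  relative/path" per file to stdout.
make_manifest() {
    list_files "$1" | while read -r rel; do
        printf '%s  %s\n' "$(hash_file "$1/$rel")" "$rel"
    done
}

# verify_manifest MANIFEST LIVE_DIR: print each path whose MD5 differs from
# the recorded value; a missing file is reported as a mismatch too.
verify_manifest() {
    while read -r sum rel; do
        [ -f "$2/$rel" ] && [ "$(hash_file "$2/$rel")" = "$sum" ] || echo "$rel"
    done < "$1"
}

# verify_cmp CLEAN_DIR LIVE_DIR: cmp(1) every file against the distribution
# copy; print paths that differ or are missing.
verify_cmp() {
    list_files "$1" | while read -r rel; do
        cmp -s "$1/$rel" "$2/$rel" || echo "$rel"
    done
}

# weak_check_passes A B: succeed when size and mtime agree. These are the
# properties the summary says intruders forge, so this check is shown only
# to demonstrate that it cannot be trusted.
weak_check_passes() {
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ] &&
        ! [ "$1" -nt "$2" ] && ! [ "$2" -nt "$1" ]
}

# Demo: a clean tree and a live tree in which inetd has been replaced by a
# same-size file carrying the original timestamp (constructed sample).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/clean/usr/sbin" "$demo_dir/live/usr/sbin"
printf 'INETD-ORIGINAL\n'  > "$demo_dir/clean/usr/sbin/inetd"
printf 'REXECD-ORIGINAL\n' > "$demo_dir/clean/usr/sbin/in.rexecd"
cp -p "$demo_dir/clean/usr/sbin/"* "$demo_dir/live/usr/sbin/"
printf 'INETD-ALTERED!\n' > "$demo_dir/live/usr/sbin/inetd"               # same length
touch -r "$demo_dir/clean/usr/sbin/inetd" "$demo_dir/live/usr/sbin/inetd"  # same mtime

make_manifest "$demo_dir/clean" > "$demo_dir/manifest.md5"
echo "size/mtime check sees no change: $(weak_check_passes "$demo_dir/clean/usr/sbin/inetd" "$demo_dir/live/usr/sbin/inetd" && echo yes)"
echo "MD5 manifest mismatches: $(verify_manifest "$demo_dir/manifest.md5" "$demo_dir/live")"
echo "cmp(1) mismatches:       $(verify_cmp "$demo_dir/clean" "$demo_dir/live")"
```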

---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted.  The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet e-mail: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                 Software Engineering Institute
                 Carnegie Mellon University
                 Pittsburgh, PA 15213-3890
                 USA

CERT advisories and bulletins are posted on the USENET news group
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send
mail to cert-advisory-request@cert.org.

Past CERT publications, information about FIRST representatives,
and other information related to computer security are available by
anonymous FTP from info.cert.org.

---------------------------------------------------------------------------

Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission
provided it is used for noncommercial purposes and the copyright statement
is included.

CERT is a service mark of Carnegie Mellon University.


---------------------------------------------------------------------------
CERT Summary CS-95:02
September 26, 1995

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our incident
response staff. The summary includes pointers to sources of information for
dealing with the problems. Starting with this summary, we will also list new
or updated files that are available for anonymous FTP from ftp://info.cert.org.

Past CERT Summaries are available from 
     ftp://info.cert.org/pub/cert_summaries
---------------------------------------------------------------------------

Recent Activity
---------------
Since the July CERT Summary, we have seen these continuing trends in incidents
reported to us:

1. Sendmail Attacks

We receive several reports each week of attacks through sendmail, with
intruders using a variety of techniques. Most of the attacks are aimed at
gaining privileged access to the victim machine.

To combat these threats, we encourage sites to take the appropriate steps
outlined in the following:

  ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul

  ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability

A number of sites have reported some confusion about the need to continue using
the sendmail restricted shell program (smrsh). You need to run the smrsh tool
in conjunction with the most recently patched version of sendmail for your
system.

Information on the smrsh tool can be obtained from these locations under
  ftp://info.cert.org/pub/

                   tools/sendmail/smrsh/
                   cert_advisories/CA-93:16.sendmail.vulnerability
                   cert_advisories/CA-93:16a.sendmail.vulnerability.supplement
                   cert_advisories/CA-95:11.sun.sendmail-oR.vul


The smrsh program can be obtained from

  ftp://info.cert.org/pub/tools/smrsh/

It is included in the sendmail 8.7 distribution.


2. Network Scanning

Several incidents have recently been reported in which intruders scan a large
address range using the Internet Security Scanner (ISS). As described in CERT
advisory CA-93:14, this tool interrogates all computers within a specified IP
address range, determining the security posture of each with respect to
several common system vulnerabilities.

Intruders have used the information gathered from these scans to compromise
sites. We are aware of many systems that have suffered a root compromise as a
result of information intruders obtained from ISS scans.

You may wish to run ISS against your own site in accordance with your
organization's policies and procedures. ISS is available from

  ftp://info.cert.org/pub/tools/iss/iss13.tar

We encourage you to take relevant steps outlined in these documents:

  ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner
  ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
  ftp://info.cert.org/pub/tech_tips/packet_filtering


3. Exploitation of rlogin and rsh

We have received some reports about the continued exploitation of a
vulnerability in rlogin and rsh affecting IBM AIX 3 systems and Linux systems.
This is not a new vulnerability, but it continues to exist. Sites have
reported encountering some Linux distributions that contain this
vulnerability.

Information on this vulnerability and available solutions can be
obtained from

  ftp://info.cert.org/pub/cert_advisories/CA-94:09.bin.login.vulnerability


4. Packet Sniffers

We continue to receive new incident reports daily about sniffers on
compromised hosts. These sniffers, used to collect account names and
passwords, are frequently installed using a kit. In some cases, the packet
sniffer was found to have been running for months. Occasionally, sites had
been explicitly warned of the possibility of such a compromise, but the
sniffer activity continued because the site did not address the problem in the
comprehensive manner that we suggest in our security documents.

Further information on packet sniffers is available from

  ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

Information about detecting sniffers using cpm is included in the advisory.


What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since June 1, 1995.

* New Additions:

ftp://info.cert.org/pub/

    incident.reporting.form (the form you should fill out when
                             reporting an incident to our staff)

ftp://info.cert.org/pub/cert_advisories/

    CA-95:08.sendmail.v.5.vulnerability
    CA-95:09.Solaris.ps.vul
    CA-95:10.ghostscript
    CA-95:11.sun.sendmail-oR.vul

ftp://info.cert.org/pub/cert_bulletins/

    VB-95:05.osf    (OSF/DCE security hole)
    VB-95:06.cisco  (vulnerability in Cisco's IOS software)

ftp://info.cert.org/pub/tech_tips/

    AUSCERT_checklist_1.0 (UNIX checklist developed by the Australian
                           Emergency Response Team) 

* Updated Files

ftp://info.cert.org/pub/cert_advisories/

  CA-93:14 (Internet Security Scanner)
  CA-94:01 (network monitoring)
  CA-94:02 (SunOS rpc mountd vulnerability)
  CA-94:05 (md5)
  CA-94:11 (majordomo) 
  CA-95:01 (IP spoofing and hijacked terminal connections) 
  CA-95:02 (binmail vulnerabilities)
  CA-95:05 (sendmail - several vulnerabilities)
  CA-95:08 (sendmail version 5 and IDA sendmail) 
  CA-95:09 (Solaris ps)
  CA-95:11 (Sun sendmail -oR vulnerability) 

We have begun adding a note reminding readers to check with vendors
for current checksum values. After we publish checksums in advisories,
files and checksums are sometimes updated at individual locations.

* Other Changes:

As we will no longer be keeping the lsof directory current, the directory and
its files have been removed from our FTP site. The current version of lsof is
available from

  ftp://vic.cc.purdue.edu/pub/tools/unix/lsof

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org 

Phone    +1 412-268-7090 (24-hour hotline) 
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours. 

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories 
and bulletins, send your email address to

        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group

         comp.security.announce

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the email be encrypted.  
We can support a shared DES key, PGP, or PEM (contact CERT staff for details).

Location of CERT PGP key

         ftp://info.cert.org/pub/CERT.PGP_key

---------------------------------------------------------------------------
Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission
provided it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

---------------------------------------------------------------------------
CERT Summary CS-95:03
November 28, 1995

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our incident
response staff. The summary includes pointers to sources of information for
dealing with the problems. We also list new or updated files that are
available for anonymous FTP from ftp://info.cert.org.

Past CERT Summaries are available from 
     ftp://info.cert.org/pub/cert_summaries
---------------------------------------------------------------------------

Recent Activity
---------------

Since the September CERT Summary, we have seen these continuing trends in
incidents reported to us. The majority of reported incidents fit into four
categories:

1. Packet Sniffers

We continue to see daily incident reports about intruders who have installed
sniffers on compromised systems. These sniffers, used to collect account names
and passwords, are frequently installed with a kit that includes Trojan horse
binaries. The Trojan horse binaries hide the sniffer activity on the systems
on which they are installed.

For further information and methods for detecting packet sniffers and Trojan
horses, see the following files:

  ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
  ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksum


2. Exploitation of SGI lp Vulnerability 

The vulnerability described in CERT advisory CA-95:15, "SGI lp Vulnerability,"
continues to be exploited, though we have seen a decline in the number of
reports since the advisory was released on November 8. Intruders gain
unauthorized access to Silicon Graphics, Inc. (SGI) IRIX systems through a
passwordless lp account; they use this initial access to leverage additional
privileges on the compromised system.

As distributed by SGI, the lp account (as well as other accounts) has no
password on a newly installed system. This fact is addressed in the
documentation that SGI distributes with their systems: "IRIX Advanced Site
and Server Administrative Guide" (see the chapter on System Security).
More information on this vulnerability and how it can be addressed can be
obtained from

  ftp://info.cert.org/pub/cert_advisories/CA-95:15.SGI.lp.vul


3. Network Scanning

We continue to receive several reports each week of intruders using the
Internet Security Scanner (ISS) to scan both individual hosts and large IP
address ranges. The ISS tool, which is described in CERT advisory CA-93:14
"Internet Security Scanner", interrogates all computers within a specified
IP address range, determining the security posture of each with respect to
several common system vulnerabilities. Intruders use the information
gathered from such scans to gain unauthorized access to the scanned sites.

As part of a defensive strategy, you may want to consider running ISS against
your own site (in accordance with your organization's policies and procedures)
to identify possible system weaknesses or vulnerabilities and to implement
any security fixes that turn out to be necessary. ISS is available from

  ftp://info.cert.org/pub/tools/iss/iss13.tar

More information about the ISS tool and steps for protecting your site are 
outlined in the following documents:

  ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner
  ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
  ftp://info.cert.org/pub/tech_tips/packet_filtering


4. Sendmail Attacks

New reports of intruders attacking sites through sendmail vulnerabilities are
continuing to arrive daily, although most reports indicate the attacks have
failed. The types of attacks are varied, but most are aimed at gaining
privileged access to the victim machine.

We encourage sites to combat these threats by taking the appropriate steps,
described in the following documents:

  ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities
  ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
  ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul

What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary (September 26,
1995). 

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-95:12.sun.loadmodule.vul
    CA-95:13.syslog.vul
    CA-95:14.Telnetd_Environment_Vulnerability
    CA-95:15.SGI.lp.vul

ftp://info.cert.org/pub/cert_bulletins/

    VB-95:07.abell (lsof)
    VB-95-08.X_Authentication_Vul

ftp://info.cert.org/pub/tools/sendmail

    sendmail/sendmail.8.7.1.tar 
    sendmail/sendmail.8.7.1.tar.Z


* Updated Files 

ftp://info.cert.org/pub/cert_advisories/

    CA-93:16a (sendmail - note to use smrsh with all versions)
    CA-95:05 (sendmail - date of Digital Equipment's patch)
    CA-95:08 (sendmail - note to use smrsh with all versions)
    CA-95:10 (ghostscript - patches and explanations)
    CA-95:13 (syslog - information from vendors)
    CA-95:14 (telnetd - information from vendors; correction to
                     compilation example)

ftp://info.cert.org/pub/tools/cops
    README (more recent email address for COPS author Dan Farmer)



