-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT(sm) Summary CS-96.01
January 23, 1996

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
strategic incident response staff. The summary includes pointers to
sources of information for dealing with the problems. We also list new
or updated files that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from 
     ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Recent Activity 
- --------------- 

In the last two months we have seen the same types of activity that we
described in the CERT advisory CA-95:18 Widespread Attacks on Internet
Sites.  If you have not yet taken steps to protect your site against
the activities described below, we urge you to do so as soon as
possible. 

  Description

     Intruders are doing the following:

        - using automated tools to scan sites for NFS and NIS vulnerabilities 

        - exploiting the rpc.ypupdated vulnerability to gain root access

        - exploiting the loadmodule vulnerability to gain root access

        - installing Trojan horse programs and packet sniffers

        - launching IP spoofing attacks

  Solution

     The CERT staff urges you to immediately take the steps described in
     the advisories referenced below. Note that it is important to 
     periodically recheck these files as they contain updated 
     information received after the advisory was published.
 
     a. Using automated tools to scan sites for NFS and NIS vulnerabilities

        * CA-94:15.NFS.Vulnerabilities
        * CA-92:13.SunOS.NIS.vulnerability

     b. Exploiting the rpc.ypupdated vulnerability to gain root access

        * CA-95:17.rpc.ypupdated.vul

     c. Exploiting the loadmodule vulnerability to gain root access

        * CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability
        * CA-95:12.sun.loadmodule.vul

     d. Installing Trojan horse programs and packet sniffers

        * CA-94:01.ongoing.network.monitoring.attacks

     e. Launching IP spoofing attacks

        * CA-95:01.IP.spoofing

      
     The CERT advisories are available from

         ftp://info.cert.org/pub/cert_advisories



What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (November 28,
1995). 

* New Additions

ftp://info.cert.org/pub/

    Sysadmin_Tutorial.announcement (This CERT course will be given
                                    four times this year in Pittsburgh, 
                                    Pennsylvania, USA.)

ftp://info.cert.org/pub/cert_advisories/

    CA-95:16.wu-ftpd.vul
    CA-95:17.rpc.ypupdated.vul
    CA-95:18.widespread.attacks

ftp://info.cert.org/pub/cert_bulletins/

    VB-95:10.elm
    VB-95:10a.elm (listed additional FTP sites)


* Updated Files 

ftp://info.cert.org/pub/

    cert_faq

ftp://info.cert.org/pub/cert_advisories/

    CA-95:13 (syslog - added info from Digital Equipment)
    CA-95:15 (SGI lp - added info)
    CA-95:16 (wu-ftpd - added clarification and Solaris 2.4 info)
    CA-95:17 (rpc.ypupdated - added vendor info for Digital & HP)

ftp://info.cert.org/pub/tech_tips/

    AUSCERT_checklist1.1 (replaced AUSCERT checklist version 1.0)


- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org 

Phone    +1 412-268-7090 (24-hour hotline) 
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours. 

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to 
        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information. 

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

-----BEGIN PGP SIGNED MESSAGE-----


- ---------------------------------------------------------------------------
CERT(sm) Summary CS-96.02
March 26, 1996

- ---------------------------------------------------------------------------

Recent Activity 
- --------------- 

In the two months since the last CERT Summary, we have continued to
receive reports about the same types of activities that were described
in CERT advisory CA-95:18 Widespread Attacks on Internet Sites. In
addition, we have seen an increase in the number of reports relating
to software piracy, many of which involve intruders taking advantage
of systems with poorly configured anonymous FTP areas.

If you haven't done so already, the CERT staff urges you to
immediately take the steps described in the advisories listed below.
Note that it is important to periodically recheck these files, as they
can contain updated information that we receive after an advisory is
published.

The majority of the incidents reported to our incident response staff
during the last two months fit into one (or more) of these seven
categories:

1. Root compromise on systems that are unpatched or running old OS versions.

   We receive daily reports of systems that have been compromised by
   intruders who have gained unauthorized access to root or other
   privileged accounts by exploiting widely known security vulnerabilities
   on systems that did not have appropriate patches installed (and/or
   systems that were running old [unpatched] versions of the operating
   system).

   We encourage everyone to check with their vendor(s) regularly for
   updates or new patches that relate to their systems, and install
   security-related patches as soon as they are available.

   For a list of additional suggestions on recovering from a UNIX root
   compromise, see

 ftp://info.cert.org/pub/tech_tips/root_compromise


2. Compromised user-level accounts that are leveraged to gain further access.

   We receive daily reports of compromised accounts that have been used to
   launch attacks against other sites, and/or have been used to gain
   privileged access on vulnerable systems.

   We encourage you to check your systems regularly (in accordance
   with your site policies and guidelines) for any signs of unauthorized
   accesses or suspicious activity.

   For a list of suggestions on how to determine whether your system may
   have been compromised, see

 ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist


3. Packet sniffers and Trojan horse programs

   We continue to receive almost daily incident reports about intruders who
   have installed packet sniffers on root-compromised systems. These
   sniffers, used to collect account names and passwords, are frequently
   installed as part of a widely-available kit that also replaces common
   system files with Trojan horse programs. The Trojan horse binaries
   (du, ls, ifconfig, netstat, login, ps, etc.) hide the intruders'
   files and sniffer activity on the system on which they are installed.

   For further information and methods for detecting packet sniffers and
   Trojan horse binaries, see the following files:

 ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

 ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksums
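
As an added example (not CERT's code, and not the cpm or ifstatus tools), the two checks a site would run for the kit described above: comparing installed binaries against a trusted MD5 manifest, the approach of CA-94:05, and looking for interfaces left in promiscuous mode by reading the Linux sysfs flags file. The manifest layout, the sample "binaries" and the sysfs path are assumptions.

```python
import hashlib
import os
import tempfile

IFF_PROMISC = 0x100   # Linux interface flag bit for promiscuous mode

def md5_file(path, chunk=65536):
    """MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse '<md5hex>  <path>' lines (md5sum layout) into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        entries[path.strip()] = digest.lower()
    return entries

def verify_binaries(manifest, root="/"):
    """Map each manifest path to 'ok', 'MODIFIED' or 'MISSING' under root."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(path):
            results[rel] = "MISSING"
        elif md5_file(path) != expected:
            results[rel] = "MODIFIED"
        else:
            results[rel] = "ok"
    return results

def is_promiscuous(flags_text):
    """flags_text is the hex value in /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promiscuous_interfaces(sys_net="/sys/class/net"):
    """Interfaces currently in promiscuous mode (empty list if no sysfs)."""
    found = []
    if not os.path.isdir(sys_net):
        return found
    for name in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, name, "flags")) as f:
                if is_promiscuous(f.read()):
                    found.append(name)
        except OSError:
            continue
    return found

def demo():
    """Constructed tree: an intact ls, a replaced ps, and a missing netstat."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    genuine_ls = b"#!/bin/sh\necho genuine ls\n"
    genuine_ps = b"#!/bin/sh\necho genuine ps\n"
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(genuine_ls)
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"#!/bin/sh\necho replaced ps\n")
    manifest = parse_manifest(
        "# trusted checksums, generated from distribution media (constructed)\n"
        "%s  /bin/ls\n%s  /bin/ps\n%s  /bin/netstat\n"
        % (hashlib.md5(genuine_ls).hexdigest(),
           hashlib.md5(genuine_ps).hexdigest(),
           "0" * 32))
    return verify_binaries(manifest, root)

if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print("%-14s %s" % (path, status))
    print("promiscuous interfaces:", promiscuous_interfaces())
```

The manifest must come from trusted media and be kept off the host, since a kit that replaces ls and ps can just as well replace a checksum file stored beside them.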


4. IP spoofing attacks

   We continue to receive several reports each week of IP spoofing
   attacks. Intruders attack by using automated tools that are becoming
   widespread on the Internet. Some sites incorrectly believed that they
   were blocking such spoofed packets, and others planned to block them but
   hadn't yet done so.

   For further information on this type of attack and how to prevent it,
   see

 ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing


5. Software piracy

   We receive new reports each week about compromised accounts and/or
   poorly configured anonymous FTP servers that are being used for
   exchanging pirated software. While the compromised accounts should be
   addressed as a separate security issue (see item 2, above), the abuse of
   anonymous FTP areas for software piracy activities can be reduced if the
   anonymous FTP service is correctly configured and administered.

   For related information and guidelines for configuring anonymous FTP,
   see

 ftp://info.cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity
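
An added audit script (not a CERT tool) that checks an anonymous FTP tree against the usual hardening points: the tree is owned by one administrative uid and nowhere writable, except a drop directory, assumed here to be called incoming, which may be written to but must not be readable, so uploads cannot be fetched back by others. The sample tree is constructed.

```python
import os
import stat
import tempfile

INCOMING = "incoming"   # assumed name of the upload drop directory
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def audit_ftp_tree(ftp_home, owner_uid=0):
    """Return a sorted list of (relative path, problem) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(ftp_home):
        dirnames.sort()
        rel = os.path.relpath(dirpath, ftp_home)
        st = os.stat(dirpath)
        in_incoming = rel == INCOMING or rel.startswith(INCOMING + os.sep)
        if st.st_uid != owner_uid:
            findings.append((rel, "directory not owned by the expected uid"))
        if rel == INCOMING:
            # Drop box: writable is the point, but others must not list or
            # read it, and the sticky bit keeps uploaders from removing each
            # other's files.
            if st.st_mode & stat.S_IROTH:
                findings.append((rel, "incoming is readable: uploads can be fetched back"))
            if not st.st_mode & stat.S_ISVTX:
                findings.append((rel, "incoming lacks the sticky bit"))
        elif st.st_mode & GROUP_OTHER_WRITE:
            findings.append((rel, "directory writable by group or other"))
        for name in filenames:
            fst = os.lstat(os.path.join(dirpath, name))
            frel = name if rel == "." else os.path.join(rel, name)
            if fst.st_mode & GROUP_OTHER_WRITE:
                findings.append((frel, "file writable by group or other"))
            if in_incoming and fst.st_mode & stat.S_IROTH:
                findings.append((frel, "uploaded file is world readable"))
    return sorted(findings)

def demo(owner_uid=None):
    """Constructed ~ftp: a sane pub area, one sloppy directory, a drop box."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)
    pub = os.path.join(home, "pub")
    os.mkdir(pub)
    os.chmod(pub, 0o755)
    with open(os.path.join(pub, "README"), "w") as f:
        f.write("welcome\n")
    os.chmod(os.path.join(pub, "README"), 0o644)
    tools = os.path.join(pub, "tools")
    os.mkdir(tools)
    os.chmod(tools, 0o777)            # the mistake: anyone can drop files here
    incoming = os.path.join(home, INCOMING)
    os.mkdir(incoming)
    os.chmod(incoming, 0o1733)        # write-only for others, sticky
    with open(os.path.join(incoming, "upload.zip"), "w") as f:
        f.write("x")
    os.chmod(os.path.join(incoming, "upload.zip"), 0o600)
    uid = os.getuid() if owner_uid is None else owner_uid
    return audit_ftp_tree(home, owner_uid=uid)

if __name__ == "__main__":
    for path, problem in demo():
        print("%-20s %s" % (path, problem))
```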


6. Sendmail attacks

   We still receive new reports each week about intruders attempting to
   exploit vulnerabilities in the sendmail program mailer facility.
   Unfortunately, some of these attacks have been successful against sites
   that are running old versions of sendmail and/or are not restricting the
   sendmail program mailer facility. Sendmail's program mailer facility can
   be restricted by using the sendmail restricted shell program (smrsh).

   Information on known sendmail vulnerabilities and the smrsh tool can be
   obtained from

 ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
 ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supplement

 ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities

 ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability

 ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul

 ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul


   The smrsh program can be obtained from:

 ftp://info.cert.org/pub/tools/smrsh/

   smrsh is also included in the sendmail 8.7.5 distribution.


7. NFS and NIS attacks, and automated tools to scan for vulnerabilities

   We receive weekly reports of intruders using automated tools to scan
   sites for hosts that may be vulnerable to NFS and NIS attacks.
   Intruders are continuing to exploit the rpc.ypupdated vulnerability to
   gain root access, and intruders are still exploiting widely known
   vulnerabilities in NFS to gain root access.

   For related information, see

 ftp://info.cert.org/pub/cert_advisories/CA-95:17.rpc.ypupdated.vul

 ftp://info.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities

 ftp://info.cert.org/pub/cert_advisories/CA-92:13.SunOS.NIS.vulnerability


What's New at the CERT Coordination Center
- ------------------------------------------

The CERT Coordination Center has a new Web site. It includes
information on Internet security and has a link to the CERT FTP
archive.

 http://www.cert.org


What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (January 23,
1996). 

* New Additions

ftp://info.cert.org/pub

     incident_reporting_form v.3    (replaced v.2 with v.3)

ftp://info.cert.org/pub/cert_advisories

     CA-96.01.UDP_service_denial
     CA-96.02.bind
     CA-96.03.kerberos_4_key_server
     CA-96.04.corrupt_info_from_servers
     CA-96.05.java_applet_security_mgr
     CA-96.06.cgi_example_code

ftp://info.cert.org/pub/cert_bulletins

     VB-96.01.splitvt
     VB-96.02.sgi
     VB-96.03.sun
     VB-96.04.bsdi

ftp://info.cert.org/pub/FIRST

     conference.info

ftp://info.cert.org/pub/tech_tips

     root_compromise     

ftp://info.cert.org/pub/tools

     /cpm/*                         (replaced older version with v.1.2)
     /sendmail/sendmail.8.7.5       (replaced older version)
     /tcp_wrappers/tcp_wrappers_7.3 (replaced older version)
     /sendmail/smrsh/*              (replaced older version with v.8.4)

ftp://info.cert.org/pub/vendors

     /sgi/SGI_contact_info


* Updated Files 

ftp://info.cert.org/pub

     cert_faq            (version 10.2)

ftp://info.cert.org/pub/cert_advisories

     CA-94:01     (added info about cpm v.1.2)
     CA-95:13     (added info from sendmail author and Cray; added
                          info from HP and Sun)
     CA-95:14     (added info from NEC Corp and Silicon Graphics)
     CA-95:17     (added info from IBM)
     CA-96.01     (new URL for Argus; added info from Silicon Graphics)
     CA-96.02     (added info from IBM, Solbourne, and Silicon 
                          Graphics)
     CA-96.03     (added new checksums and patch info; added
                          info from Transarc and TGV Software, Inc.)
     CA-96.04     (added info from Silicon Graphics)
     CA-96.05     (added pointer to Netscape 2.01)
     rdist-patch-status  (added pointer to version 6.1.2)

ftp://info.cert.org/pub/vendors

     /hp/HP.contact.info


-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT(sm) Summary CS-96.03
May 22, 1996


We have changed the way we sign CERT publications.
Before May 20, 1996, we put our PGP signature in a separate .asc file,
which was available for anonymous FTP.

As of May 20, 1996, the CERT PGP signature is in the document itself.
CS-96.03 (this summary), VB-96.06, and VB-96.07 are signed this way. The first
advisory to be signed this way will be CA-96.10, which has not yet been
released.

In addition, we have removed the .asc files from past publications and
re-signed them in the text.

You can get the CERT public key from PGP Public Key Servers and from
     ftp://info.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------

Recent Activity
- ---------------

Since the March CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Password files and cracking

We have seen an increase in incidents in which intruders obtain
password files from sites and then try to compromise accounts by
cracking passwords. Once intruders gain access to a user account, they
attempt to gain root access through a cracked root password or by
exploiting another vulnerability.

These incidents point to the need for system administrators to address
three areas:

        - Protect your password file so an intruder cannot obtain a
          copy of it.

        - Ensure that good passwords are selected so that they cannot
          easily be cracked, or use a technology where passwords
          are not located in the password file.

        - Ensure that you are up to date with security patches and
          workarounds and watch for unusual activity.

To learn more about these problems, see the following file:

ftp://info.cert.org/pub/tech_tips/passwd_file_protection
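
An added example, not from the tech tip, that audits passwd-format records for the first two points above: a hash left in the world-readable password file (no shadow scheme), an empty password field, and, as a related check, extra UID 0 accounts. The sample records are constructed.

```python
import os
import stat

# Constructed sample; a real run reads /etc/passwd (and checks /etc/shadow).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:backup root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$abcdefghijklmnopqrstuv:1001:1001:Bob:/home/bob:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
"""

def parse_passwd(text):
    """Yield (name, password field, uid) for each well-formed 7-field record."""
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            continue
        yield fields[0], fields[1], int(fields[2])

def audit_passwd(text):
    """Return a list of (account, problem) findings."""
    findings = []
    for name, pw, uid in parse_passwd(text):
        if pw == "":
            findings.append((name, "empty password field: login needs no password"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # Anything else is a hash sitting in the world-readable passwd
            # file, i.e. this account is not protected by a shadow scheme.
            findings.append((name, "password hash stored in passwd, not shadowed"))
        if uid == 0 and name != "root":
            findings.append((name, "additional UID 0 account"))
    return findings

def shadow_readable_by_all(path="/etc/shadow"):
    """True if the shadow file exists but anyone on the host can read it."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & stat.S_IROTH)

if __name__ == "__main__":
    for account, problem in audit_passwd(SAMPLE_PASSWD):
        print("%-8s %s" % (account, problem))
    if shadow_readable_by_all():
        print("/etc/shadow is world readable")
```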


2. Linux machines

We have seen an increase in break-ins and root compromises of Linux
machines. In some cases, the intruders are installing packet sniffers
on Linux machines. If you use Linux on your machines,
we recommend that you keep up to date with patches and security
workarounds. We also recommend that you review

ftp://info.cert.org/pub/cert_advisories/CA-94:01.ongoing.network.monitoring.attacks

The advisory describes sniffers, suggests approaches for addressing
the problem, and contains information that was added after the
advisory was issued.

We also recommend that you monitor the Linux newsgroups and mailing
lists for security patches and workarounds. Additionally, a World Wide
Web page that some sites reference is

http://bach.cis.temple.edu/linux/linux-security

Note that this reference should not be construed as a formal
endorsement of the page or its contents. We are simply including it in
this summary so that our readers are aware of its existence; you may
evaluate it as appropriate to your situation.


3. Machines being probed to find known vulnerabilities

We continue to get reports of machines being probed for known vulnerabilities.
In many cases, these sites did not have up-to-date security patches and the
machines were compromised at the root level.

In some cases, the intruders are using the Internet Security Scanner (ISS).
These intruders frequently use ISS on a large range of IP addresses and then
use the information collected to compromise vulnerable computers.

So that you can determine if your machines are vulnerable to the problems that
ISS examines, you may wish to run ISS against your own site (in accordance
with your organization's policies and procedures). ISS is available from

ftp://info.cert.org/pub/tools/iss/iss13.tar

We also encourage you to take relevant steps discussed in these documents:

ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner
ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
ftp://info.cert.org/pub/tech_tips/packet_filtering


4. Mail spoofing and mail bombing

We have seen a large increase in the number of reports concerning
email spoofing, bombing, and spamming. To learn more about dealing
with these issues, see the files:

ftp://info.cert.org/pub/tech_tips/email_bombing_spamming
ftp://info.cert.org/pub/tech_tips/email_spoofing



What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (March 26,
1996).

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.07.java_bytecode_verifier
    CA-96.08.pcnfsd
    CA-96.09.rpc.statd

ftp://info.cert.org/pub/cert_bulletins/

    VB-96.05.dec
    VB-96.06.freebsd
    VB-96.07.freebsd

ftp://info.cert.org/pub/tech_tips

    root_compromise
    anonymous_ftp_abuses
    email_bombing_spamming
    email_spoofing
    passwd_file_protection


* Updated Files

ftp://info.cert.org/pub/cert_advisories/

    CA-94:04
    CA-94:09
    CA-95:01 (added a pointer to Argus)
    CA-95:13
    CA-96.02
    CA-96.06 (added info from another response team)
    CA-96.07 (added a pointer to Netscape 2.02)
    CA-96.08 (updated fix info that was in the original Appendix B)
    CA-96.09 (added info from TGV/Cisco, a workaround for SunOS 4.s,
                     and a clarification)
    CA-96.13 (added info from the Santa Cruz Operation)

ftp://info.cert.org/pub/tech_tips

    anonymous_ftp_config (file name changed)

ftp://info.cert.org/pub/tools

    /ValidateHostname (replaced older version of IsValid.c and updated the
                       README)

ftp://info.cert.org/pub/vendors

    /sgi/SGI_contact_info (added URL for SGI Security Web pages)


Keeping Current
- ---------------
Often during the course of our work, we learn about software upgrades
that fix security problems. In a new section of our FTP archive we
list these upgrades, their sources, and their MD5 checksums.

ftp://info.cert.org/pub/latest_sw_versions/

If you use any of the software listed in this directory, we recommend
that you upgrade to the current versions. Among other changes, these
new versions address security weaknesses present in previous versions.

If you have any questions about the software listed in this directory,
please contact the vendor for more information.


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------
CERT(sm) Summary CS-96.04
July 23, 1996

- ---------------------------------------------------------------------------


Increasing Sophistication of Intruder Community Expertise
- ---------------------------------------------------------

In earlier summaries, we noted that the intruder community was
analyzing operating system source code to develop increasingly
sophisticated and effective exploitation techniques. The intruder
community is now developing new techniques to analyze programs for
potential vulnerabilities even in the absence of source code. This can
be done with a tool that traces system calls and subroutine calls
within a program, thus allowing a person to match such calls against
command line parameters.

Although there is little that sites can do in direct response to this
information, it does highlight the importance of staying up to date
with security patches and workarounds for your operating systems and
applications.


Operating System Concerns
- -------------------------

We receive reports relating to incident activity from many different
sites using a wide variety of operating systems. Because of problems
we see that directly relate to operating systems, we felt it
worthwhile to make a few observations about choosing an operating
system. For information on this subject, see

  ftp://info.cert.org/pub/tech_tips/choose_operating_sys


Forged Advisories
- -----------------

Occasionally, we see forged advisories on various newsgroups or other
distribution lists. If you have the Pretty Good Privacy (PGP) program,
you can determine whether or not an advisory is genuine by checking
the PGP signature.

We use PGP to sign all our advisories. To verify that a CERT advisory
is authentic,

  1. Get the CERT public key from

       ftp://info.cert.org/pub/CERT_PGP.key

  2. Verify the authenticity of the document by checking the PGP
     signature. To do this, enter the following command:

       % pgp <filename>

     You should see a message that includes the statement

       Good signature from user "CERT Coordination Center <cert@cert.org>".
       Signature made <date>
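
An added example (not CERT's procedure) of the same check done with GnuPG, which has replaced PGP 2.6.2 at most sites: "Good signature from user ..." proves only that some key carrying that user ID signed the file, so the script also pins the fingerprint reported in the VALIDSIG status line to the key fetched from the CERT key location. The fingerprint constant is a placeholder and the status output is constructed.

```python
import subprocess

# Placeholder: replace with the fingerprint of the key obtained from
# ftp://info.cert.org/pub/CERT_PGP.key and checked through a second channel.
EXPECTED_FPR = "0000000000000000000000000000000000000000"

def parse_status(status_text):
    """Reduce gpg --status-fd output to the fields a verifier needs."""
    info = {"good": False, "bad": False, "fingerprint": None, "uid": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line[len("[GNUPG:] "):].split(" ", 2)
        keyword = parts[0]
        if keyword == "GOODSIG":
            # GOODSIG <long key id> <user id>; the user id is free text
            info["good"] = True
            info["uid"] = parts[2] if len(parts) > 2 else None
        elif keyword == "VALIDSIG":
            # VALIDSIG <fingerprint> <date> <timestamp> ...; the fingerprint
            # identifies the key, which is what must be pinned
            info["fingerprint"] = parts[1].upper()
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY",
                         "EXPKEYSIG", "REVKEYSIG"):
            info["bad"] = True
    return info

def signature_accepted(status_text, expected_fpr=EXPECTED_FPR):
    """Accept only a good signature made by the pinned key."""
    info = parse_status(status_text)
    return (info["good"] and not info["bad"]
            and info["fingerprint"] == expected_fpr.upper())

def verify_file(path, expected_fpr=EXPECTED_FPR):
    """Run gpg on a signed file; returns (accepted, parsed status)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return signature_accepted(proc.stdout, expected_fpr), parse_status(proc.stdout)

# Constructed status output in the layout GnuPG documents for --status-fd.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF CERT Coordination Center <cert@cert.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 1996-07-23 838080000 0 4 0 1 2 01 0000000000000000000000000000000000000000
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
# A key anyone could generate with the same user ID string.
SAMPLE_LOOKALIKE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 CERT Coordination Center <cert@cert.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 1996-07-23 838080000 0 4 0 1 2 01 1111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    for label, text in (("pinned key", SAMPLE_GOOD), ("look-alike key", SAMPLE_LOOKALIKE)):
        print(label, "->", "accepted" if signature_accepted(text) else "rejected")
```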



Recent Activity and Trends
- --------------------------

Since the May CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Linux root compromises

At least once a week we see reports of Linux machines that suffer
break-ins leading to root compromises. In many of these incidents, the
systems were misconfigured, and/or the intruders exploited well-known
vulnerabilities (for which CERT advisories have been published); the
intruders then installed Trojan horse programs and/or network
monitoring programs (packet sniffers).

If you are running Linux, we strongly urge you to keep up to date with
patches and security workarounds. We recommend that you also review

  ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at

  http://bach.cis.temple.edu/linux/linux-security/


2. Telnetd in Linux systems

We have noticed an increase in the exploitation of a vulnerability in
the telnetd environment on unpatched Linux-based systems. If you have
not patched your system(s) for this vulnerability, we urge you to
review CERT advisory CA-95:14 and install the patch or workaround
provided.

  ftp://info.cert.org/pub/cert_advisories/CA-95:14.Telnetd_Environment_Vulnerability


3. Password Cracking

We continue to receive daily reports of unauthorized site access as a
result of compromised accounts and/or "cracked" passwords. For
information about protecting your password files, please see

  ftp://info.cert.org/pub/tech_tips/passwd_file_protection


4. Sendmail attacks

Although discussed in previous summaries, we continue to receive
reports each week about intruders who attempt to exploit sendmail
vulnerabilities. We have published several advisories on sendmail. If
you have not addressed the vulnerabilities in sendmail, we urge you to
review these advisories and take appropriate action. All advisories,
including sendmail advisories, can be found at

  ftp://info.cert.org/pub/cert_advisories/

In many of these attempts, intruders are trying to obtain
password files. For information on protecting your password files, see

  ftp://info.cert.org/pub/tech_tips/passwd_file_protection

We have had many questions about when to use the sendmail restricted
shell program (smrsh). You should run smrsh with any UNIX system that
is running sendmail, regardless of vendor or version.

smrsh is now included as part of the current sendmail distribution
(effective with version 8.7.1). We strongly urge you to upgrade to the
latest version of sendmail. See

  ftp://info.cert.org/pub/latest_sw_versions/sendmail


5. cgi-bin vulnerabilities

Since our last summary, we've seen an increase in the number of
reports relating to vulnerabilities in cgi-bin programs. Any cgi-bin
program that relies on escape_shell_cmd() to prevent exploitation of
shell-based library calls may be vulnerable to attack. For more
information about cgi-bin vulnerabilities and patches, please see

  ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

There have been discussions in several public forums about the problem
of general-purpose interpreters being placed in the cgi-bin directory.
If these interpreters are accessible in the cgi-bin directory of a Web
server, then a remote user can execute any command the interpreters
can execute on that server. For more details and patch information,
see

  ftp://info.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir
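
An added example (not code from CA-96.06 or CA-96.11) of the defensive side of both points: a CGI helper that validates input against an allowlist and runs the program with an argument vector and no shell, instead of escaping metacharacters, plus an audit that flags interpreters found in a cgi-bin directory. The interpreter name list and the sample directory are assumptions.

```python
import os
import re
import subprocess
import tempfile

# Accept only a plain account name; anything else is rejected, not escaped.
USERNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,31}$")

# Assumed list of general-purpose interpreters that must not sit in cgi-bin.
INTERPRETERS = {"perl", "perl.exe", "sh", "bash", "dash", "csh", "tcsh", "ksh",
                "tclsh", "wish", "python", "awk", "gawk", "cmd.exe"}

def input_is_safe(value):
    return bool(USERNAME_RE.match(value))

def build_argv(program, value):
    """argv for subprocess; no shell is involved, so no metacharacter matters."""
    if not input_is_safe(value):
        raise ValueError("rejected input: %r" % value)
    return [program, value]

def run_lookup(program, value):
    """Run the helper program directly (shell=False) and return its stdout."""
    proc = subprocess.run(build_argv(program, value), stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, text=True, timeout=10)
    return proc.stdout

def find_interpreters(cgi_dir):
    """Names in cgi_dir that are, or link to, a known interpreter binary."""
    found = []
    for name in sorted(os.listdir(cgi_dir)):
        target = os.path.basename(os.path.realpath(os.path.join(cgi_dir, name)))
        if name.lower() in INTERPRETERS or target.lower() in INTERPRETERS:
            found.append(name)
    return found

def demo_cgi_dir():
    """Constructed cgi-bin: two scripts, a copied perl, and a link to it."""
    d = tempfile.mkdtemp()
    for name in ("Count.cgi", "lookup.cgi", "perl"):
        with open(os.path.join(d, name), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    os.symlink("perl", os.path.join(d, "run"))
    return find_interpreters(d)

if __name__ == "__main__":
    print(run_lookup("echo", "alice"), end="")
    for value in ("alice; id", "$(id)"):
        print("rejected" if not input_is_safe(value) else "accepted", repr(value))
    print("interpreters in constructed cgi-bin:", demo_cgi_dir())
```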


6. Mail spamming/spoofing attacks

We receive at least three incidents each week of mail spamming and/or
spoofing attacks. For information on responding to and recovering from such
activity, see

  ftp://info.cert.org/pub/tech_tips/email_bombing_spamming
  ftp://info.cert.org/pub/tech_tips/email_spoofing



What's New in the CERT FTP Archive
- ----------------------------------

We have made the following changes since the last CERT Summary (May 22, 1996).


* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.10.nis+_configuration
    CA-96.11.interpreters_in_cgi_bin_dir
    CA-96.12.suidperl_vul
    CA-96.13.dip_vul

ftp://info.cert.org/pub/cert_bulletins/

    VB-96.08.sgi
    VB-96.09.freebsd
    VB-96.10.sco
    VB-96.11.freebsd

ftp://info.cert.org/pub/tech_tips/

    choose_operating_sys                Things to consider when choosing an
                                        operating system for your site

ftp://info.cert.org/pub/tools/

    ifstatus                            Added the ifstatus program

ftp://info.cert.org/pub/vendors/

    sun/sun_bulletin_00135              Added bulletin from Sun
                                        Microsystems, Inc.

    dec/dec-96.0383                     Added bulletin from Digital
                                        Equipment Corporation


* Updated Files

ftp://info.cert.org/pub/cert_advisories/

    CA-95:13                            Added vendor information for Digital
                                        Equipment Corporation and Silicon
                                        Graphics, Inc.

    CA-96.04                            Added information about the next
                                        release of BIND

    CA-96.08                            Added vendor information for Digital
                                        Equipment Corporation, NEC
                                        Corporation, and Data Design Systems,
                                        Inc. Added patch information for
                                        FreeBSD, Inc.

    CA-96.09                            Added vendor information for Digital
                                        Equipment Corporation. Added pointers
                                        to Silicon Graphics, Inc. release notes
                                        and Sun Microsystems, Inc. patches

    CA-96.12                            Added vendor information for FreeBSD,
                                        NEC Corporation, and Digital Equipment
                                        Corporation

ftp://info.cert.org/pub/FIRST/

    first-contacts                      Updated contact information


ftp://info.cert.org/pub/latest_sw_versions/

    bind                                Added pointer to version 4.9.4
    ifstatus                            Added pointer to ifstatus

If you use any of the software listed in this directory, we recommend
that you upgrade to the current versions. Among other changes, these
new versions address security weaknesses present in previous versions.

If you have any questions about the software listed in this directory,
please contact the vendor for more information.


- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMhCusnVP+x0t4w7BAQF2YAQAzS5ioLEfcEmbAkqldMFuIK22VhyDHF1j
2oDoYNEoXVbxvCG4P2hsQBfLY7gYPDBcQmAtQENre4KgewCChhvcwOLYtHHXWH/j
kwNZbmU4ymPFB4VpJ8VuMDvkWXid7loNbYGaxohUsp3tMM8LubmeAMYgFtt5ot2y
wZR8k/9jwzo=
=BZOQ
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----

CERT(sm) Summary CS-96.05
September 24, 1996

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------


Clarification to CS-96.04
- -------------------------

In our previous CERT Summary, we said that the intruder community is
developing new techniques and tools to analyze programs for potential
vulnerabilities even in the absence of source code. We did not mean to imply
that all developers of these techniques in the wider technical community are
members of the intruder community, nor that they intend their work to be used
by the intruder community.


Recent Activity and Trends
- --------------------------

Since the July CERT Summary, we have noticed these trends in incidents
reported to us.

1. Denial of Service Attacks

Instructions for executing denial-of-service attacks and programs to
implement such attacks have recently been widely distributed. Since
this information was published, we have noticed a significant and
rapid increase in the number of denial-of-service attacks executed
against sites.

To learn more about denial-of-service attacks and how to limit them,
see

  ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

To monitor and log an attack, you can use a tool such as Argus. For
more information regarding Argus, see

  ftp://info.cert.org/pub/tech_tips/security_tools
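
The following C program is an added example (not from CA-96.21, and not
Argus code) of what a monitoring tool has to compute to recognise a SYN
flood: the number of half-open connections per service port, that is,
client SYNs never followed by the client's completing ACK or by an RST.
It runs over a constructed capture log; the record layout, function
names, the table size and the alert threshold are assumptions of this
example.

```c
/* Added example, not from CA-96.21 and not Argus: a minimal half-open
 * (embryonic) connection tracker of the kind a site can run over a
 * packet or flow log to recognise a SYN flood. The record layout,
 * function names and the sample traffic are this example's own. */
#include <stdio.h>
#include <string.h>

enum { F_SYN = 1, F_ACK = 2, F_RST = 4 };

/* One client-to-server TCP segment as it might appear in a capture log. */
struct pkt {
    const char *src;          /* client address, as text */
    unsigned short sport;     /* client port */
    unsigned short dport;     /* server port */
    int flags;                /* bitmask of F_SYN, F_ACK, F_RST */
};

#define MAX_TRACK 256

struct entry {
    char src[40];
    unsigned short sport;
    int open;                 /* 1 while SYN seen but not completed/aborted */
};

/* Count connections to `dport` still half-open at the end of the log:
 * a client SYN opens an entry, a later client ACK or RST for the same
 * (src, sport) closes it. Server-side segments are not needed. */
int count_half_open(const struct pkt *pkts, size_t n, unsigned short dport)
{
    struct entry tbl[MAX_TRACK];
    size_t used = 0;

    for (size_t i = 0; i < n; i++) {
        const struct pkt *p = &pkts[i];
        if (p->dport != dport)
            continue;
        size_t j;
        for (j = 0; j < used; j++)
            if (tbl[j].sport == p->sport && strcmp(tbl[j].src, p->src) == 0)
                break;
        if ((p->flags & F_SYN) && !(p->flags & F_ACK)) {
            if (j == used) {                 /* new entry */
                if (used == MAX_TRACK)
                    continue;                /* table full: drop, as a kernel would */
                snprintf(tbl[j].src, sizeof tbl[j].src, "%s", p->src);
                tbl[j].sport = p->sport;
                used++;
            }
            tbl[j].open = 1;
        } else if (j < used && (p->flags & (F_ACK | F_RST))) {
            tbl[j].open = 0;                 /* handshake completed or aborted */
        }
    }
    int open = 0;
    for (size_t j = 0; j < used; j++)
        open += tbl[j].open;
    return open;
}

/* Constructed sample log: two well-behaved clients on port 80, one on
 * port 25, and a burst of SYNs from TEST-NET (192.0.2.0/24) sources
 * that never complete the handshake. */
static const struct pkt SAMPLE[] = {
    { "10.0.0.5",  1025,  80, F_SYN },
    { "10.0.0.5",  1025,  80, F_ACK },       /* completes handshake */
    { "10.0.0.6",  2001,  80, F_SYN },
    { "10.0.0.6",  2001,  80, F_RST },       /* aborted by client */
    { "10.0.0.7",  3000,  25, F_SYN },
    { "10.0.0.7",  3000,  25, F_ACK },
    { "192.0.2.1", 40001, 80, F_SYN },
    { "192.0.2.2", 40002, 80, F_SYN },
    { "192.0.2.3", 40003, 80, F_SYN },
    { "192.0.2.4", 40004, 80, F_SYN },
    { "192.0.2.5", 40005, 80, F_SYN },
    { "192.0.2.6", 40006, 80, F_SYN },
    { "192.0.2.7", 40007, 80, F_SYN },
    { "192.0.2.8", 40008, 80, F_SYN },
    { "192.0.2.9", 40009, 80, F_SYN },
};

int sample_half_open(unsigned short dport)
{
    return count_half_open(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], dport);
}

/* Flag a port once half-open connections reach `threshold`; a real
 * monitor would evaluate this per time window and log or alert. */
int sample_flood_suspected(unsigned short dport, int threshold)
{
    return sample_half_open(dport) >= threshold;
}

int main(void)
{
    printf("half-open to port 80: %d (flood suspected: %d)\n",
           sample_half_open(80), sample_flood_suspected(80, 8));
    printf("half-open to port 25: %d\n", sample_half_open(25));
    return 0;
}
```

Because the flood sources never answer, the half-open count on port 80
stays high while ordinary clients' entries close within a few segments;
that gap, tracked per window, is the signal a site logs and acts on.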


2. Continuing Linux Exploitations

We continue to see incidents in which Linux machines are the victims
of break-ins leading to root compromises. In many of these incidents,
the systems were misconfigured and/or the intruders exploited
well-known vulnerabilities for which CERT advisories have been
published.

If you are running Linux, we strongly urge you to keep up to date with
patches and security workarounds. We also recommend that you review

  ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
  ftp://info.cert.org/pub/tech_tips/root_compromise

Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at

  http://bach.cis.temple.edu/linux/linux-security/


3. PHF Exploits

At least weekly, and often daily, we see reports of password files
being obtained illegally by intruders who have exploited a
vulnerability in the PHF cgi-bin script. The script is installed by
default with several implementations of httpd servers, and it contains
a weakness that allows intruders to retrieve the password file for the
machine running the httpd server. The vulnerability is described in

  ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

Once the intruders retrieve the password file, they may attempt to
crack the passwords found in the file. For information about
protecting your password files, please see

  ftp://info.cert.org/pub/tech_tips/passwd_file_protection


4. Software Piracy

We have received frequent reports regarding software piracy since the
last CERT Summary was issued. Although software piracy is beyond the
scope of the mission of the CERT Coordination Center, it is often
associated with compromised hosts or accounts because intruders
sometimes use compromised hosts to distribute pirated software. News
of illegal collections of software circulates quickly within the
underground community, which may focus unwanted attention on a site
used for software piracy.

We encourage you to periodically check your systems for signs of
software piracy. To learn more, please examine our relevant tech tips:

  ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses
  ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config

To learn more about detecting and preventing security breaches, please see

  ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist



- ----------------------------------
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (July 23,
1996).

* README Files Incorporated into Advisories

As of August 30, 1996, we no longer put advisory updates into README files. We
now revise the advisories themselves. In addition, we have updated past
advisories with information from their README files. We urge you to check
advisories regularly for updates that relate to your site.

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.14.rdist_vul
    CA-96.15.Solaris_KCMS_vul
    CA-96.16.Solaris_admintool_vul
    CA-96.17.Solaris_vold_vul
    CA-96.18.fm_fls
    CA-96.19.expreserve
    CA-96.20.sendmail_vul
    CA-96.21.tcp_syn_flooding

ftp://info.cert.org/pub/cert_bulletins/

    VB-96.12.freebsd
    VB-96.13.hp
    VB-96.14.sgi
    VB-96.15.sco
    VB-96.16.transarc

ftp://info.cert.org/pub/latest_sw_versions

    swatch

ftp://info.cert.org/pub/tech_tips

    UNIX_configuration_guidelines       These replace the security_info file
    intruder_detection_checklist        (the CERT Security Checklist).
    security_tools

ftp://info.cert.org/pub/vendors/

    hp/HPSBUX9607-033                   Added Hewlett-Packard bulletin about a
                                        security vulnerability in expreserve.



* Updated Files

ftp://info.cert.org/pub/cert_advisories/

    CA-96.02.bind                       In the appendix, updated Sun
                                        Microsystems, Inc. patch information.
                                        In section I, added information about
                                        the next release of bind and the
                                        IsValid program.

    CA-96.08.pcnfsd                     Updated URL for IBM Corporation,
                                        updated Hewlett-Packard Company patch
                                        information, and modified NEC
                                        Corporation patch information.

    CA-96.09.rpc.statd                  Updated URL for IBM Corporation,
                                        removed a workaround for SunOS 4.x
                                        (patches now available), updated
                                        information on Hewlett-Packard
                                        Company, and added patch information
                                        for NEC Corporation. Also updated
                                        opening paragraph.

    CA-96.14.rdist_vul                  In Appendix A, added note under
                                        Silicon Graphics, Inc. about using the
                                        find command, updated the
                                        Hewlett-Packard Company entry, added
                                        information about Digital Equipment
                                        Corporation, and added an IBM
                                        Corporation URL.

    CA-96.15.Solaris_KCMS_vul           In Introduction, added information
                                        about Solaris 2.5.1.

    CA-96.18.fm_fls                     Added vendor information to Appendix A.
                                        Added Section III.B, which provides
                                        another possible solution to the
                                        problem.

    CA-96.19.expreserve                 In Appendix A, added information for
                                        Silicon Graphics Inc. and Sun
                                        Microsystems, Inc.

    CA-96.20.sendmail_vul               Added to Sec. III.B instructions on
                                        configuring sendmail at sites that use
                                        '&' in the gecos field of /etc/passwd.
                                        Added to Sec. III.C a note on uid for
                                        "mailnull" user. In the appendix, added
                                        information from FreeBSD, Inc. and
                                        Berkeley Software Design, Inc. (BSDI).

ftp://info.cert.org/pub/FIRST

    first-contacts

ftp://info.cert.org/pub/latest_sw_versions

    rdist-patch-status                  Updated Hewlett-Packard Company and
                                        NeXT Software, Inc. information.
                                        Updated rdist version information in
                                        Section II.G.
    sendmail


ftp://info.cert.org/pub/tech_tips

    root_compromise





-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMkhCfHVP+x0t4w7BAQFR5gQAtYvbKLJAbTzfRizblM9mbl/4oLfnsqdQ
HcX8KKDNAtVd2DWKGEsq7U7v9w8KyzDtVpRFba8VSsVmpzixzxnbZSifwyfkcuX9
x2xbQ1SVWBjep399HkbYtS0Y3C0RdCo9p/uxdB5/GkZqD3NMdPoBvFf+j/H6376w
tDcheNKNobk=
=DZgd
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----

CERT(sm) Summary CS-96.6
November 26, 1996

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
- ----------------------------------------------------------------------------


Recent Activity
- ---------------

Since the September CERT Summary, we have noticed these continuing trends
in incidents reported to us.

1. cgi-bin/phf Exploits

We continue to see frequent reports of attempts to exploit the vulnerability
in the CGI example program "phf".  The phf program, which is installed by
default with several implementations of httpd servers, contains a weakness
that can allow intruders to execute arbitrary commands on the server.  The
most common attack involves an attempt to retrieve the httpd server's
/etc/passwd file, and sample scripts for exploiting this vulnerability in phf
have been widely posted on the Internet.

While we are encouraged to see that the majority of the recently reported
attacks have failed (because the attacked sites had already removed the phf
program), the steady reports of continuing attacks indicate that these phf
exploits are still being widely attempted.

For more information about this vulnerability, see

  ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

For related information about protecting your password files, please see

  ftp://info.cert.org/pub/tech_tips/passwd_file_protection
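
For the password-file exposure behind both the PHF reports in CS-96.05 and
the phf attempts above, here is an added C example (not from the
passwd_file_protection tech tip) of an audit a site can run over its own
/etc/passwd: it flags accounts whose password hash is stored in the
world-readable file rather than in a shadow file, accounts with an empty
password field, and uid 0 accounts other than root. The field layout
follows the seven-field passwd format; the check names, the sample lines
and the placeholder hash are constructed for this example.

```c
/* Added example, not from the CERT tech tip: an audit of /etc/passwd
 * lines for the exposures the passwd_file_protection tip concerns.
 * Reads the 7-field passwd format (name:passwd:uid:gid:gecos:dir:shell)
 * and reports accounts whose password field holds a real hash (not
 * shadowed), is empty, or whose uid is 0 under a name other than root.
 * Names, sample lines and the placeholder hash are this example's own. */
#include <stdio.h>
#include <string.h>

enum { A_UNSHADOWED = 1, A_EMPTY_PW = 2, A_EXTRA_UID0 = 4 };

/* Split one passwd line into its 7 colon-separated fields in place;
 * empty fields are preserved (strtok would merge them). Returns the
 * number of fields found, 7 for a well-formed line. */
static int split_passwd(char *line, char *fields[7])
{
    int n = 0;
    char *p = line;
    while (n < 7) {
        fields[n++] = p;
        char *c = strchr(p, ':');
        if (!c)
            break;
        *c = '\0';
        p = c + 1;
    }
    return n;
}

/* Return a bitmask of A_* findings for one passwd line, 0 if clean,
 * -1 if the line is malformed. */
int audit_passwd_line(const char *line_in)
{
    char line[512];
    snprintf(line, sizeof line, "%s", line_in);
    line[strcspn(line, "\n")] = '\0';
    char *f[7];
    if (split_passwd(line, f) != 7)
        return -1;
    int findings = 0;
    const char *pw = f[1];
    if (pw[0] == '\0')
        findings |= A_EMPTY_PW;          /* no password at all */
    else if (strcmp(pw, "x") != 0 && pw[0] != '*' && pw[0] != '!')
        findings |= A_UNSHADOWED;        /* hash readable by every user */
    if (strcmp(f[2], "0") == 0 && strcmp(f[0], "root") != 0)
        findings |= A_EXTRA_UID0;        /* second superuser account */
    return findings;
}

/* Walk a whole passwd file held in memory and count flagged accounts. */
int count_flagged_accounts(const char *text)
{
    int flagged = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0 && audit_passwd_line(line) > 0)
            flagged++;
        p = nl ? nl + 1 : p + len;
    }
    return flagged;
}

/* Constructed sample file; "Ab3dEfGh1jKlM" is a placeholder in the
 * 13-character traditional crypt(3) shape, not a real hash. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:*:1:1:daemon:/usr/sbin:/bin/false\n"
    "jdoe:x:1001:100:John Doe:/home/jdoe:/bin/csh\n"
    "guest::1002:100:Guest:/home/guest:/bin/sh\n"                 /* empty */
    "oper:Ab3dEfGh1jKlM:1003:100:Operator:/home/oper:/bin/sh\n"   /* exposed */
    "toor:x:0:0:alt root:/root:/bin/sh\n";                        /* uid 0 */

int sample_flagged_accounts(void)
{
    return count_flagged_accounts(SAMPLE_PASSWD);
}

int main(void)
{
    printf("flagged accounts in sample: %d\n", sample_flagged_accounts());
    return 0;
}
```

On a live system the same loop reads /etc/passwd line by line; a non-zero
count for A_UNSHADOWED means that whatever discloses the file (phf or
anything else) also discloses hashes that can be attacked offline, which
is the case the tech tip's shadowing advice removes.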


2. Continuing Linux Exploits

We continue to see incidents in which Linux machines have been the victims
of root compromises. In many of these incidents, the compromised systems
were unpatched or misconfigured, and the intruders exploited well-known
vulnerabilities for which CERT advisories have been published.

If you are running Linux, we strongly urge you to keep current with all
security patches and workarounds. If your system has been root compromised,
we also recommend that you review

  ftp://info.cert.org/pub/tech_tips/root_compromise

Further, you may want to monitor the Linux newsgroups and mailing lists for
security patches and workarounds. More information can be found at

  http://bach.cis.temple.edu/linux/linux-security/


- ----------------------------------
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (September 24,
1996).

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.22.bash_vuls                  Addresses two problems with the GNU
                                        Project's Bourne Again SHell (bash):
                                        one in yy_string_get() and one in
                                        yy_readline_get().

    CA-96.23.workman_vul                Describes a vulnerability in the
                                        WorkMan compact disc-playing program
                                        that affects UNIX System V Release 4.0
                                        and derivatives and Linux systems.

    CA-96.24.sendmail.daemon.mode       Addresses a vulnerability that allows
                                        intruders to gain root
                                        privileges. Includes patch and upgrade
                                        information.



ftp://info.cert.org/pub/cert_bulletins/

    VB-96.17.linux                      Linux Security FAQ Update from
                                        Alexander Yuriev. Includes information
                                        about a mount/umount vulnerability.

    VB-96.18.sun                        Addresses vulnerabilities in the libc
                                        and libnsl libraries of Solaris 2.5
                                        (SunOS 5.5) and Solaris 2.5.1
                                        (SunOS 5.5.1) from Sun Microsystems,
                                        Inc. Includes patch information.


ftp://info.cert.org/pub/latest_sw_versions/

    bash                                Added information on bash 1.14.7.

    sendmail                            Added information on sendmail 8.8.3.



* Updated Files

ftp://info.cert.org/pub/

    Sysadmin_Tutorial.announcement      Added date of next course offering.


ftp://info.cert.org/pub/cert_advisories/

    CA-94:01.ongoing.network.monitoring.attacks
                                        Clarified introductory
                                        information. Added a pointer to the
                                        CERT tech tip on root compromises.

    CA-95:02.binmail.vulnerabilities    Removed Appendices B & C, which
                                        contained outdated information. In
                                        section B, added information that
                                        mail.local is now part of
                                        sendmail. Added a pointer to sendmail.

    CA-96.09.rpc.statd                  Updated information from Silicon
                                        Graphics Inc.

    CA-96.20.sendmail_vul               Added a pointer to CA-96.24.

    CA-96.21.tcp_syn_flooding           Revised second paragraph of
                                        introduction for clarity. Added new
                                        information for Silicon Graphics
                                        Inc. (SGI), Berkeley Software Design,
                                        Inc. (BSDI), Sun Microsystems, Inc.
                                        Revised appendix information on
                                        reserved private network
                                        numbers. Added pointer to information
                                        in ftp://info.cert.org/pub/vendors.

    CA-96.22.bash_vuls                  Added Appendix A containing
                                        information from IBM Corporation,
                                        LINUX, and Silicon Graphics,
                                        Inc. (SGI). Removed patch for problem
                                        in yy_readline_get, as the problem
                                        described for yy_string_get is not
                                        exploitable for yy_readline_get.


ftp://info.cert.org/pub/tools/mail.local/

    README                              Added information that mail.local is
                                        now a part of sendmail. Added a
                                        pointer to sendmail.


ftp://info.cert.org/pub/tools/sendmail/

    sendmail.8.8.3.patch
    sendmail.8.8.3.tar.Z
    sendmail.8.8.3.tar.gz
    sendmail.8.8.3.tar.sig


ftp://info.cert.org/pub/vendors/hp/

    HP.contact_info                     Replaced instructions for subscribing
                                        by email with the new URLs people must
                                        use.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMpoitXVP+x0t4w7BAQEp1gP/XK7WsKsoplL4F9YdMi9CyHCd/H1Qh3Nm
oyJDD9O19EPsCjeuFgBX5bGWb26L1MeuuCyEhV/5Z9Vf2R9wrPcOq3l+UeVjV/0t
SDwp/Y2R4uP+hdCzkDKk5Ryuzoxq3xj4TD0GNv8XRShQbUR2u05zFbzbyiH+ONh8
C7E1HKBP03M=
=nrOY
-----END PGP SIGNATURE-----
