---------------------------------------------------------------------------
CERT(sm) Summary CS-96.01
January 23, 1996

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our strategic
incident response staff. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated files
that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
---------------------------------------------------------------------------

Recent Activity
---------------

In the last two months we have seen the same types of activity that we
described in the CERT advisory CA-95:18 Widespread Attacks on Internet Sites.
If you have not yet taken steps to protect your site against the activities
described below, we urge you to do so as soon as possible.

Description

Intruders are doing the following:

 - using automated tools to scan sites for NFS and NIS vulnerabilities
 - exploiting the rpc.ypupdated vulnerability to gain root access
 - exploiting the loadmodule vulnerability to gain root access
 - installing Trojan horse programs and packet sniffers
 - launching IP spoofing attacks

Solution

The CERT staff urges you to immediately take the steps described in the
advisories and README files listed below. Note that it is important to check
README files as they contain updated information we received after the
advisory was published.

 a. Using automated tools to scan sites for NFS and NIS vulnerabilities

      * CA-94:15.NFS.Vulnerabilities
      * CA-94:15.README
      * CA-92:13.SunOS.NIS.vulnerability

 b. Exploiting the rpc.ypupdated vulnerability to gain root access

      * CA-95:17.rpc.ypupdated.vul
      * CA-95:17.README

 c. Exploiting the loadmodule vulnerability to gain root access

      * CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability
      * CA-95:12.sun.loadmodule.vul
      * CA-95:12.README

 d. Installing Trojan horse programs and packet sniffers

      * CA-94:01.ongoing.network.monitoring.attacks
      * CA-94:01.README

 e. Launching IP spoofing attacks

      * CA-95:01.IP.spoofing
      * CA-95:01.README

The CERT advisories and README files are available from
     ftp://info.cert.org/pub/cert_advisories

What's New in the CERT FTP Archive
----------------------------------

We have made the following changes since the last CERT Summary (November 28,
1995).

* New Additions

ftp://info.cert.org/pub/
     Sysadmin_Tutorial.announcement  (This CERT course will be given four
                                      times this year in Pittsburgh,
                                      Pennsylvania, USA.)

ftp://info.cert.org/pub/cert_advisories/
     CA-95:16.wu-ftpd.vul
     CA-95:17.rpc.ypupdated.vul
     CA-95:18.widespread.attacks

ftp://info.cert.org/pub/cert_bulletins/
     VB-95:10.elm
     VB-95:10a.elm    (listed additional FTP sites)

* Updated Files

ftp://info.cert.org/pub/
     cert_faq

ftp://info.cert.org/pub/cert_advisories/
     CA-95:13.README  (syslog - added info from Digital Equipment)
     CA-95:15.README  (SGI lp - added info)
     CA-95:16.README  (wu-ftpd - added clarification and Solaris 2.4 info)
     CA-95:17.README  (rpc.ypupdated - added vendor info for Digital & HP)

ftp://info.cert.org/pub/tech_tips/
     AUSCERT_checklist1.1  (replaced AUSCERT checklist version 1.0)

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
         cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.