CERT/CC Current Activity

-----Original Message-----
From: Jeffrey Letourneau [mailto:[log in to unmask]]
Sent: Tuesday, September 18, 2001 12:50 PM
To: [log in to unmask]; [log in to unmask]
Subject: CERT-CC Current Activity.htm

--------------------------------------------------------------------------------

CERT/CC Current Activity

The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC.

Last Reviewed: Tue Sep 18 10:20:45 EDT 2001

                                                     Date Added          Last Updated
a.. Increase in Port 80 (HTTP) scanning activity     18 September 2001   18 September 2001
a.. Computer virus alert hoax                        13 September 2001   13 September 2001
a.. W32/SirCam Malicious Code                        23 July 2001        17 August 2001
a.. Cache Corruption on Microsoft DNS Servers        31 August 2001      31 August 2001
a.. "Code Red" Related Activity                      2 August 2001       7 September 2001
a.. Exploitation of a buffer overflow in telnetd     30 July 2001        17 August 2001
a.. Scans and Probes                                 -                   17 August 2001

--------------------------------------------------------------------------

Increase in Port 80 (HTTP) scanning activity

This morning (September 18th) the CERT/CC started receiving reports of a massive increase in scanning directed at port 80 (HTTP). Reports indicate that this scanning activity is attempting to exploit systems previously compromised by Code Red II and/or the sadmind/IIS worm, as well as other known vulnerabilities in Microsoft Internet Information Server (IIS).
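As an added illustration of how a defender can pick this scanning out of ordinary web server logs (this code is not from the CERT/CC page; the log lines are constructed, and the function names and the simplified lenient-decoding model are my own), the following Python normalizes each request path the way the targeted servers decoded it, then flags any request that resolves to a directory traversal or to cmd.exe/root.exe. The request strings mirror the probe patterns this section goes on to list, plus the %255c double-encoded form:

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (Common Log Format), not taken from the CERT/CC
# page; the request paths mirror the probe patterns listed in its excerpt.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Sep/2001:10:21:05 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:10:21:06 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:10:21:06 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:10:21:07 -0400] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.9 - - [18/Sep/2001:10:22:00 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [18/Sep/2001:10:22:01 -0400] "GET /images/logo.gif HTTP/1.0" 200 2211
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SUSPICIOUS_FILES = {"cmd.exe", "root.exe"}


def lenient_utf8(data: bytes) -> str:
    """Simplified model (my assumption, not a reimplementation of IIS) of a
    lenient decoder: a two-byte lead (0xC0-0xDF) takes the next byte as its
    6-bit continuation whether or not that byte is a valid one, so the overlong
    sequences C0 AF and C1 9C come out as '/' and '\\'. Other bytes map
    straight to the same code point."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalize_path(target: str) -> str:
    """Canonical form of a request path: drop the query string, percent-decode,
    lenient UTF-8 decode, then decode once more (the double-decoding flaw, so
    %255c -> %5c -> '\\'), and finally treat '\\' as '/'."""
    path = target.split("?", 1)[0]
    text = lenient_utf8(unquote_to_bytes(path))
    text = lenient_utf8(unquote_to_bytes(text.encode("utf-8")))
    return text.replace("\\", "/")


def classify(line: str) -> list:
    """Reasons a log line looks like one of the IIS probes, or [] if clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    path = normalize_path(m.group("target"))
    basename = path.rsplit("/", 1)[-1].lower()
    reasons = []
    if "/../" in path or path.endswith("/.."):
        reasons.append("directory traversal after decoding")
    if basename in SUSPICIOUS_FILES:
        reasons.append("request for " + basename)
    return reasons


def scan_log(text: str) -> list:
    """Return (client_ip, reasons) for every line that matches a probe."""
    hits = []
    for line in text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((line.split(" ", 1)[0], reasons))
    return hits


if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip, "; ".join(reasons))
```

Matching on the decoded path rather than on the literal request string is the point: a filter keyed on the strings in the excerpt alone misses any new encoding of the same traversal, whereas the normalized form of every variant is the same "/../" sequence.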
Please see CERT Vulnerability Note VU#111677 for information on the type of vulnerability being exploited. The following is a log excerpt of this scanning activity:

    GET /scripts/root.exe?/c+dir
    GET /MSADC/root.exe?/c+dir
    GET /c/winnt/system32/cmd.exe?/c+dir
    GET /d/winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
    GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
    GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
    GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

The CERT/CC has also received reports of a possibly new piece of malicious code named "readme.exe" being sent via email. Preliminary analysis indicates that this file may be related to the increase in port 80 scanning activity.

Sites are encouraged to verify the state of security patches on all IIS servers and email client software. Administrators may also want to add filters to mail servers to block the "readme.exe" attachment. In addition, sites may wish to notify users of the existence of "readme.exe" and its potential threat.

--------------------------------------------------------------------------

Computer virus alert hoax

The CERT/CC has received several reports of an email in circulation on the Internet claiming that we have made an announcement regarding a new wave of computer viruses following the attacks in New York and Washington. We have no evidence to support this statement, and no such announcement has been made by the CERT/CC.

At this time we have not seen any significant increase in security incidents. Regardless of any specific threat, we continue to encourage users to exercise safe email practices, including caution when handling email attachments.

The CERT/CC takes great care to make sure that the information we publish is accurate and verifiable. Similarly, we encourage all users to verify any statements that may be attributed to us. All announcements to the CERT Advisory mailing list are cryptographically signed for verification purposes. Any CERT announcements would also be published on our web site (most often on our Current Activity page).

--------------------------------------------------------------------------

W32/SirCam Virus

The CERT/CC continues to receive a large number of reports of a piece of malicious code known as W32/SirCam. W32/SirCam arrives in email with the following characteristics:

    Subject:  (same as the name of the attached file)

    Body of English version:
        (first line)  Hi! How are you?
        (last line)   See you later. Thanks

    Body of Spanish version:
        (first line)  Hola como estas?
        (last line)   Nos vemos pronto, gracias.

    Attachment:  A random filename with a double extension (like example.doc.bat)

Detailed information about W32/SirCam can be found in CERT Advisory CA-2001-22 or by visiting the sites listed on our Computer Virus Resources page. Users are strongly encouraged to visit their anti-virus vendor's website for information on how to properly remove W32/SirCam from an infected computer.

--------------------------------------------------------------------------

Cache Corruption on Microsoft DNS Servers

The CERT/CC has received reports from sites experiencing DNS cache corruption on systems running Microsoft DNS Server. The default configuration of this software allows data from malicious or incorrectly configured DNS servers to be cached and then supplied to client computers that use that cache to resolve DNS information.

Please see:

a.. CERT Incident Note IN-2001-11

--------------------------------------------------------------------------

"Code Red" Related Activity

a.. "Code Green" Worm

The CERT/CC has started receiving reports of a new worm known as "Code Green". The "Code Green" worm is designed to patch systems vulnerable to the "Code Red" worms and to attempt to remove backdoors left by "Code Red II". "Code Green" will leave the following signature in web server logs (the presence of this log entry does not necessarily indicate an infection):

    "GET /default.ida?Code_Green_<I_like_the_colour -_-><AntiCodeRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_to_my_sisterli_'Doro'.Save_Whale_and_visit_<www.buhaboard.de>_and_<www.buha-security.de>%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"

b.. "Code Red II" Worm

The CERT/CC continues to receive reports of a worm commonly referred to as "Code Red II". The widespread, automated attack and propagation characteristics of "Code Red II" have caused bandwidth denial-of-service conditions in isolated portions of the Internet, particularly near groups of compromised hosts where "Code Red II" is running.

Detailed information about the "Code Red II" worm can be found in:

    a.. CERT Incident Note IN-2001-09

c.. "Code Red" Worm

We also continue to receive reports of the original "Code Red" worm. Machines infected by this worm started scanning the Internet for vulnerable servers again on September 1st, 2001.

Please see these documents for more information:

    a.. A Very Real and Present Threat to the Internet: Resurgence in Code Red Scanning Activity
    b.. CERT Advisory CA-2001-13
    c.. CERT Advisory CA-2001-19
    d.. CERT Advisory CA-2001-23

d.. "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled

Along with the large number of "Code Red" and "Code Red II" reports indicating that systems are compromised, the CERT/CC has received a smaller yet still significant number of reports where Windows NT 4.0 systems running IIS 4.0 have been adversely affected by the high volume of "Code Red" scanning activity. A recently discovered vulnerability can cause an IIS 4.0 server (patched against "Code Red" according to Microsoft Security Bulletin MS01-033) with URL redirection enabled to crash when scanned by the "Code Red" worms.

Please see:

    a.. "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled

The CERT/CC is interested in receiving reports of "Code Red" activity. If machines under your administrative control are compromised, please send mail to [log in to unmask]

--------------------------------------------------------------------------

Exploitation of a buffer overflow in telnetd

The CERT/CC has received reports of exploitation of the buffer overflow in the telnetd program discussed in CERT Advisory CA-2001-21. This vulnerability can crash the telnetd server or be leveraged to gain root access to the host. Sites are encouraged to read the advisory and take appropriate steps to protect any machines running the telnetd service.

The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to [log in to unmask]

--------------------------------------------------------------------------

Scans and Probes

We receive many daily reports of scanning and probing activity. The most frequent reports tend to involve services that have well-known vulnerabilities. Internet hosts continue to be affected by exploitation of well-known vulnerabilities in many of these services.
Service Name                              Port/Protocol
    Related Information

ftp                                       21/tcp
    IN-2001-01, Widespread Compromises via "ramen" Toolkit
    IN-2000-10, Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
    CA-2000-13, Two Input Validation Problems In FTPD
    AA-2000.02, wu-ftpd "site exec" Vulnerability
    CA-1999-13, Multiple Vulnerabilities in WU-FTPD
    CA-1997-27, FTP Bounce

ssh                                       22/tcp
    CA-1999-15, Buffer Overflows in SSH Daemon and RSAREF2 Library

telnet                                    23/tcp
    IN-2000-09, Systems Compromised Through a Vulnerability in the IRIX telnet daemon
    CA-2001-21, Buffer Overflow in telnetd

domain                                    53/tcp, 53/udp
    CA-2001-02, Multiple Vulnerabilities in BIND
    CA-2000-20, Multiple Denial-of-Service Problems in ISC BIND
    IN-2000-04, Denial of Service Attacks using Nameservers
    CA-2000-03, Continuing Compromises of Nameservers
    CA-1999-14, Multiple Vulnerabilities in BIND
    CA-1998-05, Multiple Vulnerabilities in BIND

http                                      80/tcp
    CA-2001-11, sadmind/IIS Worm
    CA-2001-23, Continued Threat of the "Code Red" Worm

"linuxconf" on some Linux distributions   98/tcp
    Some Linux distributions ship with linuxconf, a program which listens on TCP port 98. While we do not have any reports of intruders actively exploiting vulnerabilities in linuxconf, these probes may be used to identify Linux machines that have other vulnerabilities.

pop2                                      109/tcp
    ipop2d buffer overflow

pop3                                      110/tcp
    Qpopper buffer overflow
    CA-1997-09, Vulnerability in IMAP and POP

sunrpc                                    111/tcp, 111/udp
    CA-2001-05, Exploitation of snmpXdmid
    IN-2001-01, Widespread Compromises via "ramen" Toolkit
    IN-2000-10, Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
    CA-2000-17, Input Validation Problem in rpc.statd
    CA-1999-16, Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
    CA-1999-12, Buffer overflow in amd
    CA-1999-08, Buffer overflow in rpc.cmsd
    CA-1999-05, Vulnerability in statd exposes vulnerability in automountd
    CA-1998-12, Remotely Exploitable Buffer Overflow Vulnerability in mountd
    CA-1998-11, Vulnerability in ToolTalk RPC service
    CA-2001-11, sadmind/IIS Worm

netbios-ns, netbios-dgm, netbios-ssn      137/udp, 138/udp, 139/tcp
    IN-2000-03, 911 Worm
    IN-2000-02, Exploitation of Unprotected Windows Networking Shares
    CA-2001-23, Continued Threat of the "Code Red" Worm

imap                                      143/tcp
    CA-1998-09, Buffer Overflow in Some Implementations of IMAP Servers
    CA-1997-09, Vulnerability in IMAP and POP

printer                                   515/tcp
    IN-2001-01, Widespread Compromises via "ramen" Toolkit
    Vulnerability Note VU#382365, LPRng can pass user-supplied input as a format string parameter to syslog() calls

klogind                                   543/tcp
    CA-2000-06, Multiple Buffer Overflows in Kerberos Authenticated Services

socks                                     1080/tcp
    VN-1998-03, WinGate IP Laundering

SGI objectserver                          5135/tcp
    20000303-01-PX, Vulnerability in IRIX 5.3 and 6.2 objectserver

SubSeven                                  27374/tcp
    IN-2001-07, W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses

ICMP echo, ICMP echo reply                ICMP type 8, ICMP type 0
    CA-1998-01, "smurf" IP Denial-of-Service Attacks

--------------------------------------------------------------------------

For an overview of incident and vulnerability activity during the last quarter, see the most recent CERT Summary.

--------------------------------------------------------------------------

Copyright 1999, 2000, 2001 Carnegie Mellon University.
See the conditions for use, disclaimers, and copyright information. CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark office.
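The port 80 section above suggests mail-server filters for the "readme.exe" attachment, and the W32/SirCam section lists the characteristics that mark its mail (a double-extension attachment, a Subject equal to the file name). As an added example of such a filter (not CERT/CC code; the messages are constructed with Python's email module, and the block list, extension list and function names are my own choices), this check parses a message and reports which attachments trip the policy:

```python
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Policy (my assumption): names the page says to block outright, and the
# executable types a double-extension name (report.doc.bat) must end in.
BLOCKED_NAMES = {"readme.exe"}
EXECUTABLE_EXTS = {".exe", ".bat", ".com", ".pif", ".scr", ".vbs", ".lnk"}


def suspicious_attachment(filename: str, subject: str = "") -> list:
    """Reasons an attachment should be held, or [] if none apply."""
    name = filename.strip().lower()
    stem, last = os.path.splitext(name)
    reasons = []
    if name in BLOCKED_NAMES:
        reasons.append("attachment name is on the block list")
    # Double extension: the stem left after removing the last extension
    # still has an extension of its own, and the last one is executable.
    if last in EXECUTABLE_EXTS and os.path.splitext(stem)[1]:
        reasons.append("double extension ending in executable type " + last)
    # W32/SirCam characteristic from the page: Subject equals the file name.
    subj = subject.strip().lower()
    if subj and subj in (name, name.split(".", 1)[0]):
        reasons.append("subject repeats the attachment name (W32/SirCam pattern)")
    return reasons


def check_message(raw: str) -> list:
    """(filename, reasons) for every attachment that trips the policy."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            reasons = suspicious_attachment(filename, subject)
            if reasons:
                findings.append((filename, reasons))
    return findings


def build_sample(subject: str, attachment_name: str) -> str:
    """Constructed test message (not a real capture) with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Hi! How are you?\n\nSee you later. Thanks\n")
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for subj, fname in [("report", "report.doc.bat"), ("Hello", "README.EXE"),
                        ("Minutes", "notes.txt")]:
        print(fname, check_message(build_sample(subj, fname)))
```

The double-extension rule is deliberately independent of the block list: a fixed name such as "readme.exe" catches one campaign, while the extension rule catches the class of attachment the SirCam section describes, whatever the random stem is.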
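The Cache Corruption section above states the failure mode (a resolver caching whatever a malicious or misconfigured server hands it) but not the mechanism that prevents it. As an added model of that mechanism (my own code, not CERT/CC's and not a description of the Microsoft DNS Server setting the Incident Note covers), this Python cache accepts a record only if its owner name lies inside the zone that was actually queried (the "bailiwick" check) and never lets a record from the additional section overwrite one learned from an answer section; the response records are constructed:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name, e.g. "www.example.com."
    rtype: str     # "A", "NS", ...
    data: str
    section: str   # "answer", "authority" or "additional"


# Rank records by the response section they came from (RFC 2181-style
# credibility): glue in the additional section is the least trustworthy.
CREDIBILITY = {"answer": 3, "authority": 2, "additional": 1}


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies beneath it."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


class ResolverCache:
    def __init__(self):
        self.entries = {}   # (name, rtype) -> (credibility, data)

    def insert(self, rr: RR, zone: str) -> bool:
        """Cache rr from a response by a server for zone; False if discarded."""
        if not in_bailiwick(rr.name, zone):
            return False                      # out-of-bailiwick: ignore it
        key = (rr.name.rstrip(".").lower(), rr.rtype)
        cred = CREDIBILITY[rr.section]
        current = self.entries.get(key)
        if current is not None and current[0] > cred:
            return False                      # a better-ranked entry exists
        self.entries[key] = (cred, rr.data)
        return True

    def lookup(self, name: str, rtype: str):
        entry = self.entries.get((name.rstrip(".").lower(), rtype))
        return None if entry is None else entry[1]


def ingest_response(cache: ResolverCache, zone: str, records: list) -> list:
    """Feed one response into the cache; return owner names that were discarded."""
    return [rr.name for rr in records if not cache.insert(rr, zone)]


# Constructed response to a query for www.example.com sent to the example.com
# servers. The last record is the kind of out-of-bailiwick data a polluting
# server slips into the additional section.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),
    RR("www.example.net.", "A", "203.0.113.66", "additional"),
]

if __name__ == "__main__":
    cache = ResolverCache()
    print("discarded:", ingest_response(cache, "example.com.", SAMPLE_RESPONSE))
    print("cached entries:", cache.entries)
```

Both rules matter: the bailiwick check stops a server for one zone from planting records about another, and the credibility ranking stops in-bailiwick glue from replacing an address the resolver already learned from an authoritative answer.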