**************************************************************************
Security Bulletin 9554                  DISA Defense Communications System
December 18, 1995              Published by: DISN Security Coordination Center
                                            (SCC@NIC.DDN.MIL) 1-(800) 365-3642

                      DEFENSE INFORMATION SYSTEM NETWORK
                              SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using
login="anonymous" and password="guest". The bulletin pathname is
scc/sec-yynn.txt (where "yy" is the year the bulletin is issued and "nn"
is a bulletin number, e.g. scc/sec-9944.txt). These are also available
on our WWW site at http://nic.ddn.mil.
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                      !
!  The following important advisory was issued by the Computer         !
!  Emergency Response Team (CERT) and is being relayed unedited        !
!  via the Defense Information Systems Agency's Security               !
!  Coordination Center distribution system as a means of               !
!  providing DISN subscribers with useful security information.        !
!                                                                      !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================
=============================================================================

CA-95:18                         CERT Advisory
                               December 18, 1995
                     Widespread Attacks on Internet Sites
-----------------------------------------------------------------------------

Over the last several weeks, the CERT Coordination Center has been working
on a set of incidents in which the intruders have launched widespread
attacks against Internet sites. Hundreds of sites have been attacked, and
many of the attacks have been successful, resulting in root compromises at
the targeted sites. We continue to receive reports, and we believe that
more attacks are going undetected.

**********************************************************************
All the vulnerabilities exploited in these attacks are known, and are
addressed by CERT advisories (see Section III).
**********************************************************************

We urge everyone to obtain these advisories and take action to ensure that
systems are protected against these attacks. Also, please feel free to
redistribute this message.

As we receive additional information relating to this advisory, we will
place it in

        ftp://info.cert.org/pub/cert_advisories/CA-95:18.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site.

-----------------------------------------------------------------------------

I.   Description

     Intruders are doing the following:

     - using automated tools to scan sites for NFS and NIS vulnerabilities
     - exploiting the rpc.ypupdated vulnerability to gain root access
     - exploiting the loadmodule vulnerability to gain root access
     - installing Trojan horse programs and packet sniffers
     - launching IP spoofing attacks

II.  Impact

     Successful exploitation of the vulnerabilities can result in
     unauthorized root access.

III. Solution

     The CERT staff urges you to immediately take the steps described in
     the advisories and README files listed below. Note that it is
     important to check README files as they contain updated information
     we received after the advisory was published.

     a. Using automated tools to scan sites for NFS and NIS vulnerabilities

        * CA-94:15.NFS.Vulnerabilities
        * CA-94:15.README
        * CA-92:13.SunOS.NIS.vulnerability

     b. Exploiting the rpc.ypupdated vulnerability to gain root access

        * CA-95:17.rpc.ypupdated.vul
        * CA-95:17.README

     c. Exploiting the loadmodule vulnerability to gain root access

        * CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability
        * CA-95:12.sun.loadmodule.vul
        * CA-95:12.README

     d. Installing Trojan horse programs and packet sniffers

        * CA-94:01.ongoing.network.monitoring.attacks
        * CA-94:01.README

     e. Launching IP spoofing attacks

        * CA-95:01.IP.spoofing
        * CA-95:01.README

     The CERT advisories and README files are available from

        ftp://info.cert.org/pub/cert_advisories

     If you find a compromise, please complete the Incident Reporting Form
     that we have provided in the appendix of this advisory, and return
     the form to cert@cert.org. This completed form will help us better
     assist you.

     Note: Because of our workload, we must ask you not to send log files
     of activity, but we would be happy to work with you as needed on how
     to interpret data that you may collect. Also, the CERT staff can
     provide guidance and advice, if needed, on how to handle incidents
     and work with law enforcement.

     If you see activity that indicates an attack is in progress, we
     encourage you to contact other sites involved and the service
     providers, as well as the CERT Coordination Center.

---------------------------------------------------------------------------
Contacting the CERT Coordination Center

For sensitive information, please use encrypted email. The CERT public
PGP key is available from

        ftp://info.cert.org/pub/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline +1 412 268 7090
to exchange a DES key over the phone.

Other CERT contact information:

   Internet email: cert@cert.org

   Telephone:      +1 412-268-7090 (24-hour hotline)
                   CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/
                   EDT(GMT-4), and are on call for emergencies during
                   other hours.

   Fax:            +1 412-268-6989

   Postal address: CERT Coordination Center
                   Software Engineering Institute
                   Carnegie Mellon University
                   Pittsburgh, PA 15213-3890
                   USA

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send
mail to cert-advisory-request@cert.org.

Past CERT publications, information about FIRST representatives, and
other information related to computer security are available from

        ftp://info.cert.org/pub/

Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission
provided it is used for noncommercial purposes and the copyright
statement is included.

CERT is a service mark of Carnegie Mellon University.

..............................................................................

Appendix: Incident Reporting Form
(also available from ftp://info.cert.org/pub/incident.reporting.form)

                   CERT(sm) Coordination Center
                     Incident Reporting Form

CERT has developed the following form in an effort to facilitate our
interaction with members of the Internet community. We would appreciate
your completing the form included below in as much detail as possible.
The information is optional, but the more information you can provide,
the better we will be able to assist you. Note that our policy is to keep
confidential any information you provide unless we receive your
permission to release that information. (See questions 8 and 11 below.)

Please feel free to duplicate any section as required. Please return this
form to cert@cert.org. If you are unable to e-mail this form, please send
it via FAX. Our FAX telephone number is +1 412-268-6989.

Thank you for your cooperation and help.

 1) Incident number (assigned by CERT):
        CERT#

 2) Reporting site information
        Organizational Name (e.g. CERT Coordination Center):
        Domain Name (e.g. cert.org):

 3) Your contact information
        Name:
        E-mail address:
        Telephone number:
        FAX number (optional):
        Pager number (optional):
        Home telephone number (for CERT internal use only):

 4) Additional contact information (if available)
        Name:
        E-mail address:
        Telephone number:
        FAX number (optional):
        Pager number (optional):
        Home telephone number (for CERT internal use only):

 5) Compromised host(s) at your site (one entry per host please)
        Hostname:
        IP address:
        Vendor:
        Hardware:
        OS:
        Version:
        Security patches applied:

 6) Please list the other sites compromised that you have notified, and
    the contact information for each site (one entry per site please)
        Hostname:
        IP address:
        Contact information:
            Name:
            E-mail address:
            Telephone number:
            FAX number (optional):
            Pager number (optional):
            Home telephone number (optional, for CERT internal use only):

 7) Please list the other sites compromised that you have not yet
    notified (one entry per site please)
        Hostname:
        IP address:
        Contact information (if available):
            Name:
            E-mail address:
            Telephone number:
            FAX number (optional):
            Pager number (optional):
            Home telephone number (optional, CERT internal use only):

 8) Would you be willing to contact these sites if CERT provided you the
    relevant contact information (Yes/No):

    Or, can CERT give your contact information to these sites when we
    contact them (Yes/No):

 9) Incident category (Yes/No)
        Probe:
        Prank:
        Mail Spoofing:
        Break-in:
        Installed Trojan Horse:
        Intruder gained root access:
        NIS (yellow pages) attack:
        NFS attack:
        TFTP attack:
        FTP attack:
        Telnet attack:
        Rlogin or rsh attack:
        Product vulnerability:
        Worm:
        Virus:
        Other (please specify):

10) Are you currently using (Yes/No/Periodically)
        COPS (The Computer Oracle and Password System):
        TCP access control using packet filtering:
        Host access control via modified daemons or wrappers:
        Crack:
        Tripwire:
        Proactive password checkers (e.g. npasswd, passwd+):
        Shadow passwords:
        Other (please specify):

11) Miscellaneous

    Please specify any other incident response team(s) you have contacted
        Team:
        Contact information
            Name:
            E-mail address:
            Telephone number:
            FAX number (optional):
            Pager number (optional):
            Home telephone number (optional, CERT internal use only):

    If you have not contacted another incident response team, could we
    give them your contact information (Yes/No):

    Please specify any law enforcement agency(ies) you have contacted
        Agency:
        Contact information
            Name:
            E-mail address:
            Telephone number:
            FAX number (optional):
            Pager number (optional):
            Home telephone number (optional, CERT internal use only):

    If you have not contacted any law enforcement agency, could we give
    them your contact information, if necessary (Yes/No):

12) Detailed description of incident (e.g. method of intrusion, etc.)

13) What assistance would you like from CERT?

Copyright 1995 Carnegie Mellon University
This form may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the CERT Coordination Center
is acknowledged.

CERT is a service mark of Carnegie Mellon University.

****************************************************************************
*                                                                          *
*   The point of contact for NIPRNET security-related incidents is the     *
*   Security Coordination Center (SCC).                                    *
*                                                                          *
*   E-mail address: SCC@NIC.DDN.MIL                                        *
*                                                                          *
*   Telephone: 1-(800)-365-3642                                            *
*                                                                          *
*   NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,    *
*   Monday through Friday except on federal holidays.                      *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may
receive DISN Security Bulletins. If you are not part of the DOD
community, please contact your agency's incident response team to report
incidents. Your agency's team will coordinate with DOD.

The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

This document was prepared as a service to the DOD community. Neither
the United States Government nor any of its employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility
for the accuracy, completeness, or usefulness of any information,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the United States
Government. The opinions of the authors expressed herein do not
necessarily state or reflect those of the United States Government, and
shall not be used for advertising or product endorsement purposes.