Archive of CERT general posting, CERT Summary CS-99.04


Subject: CERT Summary CS-99.04
From: CERT Advisory <>
Date: Tue, 23 Nov 1999 16:45:07 -0500
Organization: CERT(sm) Coordination Center - +1 412-268-7090

CERT Summary CS-99-04

   November 23, 1999
   Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.
   Past CERT summaries are available from
Reminder: New CERT/CC PGP Key

   On October 4, 1999, the PGP key for the CERT/CC was replaced with a
   new PGP key. For more information, see
"CERT/CC Current Activity" Web Page

   The CERT/CC Current Activity web page is a regularly updated summary
   of the most frequent, high-impact types of security incidents and
   vulnerabilities currently being reported to the CERT/CC. It is
   available from
   The information on the Current Activity page will be reviewed and
   updated as reporting trends change.
Year 2000 (Y2K) Information

   The CERT/CC has published information regarding the Y2K problem:
   Y2K Information
Recent Activity

   Since the last CERT summary, issued in August 1999 (CS-99-03), we have
   published advisories on WU-FTPD, BIND, CDE, and AMD. We have also
   analyzed and published information regarding distributed intruder
   tools. Among other activity, we continue to see widespread scans for
   known vulnerabilities.
    1. Distributed Intruder Tools
       Denial of Service
       We have received reports of intruders compromising machines in
       order to install distributed systems used for launching packet
       flooding denial-of-service attacks. The systems typically contain
       a small number of servers and a large number of clients. These
       reports indicate that machines participating in such distributed
       systems are likely to have been root-compromised. You can find
       more information in
        CERT Incident Note 99-07
       We have received reports of intruders using distributed network
       sniffers to capture usernames and passwords. The distributed
       sniffer consists of a client and a server portion. As of this
       summary, the sniffer clients have been found exclusively on
       compromised Linux hosts. For more information please see
        CERT Incident Note 99-06
    2. CDE Vulnerabilities
       Multiple vulnerabilities have been identified in some
       distributions of the Common Desktop Environment (CDE). These
       vulnerabilities are different from those discussed in CA-98.02 and
       can lead to intruders gaining root access on vulnerable systems.
       For more information please see
        CERT Advisory CA-99-11
    3. BIND Vulnerabilities
       Several vulnerabilities have been found in BIND, the popular
       domain name server from the Internet Software Consortium (ISC).
       One of these vulnerabilities may allow remote intruders to gain
       privileged access to name servers. The others can severely disrupt
       the operation of the name server. For more information, please see
        CERT Advisory CA-99-14
    4. WU-FTPD Vulnerabilities
       Three vulnerabilities have been identified in WU-FTPD and other
       ftp daemons based on the WU-FTPD source code. WU-FTPD is a common
       package used to provide File Transfer Protocol (FTP) services.
       Remote and local intruders may be able to exploit these
       vulnerabilities to execute arbitrary code as the user running the
       ftp daemon (usually root). Incidents involving the first of these
       three vulnerabilities have been reported to the CERT Coordination
       Center. For more information please see
        CERT Advisory CA-99-13
    5. AMD Vulnerabilities
       There is a buffer overflow vulnerability in the logging facility
       of the amd daemon. This daemon automatically mounts file systems
       in response to attempts to access files that reside on those file
       systems. Remote intruders can exploit this vulnerability to
       execute arbitrary code as the user running the amd daemon (usually
       root). For more information see
        CERT Advisory CA-99-12
       We have received reports regarding exploits of this
       vulnerability. For more information please see
        CERT Incident Note 99-05
    6. RPC Vulnerabilities
       We continue to receive reports of exploitations involving three
       RPC vulnerabilities: rpc.cmsd, ttdbserverd, and statd/automountd.
       These exploitations can lead to root compromise on systems that
       implement vulnerable RPC services. Analysis has shown that similar
       artifacts have been found on compromised systems. For more
       information on the vulnerabilities please see
        CERT Incident Note 99-04
        CERT Advisory CA-99-08
        CERT Advisory CA-99-05
        CERT Advisory CA-98-11
    7. Virus and Trojan Horse Activity
       We continue to see reports of virus activity. Current versions of
       anti-virus software can help to protect your systems from these
       viruses. It is important to take great caution with any email or Usenet
       attachments that contain executable content. If you receive a
       message containing attachments, scan the message file with
       anti-virus software before you open or run the file. Doing this
       does not guarantee that the contents of the file are safe, but it
       lowers your risk of virus infection by checking for viruses and
       Trojan horses that your scanning software can detect.
       CERT/CC has published a Virus Resources page that includes
       information on
          Frequently Asked Questions (FAQs) about Computer Viruses
          Hoax and Chain Letter Databases
          Virus Databases
          Virus Organizations and Publications
          Anti-Virus Vendors
          Virus Related Papers
       Please see
        Virus Resources
    8. Continued Widespread Scans
       We continue to receive reports of scanning and probing activity.
       The most frequent reports tend to involve services that have
       well-known vulnerabilities. Hosts continue to be affected by
       exploitation of well-known vulnerabilities in these services:
        sunrpc (TCP port 111) and mountd (635)
        IMAP (TCP port 143)
        POP3 (TCP port 110)
        DNS (TCP port 53 [domain])
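   Worked example for items 6 and 8 (added to this archived copy; it is not
   part of the CERT summary and not a CERT tool): a Python script that parses
   the output of `rpcinfo -p`, which asks the portmapper which RPC services a
   host advertises, and reports the services named above (rpc.cmsd,
   ttdbserverd, statd, automountd and the mountd that is being scanned for).
   The program numbers in WATCHED are the conventional /etc/rpc
   registrations and are an assumption to verify against the /etc/rpc on the
   host being audited; the sample rpcinfo output is constructed.

```python
import re
import subprocess
from typing import Dict, List, Optional

# RPC services this summary names as exploited (item 6) or scanned for (item 8).
# Program numbers are the conventional /etc/rpc registrations and are an
# assumption for this example: verify them against /etc/rpc on the host you
# audit. rpcinfo prints the service name only when its own /etc/rpc knows the
# number, so the audit matches on the number as a fallback.
WATCHED: Dict[str, Optional[int]] = {
    "status": 100024,       # rpc.statd, NFS status monitor (CA-99-05)
    "cmsd": 100068,         # rpc.cmsd, CDE calendar manager (CA-99-08)
    "ttdbserverd": 100083,  # ToolTalk database server (CA-98-11)
    "mountd": 100005,       # NFS mount daemon, port 635 in the scan list
    "automountd": None,     # automounter: number differs by vendor, name match only
    "autofs": None,
}
NUMBER_TO_NAME = {num: name for name, num in WATCHED.items() if num is not None}

# One `rpcinfo -p` data line: program, version, protocol, port, optional service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text: str) -> List[Dict[str, object]]:
    """Parse `rpcinfo -p` output into one record per (program, version, proto, port)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # the header line or a blank line
        prog, vers, proto, port, name = m.groups()
        entries.append({"prog": int(prog), "vers": int(vers), "proto": proto,
                        "port": int(port), "name": name or ""})
    return entries


def audit(text: str) -> List[str]:
    """Return one finding per watched service that the portmapper advertises."""
    findings = []
    for e in parse_rpcinfo(text):
        name = e["name"]
        if name in WATCHED:
            why = "matched by name"
        elif e["prog"] in NUMBER_TO_NAME:
            name = NUMBER_TO_NAME[e["prog"]]
            why = "matched by program number %d (no name in /etc/rpc)" % e["prog"]
        else:
            continue
        findings.append("%s v%d %s/%d (%s)" % (name, e["vers"], e["proto"], e["port"], why))
    return findings


def run_rpcinfo(host: Optional[str] = None) -> str:
    """Run rpcinfo against the local portmapper, or a remote one when host is given."""
    cmd = ["rpcinfo", "-p"] + ([host] if host else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample output; the last line shows a host whose /etc/rpc does not
# know program 100083, so rpcinfo printed no service name for it.
SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1022  status
    100024    1   tcp   1024  status
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100068    2   udp  32772  cmsd
    100083    1   tcp  32771
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("EXPOSED:", finding)
```

   Run `rpcinfo -p host` from outside the perimeter as well as on the host
   itself. A registration is a lead, not proof of a vulnerable version; match
   it against the advisory for that service. Blocking port 111 at the
   firewall hides the registrations but does not stop connections to the
   service ports themselves (1022, 32772 and so on in the sample), so the
   services have to be patched or disabled rather than merely obscured.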
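   Worked example for item 7 (added to this archived copy; not part of the
   CERT summary): a Python triage step for the attachment advice above. It
   parses a mail message, extracts each attachment without executing
   anything, and flags the kinds of executable content the text warns about:
   executable extensions, double extensions that disguise a program as a
   document, macro-capable Office documents, and bodies that begin with the
   DOS/Windows MZ executable header whatever the filename claims. The
   extension lists, the function names and the message with its base64
   payload are constructed for this example.

```python
import email
import email.policy
import hashlib
from typing import Dict, List

# Names Windows will execute directly, and document types that can carry macros
# (the summary's "executable content" covers both). Illustrative, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".hta"}
MACRO_EXTS = {".doc", ".dot", ".xls", ".xla", ".ppt"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def examine(filename: str, content_type: str, data: bytes) -> Dict[str, object]:
    """Classify one attachment from its name, its declared type and its first bytes."""
    suffixes = ["." + s for s in filename.lower().split(".")[1:]]
    flags: List[str] = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        flags.append("executable extension")
        if len(suffixes) > 1:
            flags.append("double extension")      # e.g. report.doc.exe posing as a document
    if suffixes and suffixes[-1] in MACRO_EXTS:
        flags.append("macro-capable document")
    if content_type in EXECUTABLE_TYPES:
        flags.append("executable content-type")
    if data[:2] == b"MZ":
        flags.append("MZ/PE header")              # a DOS/Windows executable regardless of name
    return {
        "filename": filename,
        "content_type": content_type,
        "size": len(data),
        "sha1": hashlib.sha1(data).hexdigest(),   # for matching against scanner reports
        "flags": flags,
        "verdict": "hold" if flags else "scan",   # everything still gets scanned before use
    }


def triage(raw: bytes) -> List[Dict[str, object]]:
    """Return an examine() record for every attachment in an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    records = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename and part.get_content_disposition() != "attachment":
            continue                               # the message body itself
        data = part.get_payload(decode=True) or b""   # decoded bytes, never executed
        records.append(examine(filename or "(unnamed)", part.get_content_type(), data))
    return records


# Constructed message: one harmless text attachment and one program whose name
# ends in .doc.exe and whose body starts with the MZ header.
SAMPLE_MESSAGE = b"""\
From: someone@example.org
To: you@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

See the attached files.
--bnd
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Plain text, nothing executable here.
--bnd
Content-Type: application/octet-stream; name="report.doc.exe"
Content-Disposition: attachment; filename="report.doc.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--bnd--
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGE):
        print(str(r["verdict"]).upper(), r["filename"], r["content_type"],
              r["size"], r["sha1"], ", ".join(r["flags"]))
```

   A flagged attachment is held; an unflagged one still goes to the virus
   scanner before it is opened, which is the summary's point: name and type
   checks raise the bar, a scanner detects only what it knows, and a new
   virus may pass both.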
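   Worked example for item 8 (added to this archived copy; not part of the
   CERT summary): detection logic for the scanning activity described above,
   run over constructed firewall log lines in the Linux ipchains "Packet log:"
   style. It extracts source, destination and TCP destination port, keeps only
   the ports listed above, and reports a source that sweeps one port across
   several hosts or probes several of those services on one host. The log
   lines, the thresholds and the regular expression are assumptions for the
   example; adapt the expression to your own firewall or tcp_wrappers format.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# The services item 8 lists, keyed by TCP destination port.
WATCHED_PORTS = {111: "sunrpc", 635: "mountd", 143: "imap", 110: "pop3", 53: "domain"}

# Matches the "PROTO=n src:sport dst:dport" fragment of an ipchains "Packet log:"
# line (assumed format for this example; adjust for your own firewall's logs).
PACKET_RE = re.compile(
    r"PROTO=(?P<proto>\d+)\s+(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)"
    r"\s+(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)

Event = Tuple[str, str, int]  # (source address, destination address, destination port)


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Extract TCP connection attempts; UDP and unparseable lines are ignored."""
    events = []
    for line in lines:
        m = PACKET_RE.search(line)
        if m and m.group("proto") == "6":          # IP protocol 6 is TCP
            events.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return events


def find_scanners(events: Iterable[Event], sweep_hosts: int = 3,
                  vertical_ports: int = 2) -> Dict[str, List[str]]:
    """Map each suspicious source address to the reasons it was flagged.

    A source is flagged when it hits the same watched port on at least
    sweep_hosts distinct hosts (a horizontal sweep) or at least vertical_ports
    different watched services on one host (a per-host probe).
    """
    hosts_by_port = defaultdict(lambda: defaultdict(set))   # src -> port -> {dst}
    ports_by_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {port}
    for src, dst, dport in events:
        if dport in WATCHED_PORTS:
            hosts_by_port[src][dport].add(dst)
            ports_by_host[src][dst].add(dport)
    report: Dict[str, List[str]] = {}
    for src in sorted(hosts_by_port):
        reasons = []
        for port, hosts in sorted(hosts_by_port[src].items()):
            if len(hosts) >= sweep_hosts:
                reasons.append("swept %s/%d across %d hosts"
                               % (WATCHED_PORTS[port], port, len(hosts)))
        for dst, ports in sorted(ports_by_host[src].items()):
            if len(ports) >= vertical_ports:
                names = ", ".join(sorted(WATCHED_PORTS[p] for p in ports))
                reasons.append("probed %d watched services on %s (%s)" % (len(ports), dst, names))
        if reasons:
            report[src] = reasons
    return report


# Constructed log lines: one source sweeping sunrpc across four hosts, one
# probing three services on a single host, and one with only unrelated TCP
# traffic plus a UDP packet that the parser drops.
SAMPLE_LOG = """\
Nov 21 03:14:07 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:2048 192.168.1.1:111 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Nov 21 03:14:07 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:2049 192.168.1.2:111 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Nov 21 03:14:08 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:2050 192.168.1.3:111 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Nov 21 03:14:08 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:2051 192.168.1.4:111 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Nov 21 04:02:11 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:3301 192.168.1.1:143 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Nov 21 04:02:11 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:3302 192.168.1.1:110 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Nov 21 04:02:12 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:3303 192.168.1.1:53 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Nov 21 05:10:00 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:1025 192.168.1.1:80 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Nov 21 05:10:01 gw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.7:1026 192.168.1.2:53 L=60 S=0x00 I=0 F=0x0000 T=64 (#1)
"""

if __name__ == "__main__":
    for src, reasons in find_scanners(parse_events(SAMPLE_LOG.splitlines())).items():
        print(src)
        for reason in reasons:
            print("   ", reason)
```

   Two caveats for anyone running this against real logs. mountd is an RPC
   service whose port is normally assigned by the portmapper at start-up;
   635 is only a common Linux default, so use an rpcinfo check rather than
   the port number to find it. And UDP port 53 traffic from many sources is
   ordinary DNS, whereas TCP port 53 carries zone transfers and oversized
   responses, which is why the summary lists the TCP port and the example
   counts TCP only.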
What's New and Updated

   Since the last CERT summary, we have developed new and updated
     * Advisories
     * CERT statistics
     * Incident notes
     * Tech tips/FAQs
     * Y2K information
   There are descriptions of these documents and links to them on our
   "What's New" web page at
   This document is available from:
CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

   CERT publications and other security information are available from
   our web site
   To be added to our mailing list for advisories and bulletins, send
   email to and include SUBSCRIBE
   your-email-address in the subject of your message.
   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
