-----BEGIN PGP SIGNED MESSAGE-----

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    
          Automated Systems Security Incident Support Team
                                                _____
             ___   ___  _____   ___  _____     |     /
      /\    /   \ /   \   |    /   \   |       |    / Integritas
     /  \   \___  \___    |    \___    |       |   <      et
    /____\      \     \   |        \   |       |    \ Celeritas
   /      \ \___/ \___/ __|__  \___/   |       |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  
    
                       Bulletin  95-51
 
       Release date: 18 December, 1995, 3:10 PM EST (GMT -5)

SUBJECT: Widespread Internet system attacks.

SUMMARY: ASSIST has received information from the CERT Coordination
Center about a large number of Internet attacks, including some
successful root level compromises, which have been noted during the
past several weeks.

BACKGROUND: Hundreds of attacks against Internet sites have been
detected, and it is presumed many more attacks are going
un-detected.  All vulnerabilitites exploited in this group of
attacks have been documented and have specific countermeasures
(see RECOMMENDED SOLUTIONS for references to appropriate ASSIST
bulletins).  Intruders are using one or more of the following 
vulnerabilities and/or procedures in their attacks:
   * automated tools scan sites for NFS and NIS
     vulnerabilities 

   * exploiting the rpc.ypupdated vulnerability to gain root
     access

   * exploiting the loadmodule vulnerability to gain root
     access

   * installing Trojan horse programs and packet sniffers

   * launching IP spoofing attacks

IMPACT: Successful exploitation of the vulnerabilities can result 
in unauthorized root access.

RECOMMENDED SOLUTIONS: Check systems to ensure that all the
vulnerabilities and security issues addressed in the ASSIST 
bulletins cited below have been corrected.  Back issues of all
ASSIST bulletins can be downloaded from the ASSIST BBS and FTP
systems (see ASSIST Information Resources paragraph in the 
trailer of this message).

A. Automated tools scan sites for NFS and NIS vulnerabilities.

   * ASSIST 94-41, NFS Vulnerabilities.  NOTE: The following is 
   an addendum to 94-41.  Some sites may run NFS on a port other 
   than 2049.  To determine which port is running NFS, enter the 
   following command on the machine in question:
      rpcinfo -p 
   If NFS is on a different port, then that is the port number 
   to block at the firewall.
   * ASSIST 92-39, SunOS NIS Vulnerability.

B. Exploiting the rpc.ypupdated vulnerability to gain root access.
   * ASSIST 95-49, rpc.ypupdated Vulnerability.
   * ASSIST 95-50, SGI rpc.ypupdated Vulnerability. 

C. Exploiting the loadmodule vulnerability to gain root access.
   * ASSIST 93-33, SunOS/Solbourne loadmodule and modload
   Vulnerability.
   * ASSIST 95-40, Sun 4.1.X Loadmodule Vulnerability.

D. Installing Trojan horse programs and packet sniffers.
   * ASSIST 94-02, Ongoing network monitoring attacks, also
   see follow up bulletins 94-02A/B/C.  NOTE: The following is an
   addendum to the 94-02 series.  
      Check for modifications to /etc/rc* files and /etc/shutdown.
      Some intruders have modified /etc/rc files to ensure that
      the sniffer restarts after a shutdown or reboot. Others
      have modified the shutdown sequence to remove all traces of
      compromise.
    
      Look for additional Trojan binaries, in particular:
      netstat, ifconfig, su, ls, find, du, df, libc, sync, and 
      any binaries referred in /etc/inetd.conf.

      Look for unexpected ASCII files in the /dev directory.
      Some of the Trojan binaries rely on configuration files,
      which are often found in /dev. 

      Some sites have reported intruders gaining root access then
      reinstalling a kernel with /dev/nit functionality.  

      Sniffers for other platforms, i.e., Solaris.

      Sites have reported intruders using sniffers to capture
      authentication to routers.  Using that data, they compromise
      the routers and modify the configuration file.

E. Launching IP spoofing attacks.
   * ASSIST 95-01, IP Spoofing Attacks and Hijacked Terminal
   Connections.
   * ASSIST 95-29, IP Spoofing Attacks.
   * ASSIST 95-29.readme. 

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST would like to thank the CERT Coordination Center for 
information contained in this bulletin.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency 
(DISA), and provides service to the entire DoD community. 
Constituents of the DoD with questions about ASSIST or computer 
security issues, can contact ASSIST using one of the methods listed 
below.  Non-DoD organizations/institutions, contact the Forum of 
Incident Response and Security Teams (FIRST) representative.  To 
obtain a list of FIRST member organizations and their constituencies 
send an email to docserver@first.org with an empty "subject" line 
and a message body containing the line "send first-contacts".

ASSIST Information Resources: To be included in the distribution
list for the ASSIST bulletins, send your Milnet (Internet) e-mail
address to assist-request@assist.mil.  Back issues of ASSIST 
bulletins, and other security related information, are available
from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous 
FTP from assist.mil (IP address 199.211.123.11).  Note: assist.mil 
will only accept anonymous FTP connections from Milnet addresses 
that are registered with the NIC or DNS.  If your system is not 
registered, you must provide your MILNET IP address to ASSIST before 
access can be provided.
 
ASSIST Contact Information:
PHONE: 800-357-4231, COMM 703-607-4700, DSN 327-4700.
ELECTRONIC MAIL: assist@assist.mil.
ASSIST BBS: COMM 703-607-4710, DSN 327-4710, leave a message for
the "sysop".  
FAX: COMM 703-607-4735, DSN 607-4735

ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital 
signature mechanism for bulletins.   PGP 2.6.2 incorporates the 
RSAREF(tm) Cryptographic Toolkit under license from RSA Data 
Security, Inc.  A copy of that license is available via anonymous 
FTP from net-dist.mit.edu (IP 18.72.0.3) in the file 
/pub/PGP/rsalicen.txt, and through the world wide web from
http://net-dist.mit.edu/pgp.html.  In accordance with the terms 
of that license,  PGP 2.6.2 may be used for non-commercial 
purposes only.  Instructions for downloading the PGP 2.6.2 
software can also be obtained from net-dist.mit.edu in the 
pub/PGP/README file.  PGP 2.6.2 and RSAREF may be subject to the 
export control laws of the United States of America as 
implemented by the United States Department of State Office of 
Defense Trade Controls.  The PGP signature information will be 
attached to the end of ASSIST bulletins.
  
Reference herein to any specific commercial product, process, or
service by trade name, trademark manufacturer, or otherwise, does
not constitute or imply its endorsement, recommendation, or
favoring by ASSIST.  The views and opinions of authors expressed
herein shall not be used for advertising or product endorsement
purposes. 

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6

mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM
W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw
FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR
tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQMJVF1JtBJ/Qs
yeedAQFnqgQAp1rw7ONT41Mr3gHGs2aVpEwgOH6SeJ9sHZxUp4dJu+ogRMFrqdC+
+NBfzitzj9m1udFVDHpwsGawbv6wg43DDAKaTgIETCHYXa/OM5/9FCS3xJwC99Gb
V1iOm8S/Q9FcJruKID9DG2WUJp2yPj+CjTuBQeLjGkqGjuSOR1TNXQiJAJUDBRAw
lUPuYKf6jFkmJQkBAWg5A/9ykgo2ULWUsSzZjRkO9yPZUPAlpfH7ReaHwkapK69F
fBzqwwQ8Gig1mL+qgmOHS8Zv+OAT491sWWsECN+dfpopFdsgS4Sec19ZjcMyhL1c
BVIS9Cmbjetb6Kvfc39AMr0MRCrUlOkUd4qScjHysHFYRAwCl3STRjprNnUPKQbn
f4kAlQMFEDB482bk8movIjSrbQEB/VgD/iap/CAb1jq8wMA3QleU8d6/QUqoPzgp
jRhP0wP7K2GLVUV0d5sP4EptmzejqViZvlzt6ufnI1bML0Yt2U5loAeblnh714RX
JcOmyAah6niiJSKuhCsYUzW6f3EBzXBn5tcu3GP35h+1VQunCQCMICCfnZ0r8Wcv
EdwE9LxPYdueiQCVAwUQMHOjMwJPhGsUbeKNAQGOagQAgT5p6CwrIPpi+12yJ170
ekc3MPp8z0aNbvdCQWXTK6qtq1LmS65VeH0RE5xRponsgbWp+5JBvD22v0eGuSg7
7bnHT1HPXazPERAp8sw1zTERs7drMQE+JhHYylh3orKzHNf5EjFx10vwEXdfvGSc
sP3Vpcx2xu0lUYHp5oHtPFiJAJUDBRAwar4DFKHh5Qavqe0BAeQqA/4xd0tdq9yF
eUYrd1+ZriayzfSjCcIUlCDH1i7vXw1kiHkg2YpOoZLD9k+zNkbOyBs/r570fGHu
A23SvUcUfaBUijT1jf9YGU5MQMdpx3p5qqI4kJ0GWUNySZNtaFy0qWNH8Z8NsNp3
FWllVeisye0qe96aoizW0dAyUymlM6YYn4kAlQMFEDBqqvga2zTcAviMgQEBN8wE
AIu7O/Of4c1OvMc5tti4+gcyCVw41+fLjxQFB5EtkoW8Js6XhCsv3GcmzgCZw3g8
Sux7wxGe+lspZNV9rvv+JkDBWkA9O5HyOdmdv5JZM1UH41NettZM9Yw7kUtO7lAT
aOb4ybHlqrBwJ8/+Lig7r7PwTL847JyGa3g229pGG/uEiQCVAwUQMGpTK+glSuMP
TJd1AQE8KQP8Cu+FYuagNoBRllMIQryT9+0ngLRxJJTcTgIbLX4OPwa27JuXCukG
kUIXRWFCqkRqkM/7ImZXeuUL4PmAX07f9ygGH7BUyqefhIWkxWFDaGHJVlg3l/pS
Wh7NnC+nU6DUJNSzfwYStCABNptOcMiYaT1fY0+DkWpIgJVRTptquOWJAJUCBRAw
aHX+IlGW2WZtAFEBATkXA/40QTxVP/x3aJDgC11cvFhwT7M+qJvhGSTRJOtrFz8i
soZzihMeaQ8zLiu73dDlFz2E4f0+ettxsDcgFJADNmZ5H7WkPlf9gBUBne4KP2Y6
yIjOCMwd6T7HGm/ErF88DIJ2wn8irhzVRnBBWhnmQfSzr5a7mkjlA6GzAlFucGp3
eokAlQMFEDBpzIC58yc3bMt0GQEBgd4EAI0mE/5wXSWuBNApkALLjPAchBdeC4Kl
YF4hQkfY/4YddeIasgTmINKOc5gJWgTHxPI2xKxjTAQhIZlOxuDyXWnBuK+x2hr4
iCh5unEIH+qaqdipGwWjFq0IZEmOOJaBRxlVt2hrmY6nRMpekitFLw8dhWHgI968
WVhJpWfBg+MhiQCVAwUQMGnMcmJl+kgHVnRVAQF+nQP/XK4xmIx1SmjoN9D+vNRY
PSiKz8KEzh1Y2/5QTYA7iES8QXC4i/8HOWK7lyoL6FmWGxKYpU8isQ+DJpk0A4N0
U04JexpyFa0EeM/wsfp0YvAWesSVhV5UkDQU6hSC0U8rS1j/qtnSLZ4wXpapPSBh
82daDlxAQCVMzDoQYQZkMi+JAJUDBRAwacftBCZ9eY4KSdEBAbKGA/0VHArALL6v
d0a0x7sn4o60Bk2fFzuaCBNTNzb11OOtuu47KMOZLwrl2jv+32ysIVEOXx+puhXP
nQAgRrH0LGKV5FOY3B98AHuV+woOmfVjM2T3xB4Bs52Dz+HIIIhaWzzy3955tlp/
6UyvZnD0QFLS/bre/Pog1Lgl0pxonmILhYkAlQIFEDBpJpXAx/wW8A8EIQEBPVoD
/jwgG+7ZrWrb8/dqe6IZhSk8rq0JIHhSA2Hz1T7PhRvyDiquBJ3ulTeaX3BvuWqF
bMuLJ4CTqXw9dexDehEnhGlxYycSXVzy8a34pLnmldii8oNvI1bLWMgd4HdM/PPZ
GOgHmSIGrXMChkbddt9AoszDI0Whlbe9+wn6AeZVrJVaiQCVAgUQMGkkL2yh0IcG
ee2RAQHrTgQAvBRce0S9yBvI/ufC/1jhE3LuUoA3YDdA8+UQ+UekaslZzOEgPs4K
Za/nM9Y2vaRYscyzyIg8FGTzCdJQ2be9HZjSkB2xQuakeq88tlV32/cLcQSC8Zrw
xsnPWujbIcWYg7B0hv8cCovef/w4kC9GyhjhIzPIsQ/Cr7/TYzheK12JAJUDBRAw
Z/38o2xF3nu86kkBARanA/0XO4HBo6pT2xNCdQ7AW9UrvmTCiYUb0XVY7qCnkaPp
Sn1KjsK2nGueDMGUBzvx9zWZ0xHAS+BSNkoM61gb9455KcbDwRqw6+47O/WuX1w9
fh7egjTY0kqN6YsP/vtirOuP+Krh19w/s6cDxbEBNbJIiZofRDFRRsZcZ8E2mLCP
UIkAlQMFEDBn/EY7f8e8znZrHwEBxQwD/jP+CiwO3Nk45M5Ei++TZzdp7ak82hum
XxVXplV2G4w8DN86pfl3IV/XvU67FQXg4NKJr+wm3JknDtlKZTE5g+aKkOYK6Fqt
w3FjTd6PTDz11YRruCsdvBeYwMcHPe5XzIhgkwkMXX2Mp99q9LGKfV3087do2LNr
V/2S/atn6IuqiQCVAwUQMGW6OliXq3zaXLJBAQFLwgP/bQ1C/Ph54RlRqw9rovJo
SXp5wvQAfVqqnkL5nIIIK2uGputcmhMP8RqYKuRv4xaezkCDTeIE/P0327Ajc4//
ca4SZCojxfqtrhw3EkfZtvFLJh1tsvAkqZkgHmjJxwA+lY78lQ1ncBZ99dePpuHu
MBQew3769SkEA8kk/s5XiYqJAJUDBRAvXHHu0fqxudbcij0BAQFjA/0W8glucqO0
wtSPyCF3qGimFLHxZmd9Cw6Zlf8Ftfy8rPVrkGQGfioA29b64oZ1SUTwsswSbU8P
n0KKFxvc6hYM5TzMg4gSu+vLh6pr4vMRdXyecF16z4BrUwIwZLP4rc5o/vyVDskI
ahj1NdNYh6V8B0FUEbhVBxJBGfy2NF0bZ7QoQVNTSVNUIFRlYW0gPGFzc2lzdEBh
c3Npc3QuaW1zLmRpc2EubWlsPokAlQIFEC45Ys3KbyuD/AwC1QEBKPED/2dwnN+/
OE2iHhvGwv3jZtsm6cH+GVkpNpc0w0vQOKvVwUnLwuETSv+eryz9Fl7nL0U2tv/5
V81dXqqc5C7EvOQW1Dt9RBSjEOundYrOzsfELIMrwh1iJXsIxG7g7iil0HeKzxsQ
E/nBFwJbgP6SQaYF4wy7TPuXw+IVVddp0p1riQCVAgUQLi5x6IdGPdIwvm+pAQFN
EwP+Ml0i+yurXH1ZvQApz+HKwqLrRTNsNdHu2CsQ/OdGo4Vq4eqyPTvrI1OVjm6o
jye7GR3RMPygEcz0oox/+YfB5cmGugpZLFsWLspswrFGGCXLXY3Bq7mpH14GENU5
JMlHzazeRvdDbkSv700Xu25JshjWIzfTY2nNUNfFlRefQoY=
=8gi/
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBMNXKH9H6sbnW3Io9AQF1aAQAoKNKQa2wWFgwSWx0/WUm25lau4vBHpA4
qvGdVIwfmXHkS7eRbyKlqDPzDk7b2v8vIe4ZDOmV+Oj1mHlETU7KeNTT52f2RyND
0f/tuJZet0cdKRMrK41y9SsR3XsXG5HXDnYHVjeJmsPWlvCmWW/3SFz7lpJfloPl
GDtyTXCPcFQ=
=25Pj
-----END PGP SIGNATURE-----