CERT/CC Current Activity

Tue Jul 5 09:42:34 GMT-0400 2000

The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC.

Compromises via WU-FTP "site exec" Vulnerability [ Added: 5 Jul 2000 ]
Compromises via BIND Vulnerability [ Reviewed: 5 Jul 2000 ]
Scans and Probes [ Updated: 5 Jul 2000 ]

Compromises via WU-FTP "site exec" Vulnerability

The CERT/CC has been receiving a slow but steadily increasing number of reports from sites compromised through exploitation of the wu-ftpd "site exec" vulnerability, first reported by AUSCERT in AA-2000.02:

ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02

Sites are strongly encouraged to follow the advice contained in the advisory and apply vendor-supplied patches to systems running vulnerable versions of wu-ftpd.

If you believe your host has been compromised, please follow the steps outlined in Steps for Recovering From a Root Compromise.

Compromises via BIND Vulnerability

We continue to receive daily reports of systems being root compromised via one of the most recent vulnerabilities in BIND. The "NXT bug" described in CA-99-14, Multiple Vulnerabilities in BIND, is being exploited to gain root access to systems running vulnerable versions of BIND. For more information, see CA-2000-03, Continuing Compromises of Nameservers.

Sites are strongly encouraged to follow the advice contained in CA-99-14 and CA-2000-03 to protect systems running BIND nameservers.

If you believe your host has been compromised, please follow the steps outlined in Steps for Recovering From a Root Compromise.

Scans and Probes

We receive many daily reports of scanning and probing activity. The most frequent reports tend to involve services that have well-known vulnerabilities. Hosts continue to be affected by exploitation of well-known vulnerabilities in many of these services.

Service Name         Port/Protocol   Related Information

ftp                  21/tcp          CA-99-13, Multiple Vulnerabilities in WU-FTPD
                                     CA-97.27, FTP Bounce
                                     AA-2000.02, wu-ftpd "site exec" Vulnerability

ssh                  22/tcp          CA-99-15, Buffer Overflows in SSH Daemon and RSAREF2 Library

domain               53/tcp          IN-2000-04, Denial of Service Attacks using Nameservers
                     53/udp          CA-2000-03, Continuing Compromises of Nameservers
                                     CA-99-14, Multiple Vulnerabilities in BIND
                                     CA-98.05, Multiple Vulnerabilities in BIND

"linuxconf" on some  98/tcp          Some Linux distributions ship with linuxconf, a program
Linux distributions                  which listens on TCP port 98. While we do not have any
                                     reports of intruders actively exploiting vulnerabilities
                                     in linuxconf, these probes may be used to identify Linux
                                     machines that have other vulnerabilities.

pop2                 109/tcp         ipop2d buffer overflow

pop3                 110/tcp         Qpopper buffer overflow
                                     CA-97.09.imap_pop, Vulnerability in IMAP and POP

sunrpc               111/tcp         CA-99-16, Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
                     111/udp         CA-99-12, Buffer overflow in amd
                                     CA-99-08, Buffer overflow in rpc.cmsd
                                     CA-99-05, Vulnerability in statd exposes vulnerability in automountd
                                     CA-98.12, Remotely Exploitable Buffer Overflow Vulnerability in mountd
                                     CA-98.11, Vulnerability in ToolTalk RPC service

netbios-ns           137/udp         IN-2000-03, 911 Worm
netbios-dgm          138/udp         IN-2000-02, Exploitation of Unprotected Windows Networking Shares
netbios-ssn          139/udp

imap                 143/tcp         CA-98.09, Buffer Overflow in Some Implementations of IMAP Servers
                                     CA-97.09.imap_pop, Vulnerability in IMAP and POP

klogind              543/tcp         CA-2000-06, Multiple Buffer Overflows in Kerberos Authenticated Services

socks                1080/tcp        CA-98.03, WinGate IP Laundering

SGI objectserver     5135/tcp        20000303-01-PX, Vulnerability in IRIX 5.3 and 6.2 objectserver

ICMP echo            ICMP type 8     CA-98.01, "smurf" IP Denial-of-Service Attacks
ICMP echo reply      ICMP type 0

For an overview of incident and vulnerability activity during the last quarter, see the most recent CERT Summary.

Copyright 1999, 2000 Carnegie Mellon University.