CERT Incident Note IN-98.02: New Tools Used for Widespread Scans

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

New Tools Used For Widespread Scans

Thursday, July 2, 1998

Intruders launching widespread scans in order to locate vulnerable machines is nothing new; however, a new intruder tool was publicly released last week which scans networks for many different vulnerabilities. The CERT Coordination Center has received numerous reports indicating that this tool is in widespread use within the intruder community.

The tool uses both DNS zone transfers and/or brute force scanning of IP addresses to locate machines. Once machines are located, they are tested for a number of vulnerabilities.

The tool has the capability to test for the following vulnerabilities:

• statd vulnerability - see http://www.cert.org/advisories/CA-97.26.statd.html
• imap/pop3 vulnerabilities - see http://www.cert.org/advisories/CA-97.09.imap_pop.html
• IRIX machines that have accounts with no passwords - see http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html
• bind vulnerability - see http://www.cert.org/advisories/CA-98.05.bind_problems.html
• cgi-bin vulnerabilities - see http://www.cert.org/tech_tips/cgi_metacharacters.html
• phf - see http://www.cert.org/advisories/CA-96.06.cgi_example_code.html
• handler - see ftp://ftp.cert.org/pub/cert_bulletins/VB-97.07.sgi
• test-cgi
• NFS filesystems exported to everyone
• X11 (open X servers)

We encourage you to ensure that all machines in your network utilizing any of the above services are up to date with patches and properly secured.

The footprints of this attack are sequential connections to multiple hosts on one or more of the following TCP ports.

Port   Service
--------------
(23)   telnet
(53)   dns
(79)   finger
(80)   web
(110)  pop
(111)  SunRPC & NFS (UDP and TCP)
(143)  imap
(1080) socks
(2049) nfs (UDP)
(6000) X

Also, requests for the phf, handler, and test-cgi CGI scripts may show up in web access logs.

We encourage sites to disable or add access control to DNS zone transfers. One way to do this is to filter port 53 (TCP) to prevent domain name service zone transfers and permit access to socket 53 (TCP) only from known secondary domain name servers.

We also urge you to filter/firewall all traffic except that which you explicitly decide to allow. Please look at our packet filtering tech tip for more information.

http://www.cert.org/tech_tips/packet_filtering.html

Copyright 1998 Carnegie Mellon University.