New Tools Used For Widespread Scans
Thursday, July 2, 1998

Intruders launching widespread scans in order to locate vulnerable machines is nothing new; however, a new intruder tool was publicly released last week which scans networks for many different vulnerabilities. The CERT Coordination Center has received numerous reports indicating that this tool is in widespread use within the intruder community.
The tool locates machines by DNS zone transfers, by brute-force scanning of IP address ranges, or by both. Once machines are located, they are tested for a number of vulnerabilities.
The tool has the capability to test for the following vulnerabilities:
- statd vulnerability - see http://www.cert.org/advisories/CA-97.26.statd.html
- imap/pop3 vulnerabilities - see http://www.cert.org/advisories/CA-97.09.imap_pop.html
- IRIX machines that have accounts with no passwords - see http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html
- bind vulnerability - see http://www.cert.org/advisories/CA-98.05.bind_problems.html
- cgi-bin vulnerabilities - see http://www.cert.org/tech_tips/cgi_metacharacters.html
- phf - see http://www.cert.org/advisories/CA-96.06.cgi_example_code.html
- handler - see ftp://ftp.cert.org/pub/cert_bulletins/VB-97.07.sgi
- test-cgi
- NFS filesystems exported to everyone
- X11 (open X servers)
The footprints of this attack are sequential connections from one source to multiple hosts on one or more of the following ports (TCP unless noted otherwise).

Port    Service
----    ------------------------------
23      telnet
53      dns
79      finger
80      web
110     pop
111     SunRPC & NFS (UDP and TCP)
143     imap
1080    socks
2049    nfs (UDP)
6000    X

Also, requests for the phf, handler, and test-cgi CGI scripts may show up in web access logs.
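The two footprints above (one source touching several hosts on a listed port, and requests for the three CGI scripts) can be pulled out of existing logs. The script below is an added example, not a tool from the CERT advisory: it reads web access logs in Common Log Format and a connection log in a constructed "date time src -> dst:port" layout (the format and the log lines themselves are made up for the example; adapt the regular expression to whatever your packet filter or TCP wrappers actually write), and reports sources that requested phf, handler or test-cgi or that hit at least three distinct hosts on one of the scanned ports.

```python
import re
from collections import defaultdict

# Ports the advisory lists as probed by the tool.
SCAN_PORTS = {23, 53, 79, 80, 110, 111, 143, 1080, 2049, 6000}

# CGI scripts the advisory says show up in web access logs.
CGI_PROBES = ("phf", "handler", "test-cgi")

# Common Log Format: host ident authuser [date] "method path proto" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed connection-log layout for this example: "date time src -> dst:port".
CONN_RE = re.compile(r'^\S+ \S+ (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$')

# Constructed sample data (not real logs). 192.0.2.77 behaves like the scanner.
ACCESS_LOG = [
    '192.0.2.77 - - [02/Jul/1998:10:14:02 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 210',
    '192.0.2.77 - - [02/Jul/1998:10:14:03 -0400] "GET /cgi-bin/handler HTTP/1.0" 404 210',
    '192.0.2.77 - - [02/Jul/1998:10:14:03 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210',
    '198.51.100.9 - - [02/Jul/1998:10:20:41 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

CONN_LOG = [
    '1998-07-02 10:13:55 192.0.2.77 -> 198.51.100.1:111',
    '1998-07-02 10:13:55 192.0.2.77 -> 198.51.100.2:111',
    '1998-07-02 10:13:56 192.0.2.77 -> 198.51.100.3:111',
    '1998-07-02 10:13:56 192.0.2.77 -> 198.51.100.4:111',
    '1998-07-02 10:13:57 192.0.2.77 -> 198.51.100.1:143',
    '1998-07-02 10:13:57 192.0.2.77 -> 198.51.100.2:143',
    '1998-07-02 10:13:58 192.0.2.77 -> 198.51.100.3:143',
    '1998-07-02 10:15:00 203.0.113.5 -> 198.51.100.1:25',   # mail: not a scanned port
    '1998-07-02 10:15:01 203.0.113.5 -> 198.51.100.1:80',   # a single host: below threshold
]


def find_cgi_probes(access_log_lines):
    """Return (client_ip, path) for every request whose script name is phf, handler or test-cgi."""
    hits = []
    for line in access_log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        ip, _method, path, _status = m.groups()
        # Strip the query string, then take the last path component as the script name.
        script = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if script in CGI_PROBES:
            hits.append((ip, path))
    return hits


def find_port_sweeps(conn_log_lines, min_hosts=3):
    """Return {src_ip: {port: [distinct targets]}} for sources that touched at least
    min_hosts distinct hosts on any scanned port. A port hit on one host is not a sweep."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in conn_log_lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port in SCAN_PORTS:
            targets[src][port].add(dst)
    sweeps = {}
    for src, by_port in targets.items():
        flagged = {p: sorted(h) for p, h in by_port.items() if len(h) >= min_hosts}
        if flagged:
            sweeps[src] = flagged
    return sweeps


def suspicious_sources(access_log_lines, conn_log_lines, min_hosts=3):
    """Union of sources flagged by either footprint."""
    srcs = {ip for ip, _ in find_cgi_probes(access_log_lines)}
    srcs.update(find_port_sweeps(conn_log_lines, min_hosts))
    return sorted(srcs)


if __name__ == "__main__":
    for ip, path in find_cgi_probes(ACCESS_LOG):
        print("cgi probe  %-14s %s" % (ip, path))
    for src, by_port in find_port_sweeps(CONN_LOG).items():
        for port, hosts in sorted(by_port.items()):
            print("port sweep %-14s port %-5d %d hosts" % (src, port, len(hosts)))
    print("suspicious sources:", suspicious_sources(ACCESS_LOG, CONN_LOG))
```

The threshold of three distinct hosts is a starting point, not a rule: a legitimate secondary name server or a monitoring host will also connect to many machines on port 53 or 80, so review the flagged sources against known infrastructure before treating them as intruders. The 404 status on the CGI requests is itself useful evidence: the scripts were requested on a server that does not have them.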
We encourage sites to disable or add access control to DNS zone transfers. One way to do this is to filter TCP port 53 at the network border so that zone transfers are permitted only from your known secondary domain name servers; UDP port 53 can remain open for ordinary queries.
We also urge you to filter/firewall all traffic except that which you explicitly decide to allow. Please look at our packet filtering tech tip for more information.
Copyright 1998 Carnegie Mellon University.