Intruders launching widespread scans in order to locate vulnerable machines is nothing new; however, a new intruder tool was publicly released last week which scans networks for many different vulnerabilities. The CERT Coordination Center has received numerous reports indicating that this tool is in widespread use within the intruder community.
The tool uses DNS zone transfers, brute force scanning of IP addresses, or both to locate machines. Once machines are located, they are tested for a number of vulnerabilities.
The tool has the capability to test for the following vulnerabilities:
The footprints of this attack are sequential connections to multiple hosts on one or more of the following TCP ports.
Port    Service
--------------
(23)    telnet
(53)    dns
(79)    finger
(80)    web
(110)   pop
(111)   SunRPC & NFS (UDP and TCP)
(143)   imap
(1080)  socks
(2049)  nfs (UDP)
(6000)  X

Also, requests for the phf, handler, and test-cgi CGI scripts may show up in web access logs.
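The two footprints above can be checked against logs. The following Python sketch is an added example, not part of the original CERT note: it flags a source that connects to a run of consecutive destination addresses on one of the listed ports, and lists clients that requested the named CGI scripts. The connection-log format (timestamp, source, destination, port), the four-host threshold, the reading of "sequential" as consecutive addresses, and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# TCP ports the note lists as footprints of the scan.
PROBED_PORTS = {23, 53, 79, 80, 110, 111, 143, 1080, 2049, 6000}
# Script names from the note, matched as the last path component of a request.
CGI_PROBE = re.compile(r'"(?:GET|POST|HEAD) \S*/(phf|handler|test-cgi)(?=[?\s"/])')

def find_sweeps(conn_lines, min_hosts=4):
    """Return {(src, port): [dst, ...]} for sources that reached at least
    min_hosts consecutive destination addresses on one listed port."""
    seen = defaultdict(set)
    for line in conn_lines:
        _ts, src, dst, port = line.split()
        if int(port) in PROBED_PORTS:
            seen[(src, int(port))].add(ipaddress.ip_address(dst))
    sweeps = {}
    for key, dsts in seen.items():
        ordered = sorted(dsts)
        run = best = [ordered[0]]
        for prev, cur in zip(ordered, ordered[1:]):
            # Extend the run only when the next address is adjacent.
            run = run + [cur] if int(cur) - int(prev) == 1 else [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_hosts:
            sweeps[key] = [str(a) for a in best]
    return sweeps

def find_cgi_probes(access_lines):
    """Return (client, script) pairs for requests naming phf, handler or test-cgi."""
    matches = ((line.split(" ", 1)[0], CGI_PROBE.search(line)) for line in access_lines)
    return [(client, m.group(1)) for client, m in matches if m]

# Constructed sample data (documentation address ranges), not real traffic.
SAMPLE_CONNS = """\
1998-07-01T03:10:01 203.0.113.7 192.0.2.10 143
1998-07-01T03:10:01 203.0.113.7 192.0.2.11 143
1998-07-01T03:10:02 203.0.113.7 192.0.2.12 143
1998-07-01T03:10:02 203.0.113.7 192.0.2.13 143
1998-07-01T03:11:40 198.51.100.20 192.0.2.11 80
1998-07-01T03:12:05 198.51.100.20 192.0.2.11 25
""".splitlines()
SAMPLE_ACCESS = [
    '203.0.113.7 - - [01/Jul/1998:03:10:05 -0400] "GET /cgi-bin/phf HTTP/1.0" 404 210',
    '203.0.113.7 - - [01/Jul/1998:03:10:05 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 404 215',
    '198.51.100.20 - - [01/Jul/1998:03:11:40 -0400] "GET /index.html HTTP/1.0" 200 1043',
]
```

A source that appears in both results, as 203.0.113.7 does in the sample data, is a stronger indicator than either footprint alone.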
We encourage sites to disable or add access control to DNS zone transfers. One way to do this is to filter port 53 (TCP) to prevent domain name service zone transfers and permit access to socket 53 (TCP) only from known secondary domain name servers.
We also urge you to filter/firewall all traffic except that which you explicitly decide to allow. Please look at our packet filtering tech tip for more information.
Copyright 1998 Carnegie Mellon University.