The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.<p>
<h2>New Tools Used For Widespread Scans</h2>

Thursday, July 2, 1998<p>

Intruders launching widespread scans in order to locate vulnerable
machines is nothing new; however, a new intruder tool was publicly
released last week which scans networks for many different
vulnerabilities. The CERT Coordination Center has received numerous
reports indicating that this tool is in widespread use within the
intruder community.<p>

The tool uses DNS zone transfers and/or brute-force scanning of IP
address ranges to locate machines. Once machines are located, they are
tested for a number of vulnerabilities.<p>

The tool has the capability to test for the following
vulnerabilities:<p>
<ul>
<li>statd vulnerability - see <a href="http://www.cert.org/advisories/CA-97.26.statd.html">http://www.cert.org/advisories/CA-97.26.statd.html</a></li>
<li>imap/pop3 vulnerabilities - see <a href="http://www.cert.org/advisories/CA-97.09.imap_pop.html">http://www.cert.org/advisories/CA-97.09.imap_pop.html</a></li>
<li>IRIX machines that have accounts with no passwords - see
<a href="http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html">http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html</a></li>
<li>bind vulnerability - see <a href="http://www.cert.org/advisories/CA-98.05.bind_problems.html">http://www.cert.org/advisories/CA-98.05.bind_problems.html</a></li>
<li>cgi-bin vulnerabilities - see <a href="http://www.cert.org/tech_tips/cgi_metacharacters.html">http://www.cert.org/tech_tips/cgi_metacharacters.html</a>
<ul>
<li>phf - see <a href="http://www.cert.org/advisories/CA-96.06.cgi_example_code.html">http://www.cert.org/advisories/CA-96.06.cgi_example_code.html</a></li>
<li>handler - see <a href="ftp://ftp.cert.org/pub/cert_bulletins/VB-97.07.sgi">ftp://ftp.cert.org/pub/cert_bulletins/VB-97.07.sgi</a></li>
<li>test-cgi</li>
</ul>
</li>
<li>NFS filesystems exported to everyone</li>
<li>X11 (open X servers)</li>
</ul>

We encourage you to ensure that all machines in your network utilizing
any of the above services are up to date with patches and properly
secured.<p>

The footprints of this attack are sequential connections from one source
to multiple hosts on one or more of the following ports (TCP, plus UDP
where noted).<p>
<pre>
Port   Service
--------------
(23)   telnet
(53)   dns
(79)   finger
(80)   web
(110)  pop
(111)  SunRPC &amp; NFS (UDP and TCP)
(143)  imap
(1080) socks
(2049) nfs (UDP)
(6000) X
</pre>

Also, requests for the phf, handler, and test-cgi CGI scripts may show
up in web access logs.<p>
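As an added illustration of that footprint (example code, not part of the CERT note), the following Python checks constructed connection-log and web-access-log lines for the two signs described above: a single source contacting several hosts on the listed ports, and requests naming the phf, handler or test-cgi scripts. The log formats, sample addresses and the three-host threshold are assumptions.

```python
import re
from collections import defaultdict

# Ports listed in the note as the scanner's footprint
SCAN_PORTS = {23, 53, 79, 80, 110, 111, 143, 1080, 2049, 6000}
# CGI script names the note says may appear in web access logs
CGI_PROBES = ("phf", "handler", "test-cgi")

# Constructed connection log: "time src dst port" (assumed format)
CONN_LOG = """\
12:00:01 10.0.0.5 192.168.1.10 111
12:00:02 10.0.0.5 192.168.1.11 111
12:00:03 10.0.0.5 192.168.1.12 111
12:00:04 10.0.0.5 192.168.1.10 143
12:00:05 10.0.0.5 192.168.1.13 6000
12:00:06 10.0.0.7 192.168.1.10 22
12:00:07 10.0.0.9 192.168.1.10 80
"""

# Constructed web access log lines in Common Log Format
ACCESS_LOG = """\
10.0.0.5 - - [02/Jul/1998:12:00:08 -0400] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 -
10.0.0.5 - - [02/Jul/1998:12:00:09 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 404 -
10.0.0.9 - - [02/Jul/1998:12:00:10 -0400] "GET /index.html HTTP/1.0" 200 1234
"""

def suspicious_sources(conn_log, min_hosts=3):
    """Map each source to the distinct hosts it contacted on SCAN_PORTS,
    keeping only sources that reached at least min_hosts hosts."""
    hosts = defaultdict(set)
    for line in conn_log.splitlines():
        _, src, dst, port = line.split()
        if int(port) in SCAN_PORTS:
            hosts[src].add(dst)
    return {s: d for s, d in hosts.items() if len(d) >= min_hosts}

# Client address, then the request line's method and path
CGI_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)')

def cgi_probes(access_log):
    """List (src, script) for requests whose path names a probed CGI script."""
    hits = []
    for line in access_log.splitlines():
        m = CGI_RE.match(line)
        if not m:
            continue
        src, path = m.groups()
        script = path.split("?")[0].rsplit("/", 1)[-1]  # strip query, keep basename
        if script in CGI_PROBES:
            hits.append((src, script))
    return hits
```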

We encourage sites to disable or add access control to DNS zone
transfers. One way to do this is to filter port 53 (TCP) to prevent
domain name service zone transfers, permitting access to port 53
(TCP) only from known secondary domain name servers.<p>

We also urge you to filter/firewall all traffic except that which you
explicitly decide to allow. Please look at our packet filtering tech
tip for more information.<p>
<dl><dd><a href="http://www.cert.org/tech_tips/packet_filtering.html">
http://www.cert.org/tech_tips/packet_filtering.html</a></dd></dl>
<p>Copyright 1998 Carnegie Mellon University.</p>