AUSCERT External Security Bulletin Redistribution

                     ESB-97.035 -- CERT Summary CS-97.02
                              19 March 1997


CERT/CC have released the following CERT Summary which describes widespread,
large-scale attacks against news servers.  AUSCERT has received numerous
reports from Australian sites indicating these attacks are also widespread
throughout Australia.

AUSCERT encourages all sites running news servers to take the steps
outlined in this CERT Summary.

The AUSCERT advisory relating to this vulnerability is AA-96.19.  It
can be retrieved from:


AA-96.19 has been updated since its initial release and it's suggested
that sites fetch the current copy.

Sites that have upgraded to INN 1.5.1 in response to this vulnerability
should ensure that the installation notes and README have been carefully
followed.  In some cases, unless the instructions have been followed a site
may still remain vulnerable.  More information on this can be found in
either CERT Advisory CA-97.08 or AUSCERT Advisory AA-96.19.

AUSCERT maintains a local mirror of cert.org, available from:


This following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
        AUSCERT personnel answer during Queensland business hours
        which are GMT+10:00 (AEST).
        On call after hours for emergencies.

- --------------------------BEGIN INCLUDED TEXT--------------------


- - ---------------------------------------------------------------------------
CERT(sm) Summary CS-97.02 - SPECIAL EDITION
March 18, 1997

This special edition of the CERT Summary highlights widespread, large-scale
attacks that are occurring against news servers.

Past CERT Summaries are available from
- - ---------------------------------------------------------------------------

Current activity - attacks on news servers
- - ------------------------------------------

The CERT Coordination Center and incident response teams around the world have
received numerous reports concerning widespread, large-scale attacks on NNTP
(Network News Transport Protocol) servers throughout the world. NNTP servers
are commonly referred to as USENET news servers.

The activity involves an attempt to exploit a vulnerability in versions of
INN (InterNetNews) prior to 1.5.1. We have received reports that version 1.5.1
was thought to be vulnerable; however, as far as we are able to determine, it
is not.

INN is a commonly used software program for serving and managing news
according to the NNTP protocol. This vulnerability allows remote users to
execute arbitrary commands on the news server with the same privileges as 
the user-id that manages the news server. As of 8:00 am EST (GMT -5),
March 18, 1997, it appears that the most common activity is to attempt to mail
the password file and configuration files to a remote site.

Because of the nature of USENET news, messages are passed automatically from
one site to another. The exploitation involves a particular kind of message,
known as a control message. Intruders can construct and post control messages
in such a way as to exploit the vulnerability. Because of this, your site may
have been compromised even if it was not specifically selected by an intruder.

Information about the vulnerability, along with information about patches and
workarounds, is available from


If we receive further information, we will update this advisory.

We encourage sites that are running INN 1.5 or earlier to upgrade to
INN 1.5.1 as soon as possible.

James Brister, the current maintainer of INN, has provided additional
information regarding the update to INN 1.5.1; this information has been added
to the advisory. James has provided the following patches for INN version 1.5,
1.4sec, 1.4unoff3, and 1.4unoff4:

  ftp://ftp.isc.org/isc/inn/patches/security-patch.01    1.5
  ftp://ftp.isc.org/isc/inn/patches/security-patch.02    1.4sec
  ftp://ftp.isc.org/isc/inn/patches/security-patch.03    1.4unoff3, 1.4unoff4

The directory includes MD5 checksums for each patch.

Information regarding INN patches may be found at


System administrators who did not update to INN 1.5.1 before Friday,
March 14, 1997, should take the following steps:

      * Examine your news logs for signs of exploitation. So far, we
        have reports of at least six distinct message IDs being used:


        Although these messages appear to come from UUNET, the messages
        were forged.

        If these message IDs appear in your logs, it is highly likely that
        these control messages reached your news server. Moreover, it is
        almost certain that additional messages will be (or already have been)
        crafted by intruders, so checking for those message IDs is not enough.

      * If you discover that your password file has been mailed to an intruder
        and you are not using a shadow password mechanism (or another password
        mechanism such as Kerberos), you should consider changing all the
        passwords on your systems.

        We encourage you to examine the following documents for further
        security information:


            This document will help you methodically check your systems
            for signs of compromise, and offers pointers to other resources
            and suggestions on how to proceed in the event of a compromise.


            This document outlines steps you can take to help recover from
            a root compromise and to secure your systems from further


            This document will help you avoid common problems that can lead
            to compromises on UNIX systems, and provides a general framework
            for configuring UNIX systems.


            This document provides a list of tools that can help you
            to monitor your systems for signs of compromise and to
            monitor activity on your systems and networks.


            This document describes ways in which you can protect your
            password file from unauthorized access.

      * Examine your news server for unauthorized processes running as the
        news user. Several of the malicious NNTP control messages include a
        script that attempts to establish an outgoing telnet session to another
        location. Typically, sites with firewalls permit outbound telnet

      * We have several reports of sites that have attempted to check their
        own exposure to this vulnerability and have inadvertently released
        control messages to the Internet that exploit this vulnerability. We
        strongly discourage sites from using control messages as a way to
        measure exposure to this vulnerability. To determine if your NNTP
        server is vulnerable, we recommend that you follow the steps outlined
        in Section I of advisory CA-97.08. If you have accidentally released
        such a message, we encourage you to notify any vulnerable sites that
        you discover through feedback from your test message. Please include
        cert@cert.org in the CC line of the messages you exchange.

      * If you discover that you have been compromised as a result of this
        vulnerability and you have a representative in FIRST, we encourage you
        to contact them directly. To locate your representative in the FIRST
        community, please see


      * If you do not have a representative in FIRST, we encourage you to
        report to the CERT Coordination  Center. In order to help us assess
        the 'big picture,' please include the following information:

                - Your name and contact information
                - The domain name of your news server
                - The NNTP server software you run, including version number
                - A copy of the control message(s) if you have it
                - Any additional pertinent information

        In accordance with our policies, we will not release information about
        your site without your explicit permission.

        Due to the large volume of mail we are receiving regarding this
        activity, we may not be able to follow up all reports
        individually. Nonetheless, your report will help us to understand the
        activity better and to provide more accurate information to the
        Internet community at large.

We would like to express our thanks to James Brister for his assistance in
preparing this summary.

- - ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more

Location of CERT PGP key

- - ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

Version: 2.6.2


- --------------------------END INCLUDED TEXT--------------------

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key