AUSCERT External Security Bulletin Redistribution

                  ESB-2001.219 -- CERT Summary CS-2001-02
                               CERT Summary
                                30 May 2001


        AusCERT Security Bulletin Summary

Product:                Summary
Vendor:                 CERT/CC

--------------------------BEGIN INCLUDED TEXT--------------------


CERT Summary CS-2001-02

   May 29, 2001

   Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries

Recent Activity

   Since the last regularly scheduled CERT summary, issued in February
   2001 (CS-2001-01), we have seen a significant increase in
   reconnaissance activity, a number of self-propagating worms, and
   active exploitation of vulnerabilities in snmpxdmid, BIND and IIS by

   For more current information on activity being reported to the
   CERT/CC, please visit the CERT/CC Current Activity page. The Current
   Activity page is a regularly updated summary of the most frequent,
   high-impact types of security incidents and vulnerabilities being
   reported to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity

    1. sadmind/IIS Worm

       The CERT/CC has received reports from more than 400 sites affected
       by a piece of self-propagating malicious code (referred to here as
       the sadmind/IIS worm). This worm uses two well-known
       vulnerabilities to compromise Solaris systems and deface web pages
       running on IIS servers. Reports indicate more than 500 Solaris
       machines have been compromised by the sadmind/IIS worm and more
       than 6000 IIS servers have been defaced. Sites running either
       Solaris or IIS are strongly encouraged to review CA-2001-11 and
       those running IIS should review the advisories listed below in the
       "Other Recent IIS Security Issues" section as well.

                CERT Advisory CA-2001-11: sadmind/IIS Worm

    2. Other Recent IIS Security Issues

       The CERT/CC has recently published information on two new
       vulnerabilities in IIS. Given the current level of exploitation of
       IIS by intruders and the sadmind/IIS worm, the CERT/CC strongly
       encourages sites to review the following advisories and take
       appropriate steps to protect IIS servers.

          + Superfluous Decoding Vulnerability in IIS

            A serious vulnerability in Microsoft IIS may allow remote
            intruders to execute commands on an IIS web server. This
            vulnerability closely resembles a previous vulnerability in
            IIS that was widely exploited. The CERT/CC urges IIS
            administrators to take action to correct this vulnerability.

                      CERT Advisory CA-2001-12: Superfluous Decoding
                      Vulnerability in IIS
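             The defect CA-2001-12 describes is one of ordering: the server
             decodes the request path, runs its traversal check, and then
             decodes the path a second time before mapping it to the
             filesystem, so an escape sequence encoded twice ("%255c")
             passes the check as "%5c" and only becomes "\" afterwards. The
             following is an added illustration written for this summary,
             not IIS code or anything from CERT/CC; the request path and
             the checking logic are constructed for the demonstration, and
             only the decode/check/decode order is taken from the advisory.

```python
from urllib.parse import unquote

# Constructed request paths for the demonstration (not taken from the advisory).
# '%255c' decodes once to '%5c' and a second time to '\'.
DOUBLE_ENCODED = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"
SINGLE_ENCODED = "/scripts/..%5c..%5cwinnt/system32/cmd.exe"


def escapes_web_root(path):
    """Traversal check: walk the path and report whether '..' ever climbs
    above the web root. Both '/' and '\\' count as separators, as on Windows."""
    depth = 0
    for part in path.replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False


def resolve_vulnerable(request_path):
    """Order of operations the advisory describes: decode, check, then decode
    AGAIN before use. Returns the path that would be opened, or None if the
    check rejected the request."""
    once = unquote(request_path)
    if escapes_web_root(once):
        return None
    twice = unquote(once)  # the superfluous decode: what the check saw is not what is used
    return twice


def resolve_fixed(request_path):
    """Decode exactly once and check the form that is actually used; any '%'
    left after one decode is a literal character and is never decoded again."""
    once = unquote(request_path)
    if escapes_web_root(once):
        return None
    return once


def main():
    for label, resolver in (("vulnerable", resolve_vulnerable), ("fixed", resolve_fixed)):
        for req in (SINGLE_ENCODED, DOUBLE_ENCODED):
            result = resolver(req)
            if result is None:
                verdict = "rejected by check"
            elif escapes_web_root(result):
                verdict = "ESCAPES WEB ROOT: " + result
            else:
                verdict = "stays under root: " + result
            print(f"{label:10s} {req}\n           -> {verdict}")


if __name__ == "__main__":
    main()
```

             The single-encoded request is caught by both resolvers; only
             the double-encoded one slips past the vulnerable order of
             operations, and in the fixed resolver it resolves to a literal
             (non-existent) file name that never leaves the web root. The
             general rule is that the check must run on exactly the
             representation that is handed to the filesystem.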

          + Buffer Overflow Vulnerability in Microsoft IIS 5.0

            A vulnerability exists in Microsoft IIS 5.0 running on
            Windows 2000 that allows a remote intruder to run arbitrary
            code on the victim machine, allowing them to gain complete
            administrative control of the machine. A proof-of-concept
            exploit is publicly available for this vulnerability, which
            increases the urgency that system administrators apply the

                      CERT Advisory CA-2001-10: Buffer Overflow
                      Vulnerability in Microsoft IIS 5.0

       Additional advice on securing IIS web servers is available from:

                Microsoft Technet Security Tools

    3. Exploitation of snmpXdmid

       The CERT/CC has received dozens of reports indicating that a
       vulnerability in snmpXdmid is being actively exploited.
       Exploitation of this vulnerability allows an intruder to gain
       privileged (root) access to the system.

                CERT Advisory CA-2001-05: Exploitation of snmpXdmid

    4. Exploitation of BIND Vulnerabilities

       On January 29, 2001, the CERT/CC published CERT Advisory
       CA-2001-02, detailing multiple vulnerabilities in multiple
       versions of ISC BIND nameserver software. Two of the
       vulnerabilities described in the advisory are still being actively
       exploited by the intruder community to compromise systems.

                CERT Incident Note IN-2001-03: Exploitation of BIND

                CERT Advisory CA-2001-02: Multiple Vulnerabilities in

    5. The "cheese" Worm

       The CERT/CC has observed in public and private reports a recent
       pattern of activity surrounding probes to TCP port 10008. We have
       obtained an artifact called the "cheese" worm which may contribute
       to this pattern.

                CERT Incident Note IN-2001-05: The "cheese" Worm

    6. Increase in Reconnaissance Activity

       Over the past several weeks, the CERT/CC has observed a
       significant increase in network reconnaissance activity. While
       some of this traffic may be attributed to the sadmind/IIS worm or
       the "cheese" worm, reports indicate active scanning for known
       vulnerabilities in other network services as well. In addition, we
       have seen a significant increase in the number of generalized port
       scans of hosts.

       In order to minimize exposure to this activity, the CERT/CC
       recommends that sites review and apply vendor-supplied security
       patches, disable non-critical network services, and actively
       monitor system and network logs for unusual activity.
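        The log monitoring recommended above, and the TCP port 10008 probing
        pattern noted under the "cheese" worm item, can both be checked with
        a small log pass. The script below is an added example written for
        this summary, not a CERT/CC tool; its log line format, the scan and
        sweep thresholds, and the sample records are all constructed for the
        demonstration. It flags a source that touches many distinct ports on
        one host, a source that hits the same port across many hosts, and
        any source probing TCP/10008.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not real traffic). 203.0.113.4 sweeps TCP/10008
# across three hosts; 198.51.100.9 walks a dozen ports on one host;
# 192.0.2.50 makes ordinary web requests. The format is assumed.
SAMPLE_LOG = """\
2001-05-20 03:14:01 DROP TCP 203.0.113.4:4123 -> 192.0.2.7:10008
2001-05-20 03:14:01 DROP TCP 203.0.113.4:4124 -> 192.0.2.8:10008
2001-05-20 03:14:02 DROP TCP 203.0.113.4:4125 -> 192.0.2.9:10008
2001-05-20 03:15:10 DROP TCP 198.51.100.9:5001 -> 192.0.2.7:21
2001-05-20 03:15:10 DROP TCP 198.51.100.9:5002 -> 192.0.2.7:22
2001-05-20 03:15:10 DROP TCP 198.51.100.9:5003 -> 192.0.2.7:23
2001-05-20 03:15:11 DROP TCP 198.51.100.9:5004 -> 192.0.2.7:25
2001-05-20 03:15:11 DROP TCP 198.51.100.9:5005 -> 192.0.2.7:53
2001-05-20 03:15:11 ACCEPT TCP 198.51.100.9:5006 -> 192.0.2.7:80
2001-05-20 03:15:12 DROP TCP 198.51.100.9:5007 -> 192.0.2.7:110
2001-05-20 03:15:12 DROP TCP 198.51.100.9:5008 -> 192.0.2.7:111
2001-05-20 03:15:12 DROP TCP 198.51.100.9:5009 -> 192.0.2.7:143
2001-05-20 03:15:13 ACCEPT TCP 198.51.100.9:5010 -> 192.0.2.7:443
2001-05-20 03:15:13 DROP TCP 198.51.100.9:5011 -> 192.0.2.7:515
2001-05-20 03:15:13 DROP TCP 198.51.100.9:5012 -> 192.0.2.7:8080
2001-05-20 03:16:00 ACCEPT TCP 192.0.2.50:33000 -> 192.0.2.7:80
2001-05-20 03:16:01 ACCEPT TCP 192.0.2.50:33001 -> 192.0.2.7:443
not a firewall record: skipped by the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>[A-Z]+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

CHEESE_PROBE_PORT = 10008   # TCP port named in IN-2001-05
PORT_SCAN_THRESHOLD = 10    # assumed: distinct ports from one source => vertical scan
HOST_SWEEP_THRESHOLD = 3    # assumed: distinct hosts on one port from one source => sweep


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(log_text, scan_threshold=PORT_SCAN_THRESHOLD, sweep_threshold=HOST_SWEEP_THRESHOLD):
    """Summarise reconnaissance indicators per source address."""
    ports_by_src = defaultdict(set)        # src -> {dport}
    hosts_by_src_port = defaultdict(set)   # (src, dport) -> {dst}
    probes_10008 = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ports_by_src[rec["src"]].add(rec["dport"])
        hosts_by_src_port[(rec["src"], rec["dport"])].add(rec["dst"])
        if rec["proto"] == "TCP" and rec["dport"] == CHEESE_PROBE_PORT:
            probes_10008.add(rec["src"])
    return {
        "port_scanners": sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold),
        "host_sweepers": sorted({s for (s, _), h in hosts_by_src_port.items() if len(h) >= sweep_threshold}),
        "port_10008_probes": sorted(probes_10008),
    }


if __name__ == "__main__":
    for key, sources in analyse(SAMPLE_LOG).items():
        print(f"{key:18s} {sources}")
```

        Thresholds are site-specific; the point of separating vertical scans,
        horizontal sweeps and the single named port is that a worm looking
        for one service shows up as a sweep long before it trips a per-host
        port count.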

    7. Statistical Weaknesses in TCP/IP Initial Sequence Numbers

       A new vulnerability has been identified which is present when
       using random increments to constantly increase TCP ISN values over
       time. Systems are vulnerable if they have not incorporated RFC
       1948 or equivalent improvements, or do not use cryptographically
       secure network protocols like IPsec.

                CERT Advisory CA-2001-09: Statistical Weaknesses in
                TCP/IP Initial Sequence Numbers
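       Why a random-increment generator is weak, and what RFC 1948 changes,
       is easier to see with both schemes side by side. The code below is an
       added example written for this summary, not from CERT/CC or any
       operating system; the increment bound, the addresses, the attack
       scenario and the use of HMAC-SHA-256 in place of the MD5 construction
       RFC 1948 suggests are all assumptions. An attacker who opens one
       connection learns an ISN, then guesses that a spoofed connection from
       a trusted host will be assigned an ISN a short distance ahead of it.

```python
import hashlib
import hmac
import os
import random

MASK32 = 0xFFFFFFFF


class RandomIncrementISN:
    """The weak scheme CA-2001-09 warns about: each new connection's ISN is the
    previous one plus a random increment, so consecutive ISNs stay close together
    regardless of which connection they are issued to."""

    def __init__(self, max_increment=1 << 16, seed=None):
        self._rng = random.Random(seed)   # seedable only so the demo is reproducible
        self._isn = self._rng.getrandbits(32)
        self.max_increment = max_increment

    def next_isn(self, local, remote, clock_us=0):
        # local/remote are (ip, port) tuples; the scheme ignores them entirely
        self._isn = (self._isn + self._rng.randrange(1, self.max_increment + 1)) & MASK32
        return self._isn


class Rfc1948ISN:
    """RFC 1948 style: ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret).
    M is the 4-microsecond clock; F is a keyed function the attacker cannot evaluate
    for a 4-tuple they do not own. HMAC-SHA-256 here is an assumed stand-in for the
    MD5 construction the RFC suggests."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(32)

    def next_isn(self, local, remote, clock_us):
        m = (clock_us // 4) & MASK32
        ident = f"{local[0]}:{local[1]}|{remote[0]}:{remote[1]}".encode()
        f = int.from_bytes(hmac.new(self.secret, ident, hashlib.sha256).digest()[:4], "big")
        return (m + f) & MASK32


def spoof_succeeds(observed_isn, victim_isn, max_increment):
    """Attacker saw `observed_isn` on their own connection and guesses the victim's
    ISN lies in (observed, observed + max_increment]; 32-bit wrap-around handled."""
    return 0 < ((victim_isn - observed_isn) & MASK32) <= max_increment


def simulate(generator, clock_us=1_000_000):
    """Attacker connects to the server (learns one ISN); 40 microseconds later a
    spoofed SYN 'from' the trusted host arrives. Returns True if the attacker's
    guessed window contains the ISN the server would send to the trusted host."""
    server = ("192.0.2.10", 513)          # constructed addresses
    attacker = ("203.0.113.4", 40000)
    trusted = ("192.0.2.20", 1023)
    observed = generator.next_isn(server, attacker, clock_us)
    victim = generator.next_isn(server, trusted, clock_us + 40)
    return spoof_succeeds(observed, victim, 1 << 16)


if __name__ == "__main__":
    print("random increment:", simulate(RandomIncrementISN(seed=1)))   # attacker's window hits
    print("RFC 1948        :", simulate(Rfc1948ISN()))                   # window misses
```

       With the random-increment generator the victim's ISN is by
       construction within one increment of what the attacker just saw, so
       a 2^16-wide guess covers it. With RFC 1948 the two ISNs differ by
       the clock advance plus the difference of two keyed-hash outputs, so
       the attacker's own connections tell them nothing about the trusted
       host's sequence space; the clock term still keeps the same 4-tuple's
       ISNs moving forward as TCP requires.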

  Collaboration between the CERT Coordination Center and the Internet Security

   Using its standard process for collaborating with industry
   organizations, the CERT/CC, as part of the SEI, has entered into an
   agreement with the Electronic Industries Alliance, a not-for-profit
   organization in Virginia, to support the activity of the Internet
   Security Alliance (ISA). ISA is a member organization that is focused
   on the overall improvement of Internet security.

          Internet Security Alliance

          Frequently Asked Questions (FAQ) about the collaboration
          between CERT Coordination Center and the Internet Security

What's New and Updated

   Since the last CERT Summary, we have published new and updated:
     * Advisories
     * Incident Notes
     * CERT/CC Statistics
     * Annual Reports

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

    Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from


   If you prefer to use DES, please call the CERT hotline for more

    Getting security information

   CERT publications and other security information are available from
   our web site


   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright ©2001 Carnegie Mellon University.



--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key