AusCERT Alert 2001.08 Current widespread intruder activity against IIS and sunrpc

-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2001.08  --  AUSCERT ALERT
         Current widespread intruder activity against IIS and sunrpc
                                 8 May 2001
===========================================================================
PROBLEM:

          AusCERT has received increased numbers of reports of apparently
          automated activity directed against vulnerable implementations
          of Microsoft Internet Information Server (IIS) and Sun portmapper
          (sunrpc) services on Internet hosts within Australia and New
          Zealand over the past few days. Web site defacements have been
          reported that may be a result of this activity.

          The cause of this activity is believed to be a new worm that is
          similar to 1i0n or Ramen.  The worm is believed to operate by
          compromising Solaris machines running vulnerable services
          available via sunrpc.  These compromised platforms are then used
          to launch web defacement attacks utilising the "Unicode Bug"
          against vulnerable IIS 4.0 and 5.0 servers.

          The IIS attack is based on a relatively old vulnerability in
          unpatched versions of Microsoft IIS 4.0 and IIS 5.0. This
          vulnerability is more commonly known as the "Unicode Bug". More
          information is available from the previous AusCERT Alert:

               ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.02

          and the AusCERT External Security Bulletin:

               ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.360

          It appears that this attack is accompanied by attempts to exploit
          services available via sunrpc (port 111) on Sun Solaris machines.
          Information about the most recent vulnerabilities is in the
          AusCERT External Security Bulletins:

               ftp://ftp.auscert.org.au/pub/auscert/AA/AL-2001.06
               ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.132
               ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.222
               ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-1999.203

          These attacks are currently widespread and AusCERT is releasing
          this information to alert system administrators to this activity.
          Member sites may wish to check their systems for evidence of
          attacker activity directed at sunrpc services or malformed URL
          requests directed at IIS servers.
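The IIS half of the check suggested above, written out as an added example (this is not code from the alert or from AusCERT). Plain "../" in a request path was already refused by IIS 4.0 and 5.0; the Unicode Bug was that an overlong UTF-8 encoding of "/" or "\" (%c0%af and %c1%9c are the well-known forms) passed the check and was decoded into the real separator afterwards. A detector therefore has to decode the way the vulnerable server did and only then look for traversal. The log layout is assumed to be a cut-down W3C Extended format, and every log line below is constructed for the example.

```python
"""Flag IIS requests whose path hides '..' traversal behind overlong UTF-8.

Added example, not part of the AusCERT alert. Assumed log layout (a subset
of W3C Extended): date time c-ip cs-method cs-uri-stem sc-status.
"""
from urllib.parse import unquote_to_bytes


def decode_overlong_utf8(data: bytes) -> bytes:
    """Decode UTF-8 leniently: an overlong 2- or 3-byte form of an ASCII
    character becomes that ASCII byte (the behaviour the bug depended on);
    genuine multi-byte characters and stray bytes pass through unchanged."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            width = 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and 0x80 <= data[i + 1] <= 0xBF and 0x80 <= data[i + 2] <= 0xBF):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            width = 3
        else:
            out.append(b)
            i += 1
            continue
        if cp < 0x80:                 # overlong encoding of an ASCII character
            out.append(cp)
        else:                         # legitimate non-ASCII character: keep bytes
            out += data[i:i + width]
        i += width
    return bytes(out)


def has_traversal(path: bytes) -> bool:
    """True if any path segment is '..' (backslash treated as a separator,
    as IIS does)."""
    return b".." in path.replace(b"\\", b"/").split(b"/")


def classify_uri(uri: str):
    """Return 'plain-traversal', 'overlong-utf8-traversal', or None."""
    raw = unquote_to_bytes(uri)       # one round of %xx decoding, as the server does
    if has_traversal(raw):
        return "plain-traversal"
    if has_traversal(decode_overlong_utf8(raw)):
        return "overlong-utf8-traversal"
    return None


LOG_FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "sc-status")


def scan_iis_log(lines):
    """Yield (client ip, uri, reason) for every request that looks like traversal."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(LOG_FIELDS):
            continue                  # not the assumed layout; skip rather than guess
        rec = dict(zip(LOG_FIELDS, parts))
        reason = classify_uri(rec["cs-uri-stem"])
        if reason:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reason))
    return hits


# Constructed sample log: one benign non-ASCII path, two overlong-UTF-8
# traversals (2-byte and 3-byte forms), one plain traversal.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-05-07 02:14:31 192.0.2.10 GET /default.htm 200
2001-05-07 02:14:32 192.0.2.10 GET /caf%c3%a9/menu.html 200
2001-05-07 02:15:03 198.51.100.7 GET /scripts/..%c0%af../secret.txt 200
2001-05-07 02:15:04 198.51.100.7 GET /scripts/..%e0%80%af..%e0%80%af../secret.txt 200
2001-05-07 02:16:10 203.0.113.5 GET /scripts/../secret.txt 404
""".splitlines()

if __name__ == "__main__":
    for ip, uri, reason in scan_iis_log(SAMPLE_LOG):
        print(f"{ip:15} {reason:24} {uri}")
```

A 200 status next to an overlong-UTF-8 hit is the line worth escalating: it indicates the server decoded the path after its check, which is exactly the unpatched condition the alert describes.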
PLATFORM:

          For the sunrpc activity, currently only Solaris platforms which
          have unpatched services available via sunrpc (port 111) may be
          vulnerable to these attacks.

          For the Unicode Bug, unpatched IIS 4.0 and 5.0 servers are
          vulnerable to these attacks.

IMPACT:

          Sun Solaris systems are being actively attacked and root
          compromised.

          Servers running IIS 4.0 and 5.0 are being actively attacked and
          defaced.
RECOMMENDATIONS:

          A. Patch Vulnerable Solaris Services

          Solaris System Administrators are urged to check their systems for
          insecure versions of sunrpc services as per AusCERT Alerts and
          Bulletins available from:

               ftp://ftp.auscert.org.au/pub/auscert/AA/AL-2001.06
               ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.132
               ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.222
               ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-1999.203

          B. Patch Vulnerable Versions of IIS

          Microsoft System Administrators are urged to check their systems
          for insecure versions of IIS services as per AusCERT Alerts and
          Bulletins available from:

               ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.02
               ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.360

          C. Consider Wrapping portmap

          Administrators may wish to consider wrapping the portmap service
          using tools such as portmapper as provided by Wietse Venema:

                http://ftp.porcupine.org/pub/security/portmap_4.tar.gz
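An added example for recommendation C, not code from the alert or from the portmap replacement itself: a small evaluator for tcp_wrappers-style hosts.allow / hosts.deny rules, so the rule set for the wrapped portmap can be checked against sample client addresses before port 111 is exposed. It assumes the wrapped portmap consults the two files in the usual tcp_wrappers order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise the request is granted) and that only the pattern forms ALL, an exact address, a dotted prefix ending in ".", and net/mask are used; the rule text and client addresses are constructed.

```python
"""Evaluate hosts.allow / hosts.deny rules for a wrapped portmap.

Added example, not part of the AusCERT alert. Assumes tcp_wrappers
evaluation order (allow file, then deny file, then default grant) and
supports the client patterns ALL, exact address, 'a.b.' prefix, net/mask.
"""
import ipaddress


def client_matches(pattern: str, client_ip: str) -> bool:
    """Does one client pattern from a rule cover this address?"""
    ip = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:                          # net/mask, e.g. 192.0.2.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                   # dotted prefix, e.g. 10.1.
        return client_ip.startswith(pattern)
    return client_ip == pattern                 # exact address


def parse_rules(text: str):
    """Parse 'daemon_list : client_list' lines into ([daemons], [clients])."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        if "EXCEPT" in line:
            raise ValueError("EXCEPT is not handled by this example: " + line)
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def rule_matches(rules, daemon: str, client_ip: str) -> bool:
    """First-match semantics: any rule naming the daemon (or ALL) and the client."""
    for daemons, clients in rules:
        if (daemon in daemons or "ALL" in daemons) and \
                any(client_matches(c, client_ip) for c in clients):
            return True
    return False


def access_decision(hosts_allow: str, hosts_deny: str, daemon: str, client_ip: str) -> str:
    """tcp_wrappers order: allow file wins, then deny file, then grant by default.
    The default grant is why a deny file without 'portmap: ALL' leaves the
    service open to everyone not listed."""
    if rule_matches(parse_rules(hosts_allow), daemon, client_ip):
        return "allow"
    if rule_matches(parse_rules(hosts_deny), daemon, client_ip):
        return "deny"
    return "allow"


# Constructed rule set: only the local network and loopback may reach portmap.
HOSTS_ALLOW = """\
# local clients of the RPC services on this host
portmap: 192.0.2.0/255.255.255.0, 127.0.0.1
"""
HOSTS_DENY = """\
portmap: ALL
"""

if __name__ == "__main__":
    for client in ("192.0.2.44", "127.0.0.1", "198.51.100.7"):
        print(client, access_decision(HOSTS_ALLOW, HOSTS_DENY, "portmap", client))
```

Running the evaluator with an empty deny file shows the trap: every address not explicitly listed is granted, which is the same exposure as the unwrapped service.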
          D. Check For Signs of Compromise

          If you suspect that your site may have been compromised, we
          encourage you to read:

                ftp://ftp.auscert.org.au/pub/cert/tech_tips/intruder_detection_checklist

          If your site has been compromised, we encourage you to read:

                http://www.auscert.org.au/Information/Auscert_info/Papers/win-UNIX-system_compromise.html

          AusCERT is currently monitoring this problem. If you detect that
          your systems have been compromised, please contact AusCERT.
- ---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call
                after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOvgXaCh9+71yA2DNAQG56wP9HdNfMQZlCnDgDBoCGnNRi2eLAB0QRsqX
OYYR/ufK0oxcQIyvZoe+7JPB5MSX9jTp30d9eqHE3khkwHSZ2s9GqN7jbYxeD/IL
9wW/r/tk82PtrbbtDk/b2XJeNh/gLHgQRmK2xAK5qRM61J3Rkw2HGWP0CMPiWWxx
Dng6ZwQApV8=
=aPEl
-----END PGP SIGNATURE-----