From: Treece, Dennis (ISS Atlanta) (DTreece@iss.net)
Date: Tue Oct 30 2001 - 11:18:26 CST


Copyright 2001 Internet Security Systems (trademark) THE POWER TO PROTECT

INTERNET THREAT & SOLUTIONS UPDATE for Oct 30th - Nov 1st, 2001
ISS X-Force Special Operations Group

----------------------------------------
CURRENT THREAT ASSESSMENT & THREAT FORECAST
----------------------------------------

AlertCon 2 Today, Oct 30th, 2001
AlertCon 2 For Oct 31st-Nov 1st, 2001

*************

- We have raised to AlertCon 2 (increased vigilance) because of a
combination of potential threats that may need some action. We will
re-evaluate this tomorrow, but for now we think it prudent to extend
this raised AlertCon out through mid-day on Thursday.

- Added to the Port 22 ssh issues we raised yesterday (see solutions
below), we have the new Nimda-E variant that is showing a modest but
steady increase in activity. We also have an Oracle vulnerability that
could prove troublesome for those Oracle databases running in a Unix
environment. While none of these vulnerabilities by itself would be
cause for a raised AlertCon, the combination of the three has
sufficient potential for harm to a fairly large audience of networks.

-------------------------------------
SOLUTIONS
-------------------------------------

- SSH vulnerabilities.

-- Verify the patches have been applied to your implementation of SSH
and consider limiting port access to just those IP addresses using SSH
to support your business requirements. The following are a few of the
advisories posted for the SSH vulnerabilities:

-- SSH CRC32 attack detection code contains remote integer overflow
<http://www.kb.cert.org/vuls/id/945216>

-- Remote vulnerabilities in OpenSSH
<http://linuxtoday.com/news_story.php3?ltsn=2001-10-25-001-20-SC>

-- Multiple SSH Vulnerabilities
<http://www.cisco.com/warp/public/707/SSH-multiple-pub.html>

-- SSH Secure Shell Authentication Bypass Vulnerability
<http://xforce.iss.net/alerts/advise88.php>

-- OpenSSH - Possible to determine password length
<http://www.trustix.org/pipermail/tsl-announce/2001-March/000002.html>

- Nimda-E Worm. This worm seeks the same vulnerabilities as earlier
versions of the Nimda worm, so for those devices with the IIS patch
installed there is no new danger.

-- Those relying on anti-virus solutions will need to pay attention,
since the strings have changed and until your vendor catches up you
may be vulnerable.

-- Far better to install the IIS and other relevant Microsoft patches
discussed in MS00-060, MS00-078, and MS01-020.

-- Patch your Win 2K and NT machines from these links:

--- Win 2K
<http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30800%26redirect%3Dno>

--- Win NT
<http://www.microsoft.com/ntserver/nts/downloads/critical/q300972/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30833%26redirect%3Dno>

--- Make sure Outlook is patched (MS01-020) and ensure that you have
updated your IE browser so that you're running IE 5.01 SP2, IE 5.5 SP2,
or IE 6.0 and are therefore not vulnerable, or apply the MS01-027 patch
(which supersedes MS01-020).

- Oracle File Overwrite Security Vulnerability.

-- Refer to CIAC bulletins as follows:
<http://www.ciac.org/ciac/bulletins/m-011.shtml>
<http://www.ciac.org/ciac/bulletins/m-012.shtml>

-- The URL for downloading the patches is:
<http://metalink.oracle.com/>

-- Workaround: Change the file permissions on the oracle executable as
follows: chmod o-x oracle

- Oracle Trace Collection Security Vulnerability.

-- Workaround: If the ORACLE_HOME environment variable is being
translated into a string of 240 or more bytes, disable Oracle Trace by
setting its control parameter in init<SID>.ora as follows:
oracle_trace_enable=FALSE

-- Workaround: Change the file permissions on all of the Oracle Trace
executables as follows:

chmod -s otrccol otrccref otrcfmt otrcrep
chmod 751 otrccol otrccref otrcfmt otrcrep
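A small audit script for the two Oracle Trace workarounds above, added here as an example and not part of the ISS bulletin. It checks the ORACLE_HOME length condition and verifies that the four otrc* executables carry no setuid/setgid bit and are mode 751; the ORACLE_HOME directory and files it runs against are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not part of the ISS bulletin). Checks the two Oracle
# Trace conditions described above: ORACLE_HOME expanding to 240+ bytes,
# and the four otrc* executables carrying setuid/setgid bits or a mode
# other than 751. The ORACLE_HOME layout used in the demo is constructed.

# Returns 0 when the given ORACLE_HOME string is under 240 bytes long.
oracle_home_ok() {
  len=$(printf '%s' "$1" | wc -c)
  [ "$((len))" -lt 240 ]
}

# Returns 0 when file $1 exists, has no setuid/setgid bit and is mode 751.
trace_exe_ok() {
  f=$1
  [ -f "$f" ] || return 1
  if [ -u "$f" ] || [ -g "$f" ]; then
    return 1
  fi
  [ "$(stat -c '%a' "$f")" = "751" ]
}

# Audits all four Oracle Trace executables in directory $1 (ORACLE_HOME/bin).
# Prints one line per file; returns 1 if any of them fails the check.
audit_otrc() {
  bad=0
  for e in otrccol otrccref otrcfmt otrcrep; do
    if trace_exe_ok "$1/$e"; then
      echo "ok   $1/$e"
    else
      echo "FAIL $1/$e (want mode 751 with no setuid/setgid)"
      bad=1
    fi
  done
  return "$bad"
}

# Demo on a constructed ORACLE_HOME under a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/bin"
for e in otrccol otrccref otrcfmt otrcrep; do
  : > "$demo/bin/$e"
  chmod 4751 "$demo/bin/$e"        # simulate the setuid state the workaround removes
done
audit_otrc "$demo/bin" || echo "setuid bits present: applying workaround"
chmod -s "$demo/bin"/otrc*         # the bulletin's workaround, step 1
chmod 751 "$demo/bin"/otrc*        # step 2
audit_otrc "$demo/bin"
rm -rf "$demo"
```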

-------------------------------------
Attack Signature Ranking - global IDS, midnight - midnight, previous
day, % of total
-------------------------------------

Unauth Access Attempt 38.99%
Suspicious Activity 28.50%
Protocol Decode 21.48%
Denial Of Service 08.36%
Pre-Attack Probe 02.67%
Back Door 00.01%

-------------------------------------
Top Ten Attack Destination Ports - global IDS, midnight - midnight,
previous day, % of top ten (ports found at
<http://www.iana.org/assignments/port-numbers>)
-------------------------------------

80 (http) 93.17%
25 (smtp) 02.90%
21 (ftp) 02.18%
22 (ssh) 00.57%
443 (https) 00.32%
6723 (unassigned) 00.25%
12754 (unassigned) 00.17%
15104 (unassigned) 00.17%
123 (ntp) 00.14%
1500 (vlsi-lm) 00.14%

---------------------------------------
VIRUS, TOP 10 and NEW VULNERABILITIES, NEWS UPDATES
---------------------------------------

- Visit <http://www.iss.net> under 'Global Internet Threat
Intelligence Service'

- According to Sophos <http://www.sophos.com/virusinfo/topten/> the
top ten viruses in September 2001 were:

1. Nimda-A 71.2%
2. Sircam-A 11.4%
3. Magistr-A 03.7%
4. Magistr-B 03.0%
5. Hybris-B 01.5%
6. Apology-B 00.7%
7. VBS/Kakworm 00.7%
8. Floss 00.7%
9. Bymer-A 00.5%
10. Badtrans-A 00.4%

---------------------------------------
Defacement Watch based on www.alldas.de <http://www.alldas.de>
---------------------------------------

- Their stats show that since April, 2000, the most defaced OS is
Windows, with a total of 15,585 defacements reported to Alldas.de, for
63% of the total. Although growing in popularity as a target, Linux is
a distant second with 4318 defacements reported for 17% of the total.

- Alldas.de reports a total of 42 sites defaced yesterday. Details can
be seen at <http://www.alldas.de> under 'current month'. A review of
the 42 mirrors shows five with anti-government/anti-war statements.
Four of the mirrors showed typical hacker propaganda. Anti India Crew
had a long piece on the difference between hacking and terrorism.
There was a single Halloween message and one Serbian group's message.
The remaining 30 were of the juvenile hacker, politically neutral
variety. As usual, the defaced sites seemed unrelated to the
defacement message content; merely targets of opportunity. For
example, the AIC target looks like a school library web site in
Billings, Montana (site is still down so couldn't be verified).

---------------------------------------
NOTES, COPYRIGHT NOTICE, and DISCLAIMER
---------------------------------------

NOTE 1: Our web site has this information in a more attractive format,
with graphics, available to the public at no cost at www.iss.net
<http://www.iss.net> under 'Global Internet Threat Intelligence
Service' <https://gtoc.iss.net/secure/whatshot.php>. Screen captures
(Control/PrtSc) of the site's pages dropped into PowerPoint can be an
effective way to communicate various aspects of the Internet threat,
e.g. the graph depicting 'AlertCon Trends'
<https://gtoc.iss.net/secure/graph.html>

NOTE 2: We provide this information on Internet threat metrics,
viruses, vulnerabilities, patches, and breaking news, in the spirit of
PDD 63, to help security professionals wage the war against Internet
threats more effectively. Information in this update is derived primarily
from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team
research, and professional liaison. Other sources as noted. AlertCon 1
reflects the global, malicious, determined, 24 x 7 attacks experienced
by all networks. AlertCon 2 means increased vigilance/action
recommended due to a specific threat or concern. AlertCon 3 means
increased attacks against specific targets or vulnerabilities on a
scale that is unusually high, action required. AlertCon 4 reflects an
Internet emergency for a target or group of targets whose business
continuity may depend on some sort of immediate, decisive action. All
summaries cover 24 hours of the previous workday, GMT. Monday summaries
may cover some weekend activity.

Copyright 2001 Internet Security Systems, Inc. Permission is granted
for the redistribution of the Internet Threat Update electronically.
It is not to be sold or edited in any way without express consent of
ISS. Refer comments or questions to dtreece@iss.net
<mailto:dtreece@iss.net>

Disclaimer: This information is subject to change without notice. Use
of this information constitutes acceptance for use in an 'as is'
condition. There are no warranties with regard to this information. In
no event shall the author be liable for any damages whatsoever arising
out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk. No other use
authorized. FOIA Exemption 4.

Dennis
Dennis Treece
Director,
Global MSS Special Operations Group
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, Georgia 30328
404-236-4065
Cell 404-667-9345
Fax 404-236-2626

Internet Security Systems -- The Power to Protect

Confidentiality Notice: This message is being sent by or on behalf of
a network security professional. It is intended exclusively for the
individual to whom it is addressed. This communication may contain
information that is proprietary, privileged or confidential.
