TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomoiss.net Contact issforum-owneriss.net for help with any problems!
----------------------------------------------------------------------------

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

INTERNET THREAT UPDATE for 01-14-2002
ISS X-Force Special Operations Group

www.iss.net - Click on 'Current Internet Threat' for more
information.

******************************************************
ALERTCON 1
Projected: AlertCon 1
******************************************************

ALERTCON 1 - AlertCon 1 reflects the malicious, determined, global,
24 x 7 attacks experienced by all networks.

NETSCAPE: Remote attackers can easily disable unpatched Netscape
Enterprise servers running on Windows NT/2000 with publishing
enabled. By grabbing http://server?wp-html-rend/ multiple times an
attack can crash the server remotely.

CODE RED VARIANT: Our Global Sensor database indicates an increase
in a new variant of the Code Red worm. Many systems have been
brought on-line since the initial outbreak last summer and are
vulnerable if the recommendations listed below are not followed.

LINUX: A vulnerability has been found in the XChat IRC client that
allows an attacker to take over the user's IRC session.

UNIX: A vulnerability in the AFTPD has been discovered that could
allow a remote user to gain elevated privileges. The problem
presents itself when a user accesses the ftp server via any type of
user account, either regular or anonymous.

VIRUSES/WORMS: Closely monitor your anti-virus vendor for up-to-date
solutions for current threats on a daily basis.
 

FACTOID: According to Computer Economics, the worldwide economic
impact of the Code Red worm was $2.62 billion.

COMMENTARY: While social engineering, viruses and hackers continue to
befuddle network administrators, laptops are considered to be an
extremely prized article for those with larceny in their hearts. Pay
close attention to where you place it when you travel, while you dine
out, or where it is placed in an automobile. The bad guys will have
no qualms about shattering a passenger window to extract an item that
could fetch them a good sum. Perhaps a hard-sided small suitcase
rather than the usual black nylon bag with the company logo on it
would be appropriate. Consider not only the cost of replacing the
machine but also consider the value of your company data contain in
the computer - can you replace that?

- ------------------------------------------------------
RECOMMENDATIONS
- ------------------------------------------------------

For the Netscape vulnerability, please refer to:
http://www.securiteam.com/securitynews/5VP0C0A60A.html

Regarding the Code Red variant, we recommend defensive vulnerability
scans be initiated and vendor patches be applied. Current anti-virus
solutions should detect this variant with existing signatures.

X-Force Advisory regarding the UPnP and IE 5.5 and 6.0 issues see:
http://xforce.iss.net/alerts/advise107.php
http://xforce.iss.net/alerts/advise106.php

For the Debian Advisory and solution, please see:
http://www.linuxsecurity.com/advisories/debian_advisory-1802.html

Information regarding the AFTPD Home Directory Change Core Dump
Vulnerability, please refer to:
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=discussion&
id=3806

For information regarding the bad AIM fix see:
http://www.computing.vnunet.com/News/1128120

For an excellent home/small office firewall solution, please see:
http://www.networkice.com/

For information on removing infected executable files, refer to:
http://www.sophos.com/support/faqs/filvir.html

For other current worms and viruses moving across the Internet see:
https://gtoc.iss.net/secure/viruses.php
http://www.antivirus.com/vinfo/

- ------------------------------------------------------
ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous
Day, % of total
- ------------------------------------------------------

Unauthorized Access Attempt 47.54%
Protocol Decode 28.14%
Denial Of Service 15.92%
Suspicious Activity 05.69%
Pre-Attack Probe 02.65%
Back Door 00.06%

- ------------------------------------------------------
TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight,
previous day, % of top ten (ports found at)
http://www.networkice.com/Advice/Exploits/Ports/default.htm
- ------------------------------------------------------

80 (http) 89.12%
1214 (unassigned) 01.98%
21 (ftp) 01.96%
22 (ssh) 01.92%
25 (smtp) 01.84%
69 (tftp) 01.15%
443 (ssl) 00.76%
515 (lp,lpr,printer) 00.53%
53 (DNS) 00.38%
161 (SNMP) 00.36%

- ------------------------------------------------------
BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER
- ------------------------------------------------------

Background. We provide this information in the spirit of PDD 63 to
help security professionals wage the war against Internet threats
more effectively. Information in this update derived primarily from
global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
and professional liaison. Other sources as noted. AlertCon 1 reflects
the global, malicious, determined, 24 x 7 attacks experienced by all
networks. AlertCon 2 means increased vigilance/action recommended due
to a specific threat or concern. AlertCon 3 means increased attacks
against specific targets or vulnerabilities on a scale that is
unusually high, action required. AlertCon 4 reflects an Internet
emergency for a target or group of targets whose business continuity
may depend on some sort of immediate, decisive action. All summaries
cover 24 hours the previous workday, GMT. Monday summaries may cover
some weekend activity.

Copyright 2001 Internet Security Systems, Inc. Permission is granted
for the redistribution of the Internet Threat Update electronically.
It is not to be sold or edited in any way without express consent of
ISS. Refer comments or questions to: pgrayiss.net or dtreeceiss.net

Disclaimer: This information is subject to change without notice. Use
of this information constitutes acceptance for use in an 'as is'
condition. There are no warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.
No other use authorized. FOIA Exemption 4.

Patrick Gray
Manager, X-Force
Internet Threat Intelligence Center
Internet Security Systems
6303 Barfield Road
Atlanta, GA 30328

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPENTAZG41ROSQPncEQK38QCgy/M/pqY1Xca3j+j4tPVIRZN1jRoAoLT9
iUQ0zGMry9q/EHPIs6TawOCd
=1E3j
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]