TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomoiss.net Contact issforum-owneriss.net for help with any problems!
----------------------------------------------------------------------------

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

INTERNET RISK UPDATE for 05-22-2002
ISS X-Force Internet Threat Intelligence Center

www.iss.net - Click on the AlertCon logo for more information.

********************************************
ALERTCON 2
Projected: AlertCon 2
********************************************

ALERTCON 2 - We have raised the AlertCon to 2 to draw attention to
the MS SQL Worm. AlertCon 2 means increased vigilance or action
required due to focused, patterned attacks.

Vulnerabilities:

It is reported that Cisco's IOS is vulnerable to a denial-of-service
attack using ICMP Redirect messages. When flooded with ICMP redirect
messages, the IOS uses up all its memory to store the new host
routes. The device is then unable to perform operations that need
additional memory such as receiving routing updates and accepting
inbound telnet(1) connections.

Ipswitch IMail is a Web-based mail server for Windows NT and 2000.
Versions 7.1 and earlier are vulnerable to a buffer overflow in the
LDAP service. By supplying an overly long "bind DN" parameter to the
LDAP service during simple authentication, a remote attacker could
overflow a buffer and execute arbitrary code on the system with
SYSTEM level privileges.

VIRUSES/WORMS:

MS SQL Worm: At least one worm is actively propagating via port 1433.
Once a system is compromised by using the default administrator
settings in SQL Server 7.0 and 2000, it adds a temporary account to
the local group administrator's list and then executes a Java Script
using a third party e-mail program which sends a password file and
then the victims network configuration settings to ixldtpostone.com.

W32/Benjamin.worm: To spread, the worm requires that the Kazaa
software be installed on the machine. It creates a directory called
%WINDIR%\TEMP\SYS32, and changes the Kazaa settings so that remote
users can download from this directory. Then it copies itself to that
directory under many different names that other users may search for.
The size of these files can vary since the worm pads them with
garbage bytes. This method of spreading is comparable to the VBS/GWV
worm. Another example of the problems associated with peer-to-peer
file sharing.

********************************************
RECOMMENDATIONS
********************************************
For the Ipswith Imail vulnerability, please refer to:
http://www.iss.net/security_center/static/9116.php

For the Cisco vulnerability, please refer to:
http://www.securiteam.com/securitynews/5OP0P0A75E.html

For a list of current vulnerabilities, please see:
https://gtoc.iss.net/vulnerabilities.php

For information on the MY SQL Worm, please refer to:
http://www.iss.net/security_center/alerts/advise118.php

For information on the Benjamin worm, please refer to:
http://vil.nai.com/vil/content/v_99495.htm

Information regarding viruses and worms please see:
https://gtoc.iss.net/viruses.php

********************************************

FACTOID: In a NETWORK WORLD survey, forty-three percent of the
respondents "agree" or "strongly agree" that wireless technology will
be a top IT priority this year. By contrast, 36% "disagree" or
"strongly disagree."

********************************************
ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous
Day, % of total
********************************************

Protocol Decode 38.93%
Unauthorized Access Attempt 28.28%
Suspicious Activity 23.44%
Denial Of Service 06.70%
Pre-Attack Probe 02.57%
Back Door 00.09%

********************************************
TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight,
previous day, % of top ten (ports found at)
http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
********************************************

80 (http) 71.54%
1433 (SQL) 13.30%
25 (smtp) 07.50%
69 (tftp) 01.86%
161 (SNMP) 01.76%
515 (spooler) 01.22%
21 (ftp) 01.19%
139 (NetBIOS) 00.78%
53 (DNS) 00.47%
162 (SNMP Trap) 00.37%

********************************************
BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER
********************************************

Background. We provide this information in the spirit of PDD 63 to
help security professionals wage the war against Internet threats
more effectively. Information in this update derived primarily from
global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
and professional liaison. Other sources as noted. AlertCon 1 reflects
the global, malicious, determined, 24 x 7 attacks experienced by all
networks. AlertCon 2 means increased vigilance/action recommended due
to a specific threat or concern. AlertCon 3 means increased attacks
against specific targets or vulnerabilities on a scale that is
unusually high, action required. AlertCon 4 reflects an Internet
emergency for a target or group of targets whose business continuity
may depend on some sort of immediate, decisive action. All summaries
cover 24 hours the previous workday, GMT. Monday summaries may cover
some weekend activity.

Copyright 2002 Internet Security Systems, Inc. Permission is granted
for the redistribution of the Internet Threat Update electronically.
It is not to be sold or edited in any way without express consent of
ISS. Refer comments or questions to: pgrayiss.net or dtreeceiss.net

Disclaimer: This information is subject to change without notice. Use
of this information constitutes acceptance for use in an 'as is'
condition. There are no warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.
No other use authorized. FOIA Exemption 4.

You can download the public key from MIT's PGP key server and
PGP.com's key server.

Carter Schoenberg
Senior Analyst
Internet Threat Intelligence Center
6303 Barfield Road
Atlanta, Georgia 30306
United States
(404) 236-4045 work
(404) 281-8296 cell
 

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBPOuuaAtw29BQsC/uEQLQYACg7oEWJZl1QGT28lo7IGeVPO6zVwYAoOlQ
BGW+cfG17ftyjg0VxpxEmsPw
=NQBA
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]