TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomoiss.net Contact issforum-owneriss.net for help with any problems!
----------------------------------------------------------------------------

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

INTERNET RISK UPDATE for 06-06-2002
ISS X-Force Internet Threat Intelligence Center

www.iss.net - Click on the AlertCon logo for more
information.

********************************************
ALERTCON 2
Projected: AlertCon 2
********************************************

ALERTCON 2 - We are at AlertCon level to 2
because of a serious vulnerability in the
Internet Software Consortium's (ISC) Berkeley
Internet Name Domain (BIND) concerning version 9,
below version 9.2.1. and Sun Solaris
vulnerabilities.

Vulnerabilities:

BIND: ISS X-Force has learned of a serious
vulnerability in ISC BIND 9 that may allow remote
attackers to disable BIND servers. ISC BIND and
its derivatives are the most prevalent DNS
(Domain Name Service) servers on the Internet.
DNS is used to translate IP addresses to their
corresponding host and domain names. Attackers
may use this vulnerability to scan for and
disable DNS servers. Impact: DNS is a core
component of the Internet and is responsible for
translating IP addresses into domain names for
all Internet-linked computers, including all Web
servers. If DNS is attacked locally or en masse,
it may result in local or widespread Internet
instability.

Solaris: Sun has announced an advisory for
vulnerabilities on the 'mibiisa' agent and the
'snmpdx' daemon. Both are processes that run on
port 161 for SNMP requests. These agents run as
daemons with root privileges on the system. A
format string vulnerability was discovered in the
'snmpdx' daemon and a buffer over flow was found
in 'mibiisa', which may be exploited by a remote
hacker to gain root access.

VIRUSES/WORMS: I have received several calls and
e-mails regarding a new Worm called VBS/VBSWG-AQ.
 This is a Visual Basic Worm and can be removed
like all other Worms. It's time once again to
advise people to disable VBS in clients that
don't need it. It is a common form of virus
executable that takes advantage of the default
"on" for .vbs in Microsoft software. Please
refer to the following site for disabling .vbs:
http://www.f-secure.com/virus-info/u-vbs
 
********************************************
RECOMMENDATIONS
********************************************

ISS X-Force recommends that all BIND
administrators upgrade to BIND version 9.2.1,
which has been available since May 2002. BIND
version 9.2.1 is available at the following:
http://www.isc.org/products/BIND/
http://www.iss.net/security_center/alerts/advise11
9.php

Solaris: Sun recommends that you install the
patches immediately on systems running the Sun
Solstice Enterprise Master Agent, snmpdx(1M), and
the Sun SNMP Agent, mibiisa(1M), on SunOS 5.8,
5.7, and 5.6.
<http://sunsolve.sun.com/pub-cgi/show.pl?target=pa
tches/patch-license&nav=pub-patches>

For a list of current vulnerabilities, please
see:
https://gtoc.iss.net/vulnerabilities.php

Information regarding viruses and worms please
see:
https://gtoc.iss.net/viruses.php

********************************************

FACTOID: President Bush will announce today the
creation of a new government agency that will
serve as a clearinghouse for intelligence
information on terrorism, administration sources
said. It is unclear how the new agency -- which
would collect and share information about
terrorist threats -- would interact with the
Office of Homeland Security; created in the wake
of the September 11 terrorist attacks.

********************************************
ATTACK SIGNATURE RANKING - global IDS, midnight -
midnight, previous
Day, % of total
********************************************

Suspicious Activity 37.91%
Protocol Decode 30.23%
Unauthorized Access Attempt 19.95%
Denial Of Service 05.99%
Pre-Attack Probe 05.76%
Back Door 00.16%

********************************************
TOP TEN ATTACK DESTINATION PORTS - global IDS,
midnight - midnight,
previous day, % of top ten (ports found at)
http://www.neohapsis.com/neolabs/neo-ports/neo-por
ts.html
********************************************

80 (http) 60.52%
1433 (SQL) 23.59%
25 (smtp) 05.29%
23 (telnet) 03.74%
21 (ftp) 02.01%
515 (printer) 01.57%
161 (SNMP) 01.18%
69 (tftp) 00.93%
53 (DNS) 00.61%
22 (ssh) 00.55%

********************************************
BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER
********************************************

Background. We provide this information in the
spirit of PDD 63 to
help security professionals wage the war against
Internet threats
more effectively. Information in this update
derived primarily from
global, real time, 24 x 7 IDS feeds, ISS X-Force
R&D Team research,
and professional liaison. Other sources as noted.
AlertCon 1 reflects
the global, malicious, determined, 24 x 7 attacks
experienced by all
networks. AlertCon 2 means increased
vigilance/action recommended due
to a specific threat or concern. AlertCon 3 means
increased attacks
against specific targets or vulnerabilities on a
scale that is
unusually high, action required. AlertCon 4
reflects an Internet
emergency for a target or group of targets whose
business continuity
may depend on some sort of immediate, decisive
action. All summaries
cover 24 hours the previous workday, GMT. Monday
summaries may cover
some weekend activity.

Copyright 2002 Internet Security Systems, Inc.
Permission is granted
for the redistribution of the Internet Risk
electronically.
It is not to be sold or edited in any way without
express consent of
ISS. Refer comments or questions to:
pgrayiss.net or dtreeceiss.net

Disclaimer: This information is subject to change
without notice. Use
of this information constitutes acceptance for
use in an 'as is'
condition. There are no warranties with regard to
this information.
In no event shall the author be liable for any
damages whatsoever
arising out of or in connection with the use or
spread of this
information. Any use of this information is at
the user's own risk.
No other use authorized. FOIA Exemption 4.

You can download the public key from MIT's PGP
key server and
PGP.com's key server.

Patrick Gray
Manager, X-Force
Internet Threat Intelligence Center
Internet Security Systems
6303 Barfield Road
Atlanta, GA 30328

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPP93yJG41ROSQPncEQJ9UQCeIivGDK6qf05KabQHZCPMy2KqWDQAoKyi
r9kZR66DZSGzkmmKKz7wpjXV
=yY19
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]