MS-028.062001: MyCERT Summary
Original Issue Date: 30th June 2001
Each quarter, MyCERT issues the MyCERT Summary to highlight the types of attacks reported to us, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems, including patches.
For the past three months, from the beginning of April until June this year, MyCERT has received over 80 reports involving the Microsoft IIS Extended Unicode Traversal Vulnerability exploit against WinNT IIS 4.0 and Windows 2000 IIS 5.0, and about 5 reports involving wu-ftpd exploits and implanted rootkits on Red Hat Linux 6.2. We have also seen a significant increase in reconnaissance activity, including intrusion and Denial of Service attempts.
The exploits have mainly been targeted at web servers, with web defacement as the motive. The next most common targets are Linux machines, compromised for the purpose of running eggbots and IRC proxies. Detection of intrusions ranges from noticing added user IDs to verifying system binaries against known rootkit versions. Upon successful compromise, the system is fully controlled by the intruder.
IIS 4.0/5.0 Web Defacement
Systems running unpatched WinNT IIS 4.0/5.0 or Windows 2000 IIS 5.0 are vulnerable to the Microsoft IIS Extended Unicode Traversal Vulnerability, as detailed in the MyCERT Advisory below:
Detecting such attacks requires reviewing the IIS logs, whose audit trails are stored in files named by date.
For IIS 4.0, the logs can be retrieved at the following directory:
For IIS 5.0, you can retrieve the log at this directory:
The sign of the intrusion will resemble the following log entry:
xx.xx.xx.xx, -, 6/10/01, 2:01:35, W3SVC, , 47, 443, 331, 200, 0,
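The log entry above is truncated before the request fields, which is where the traversal shows up. The script below is an added example written for this summary, not MyCERT's own tooling: it parses comma-separated IIS-format log lines, percent-decodes the requested URI, decodes the bytes the permissive way the vulnerable server did (accepting overlong UTF-8 forms that a strict decoder rejects), and flags any request that either used an overlong encoding or resolves to a ".." traversal after canonicalisation. The field order, the IP addresses and the log lines are constructed for the example; check them against your own server's log layout before reusing the parser.

```python
"""Scan Microsoft IIS-format log lines for Unicode directory-traversal requests.

Added example, not MyCERT's code. The field layout below is assumed and the
log lines are constructed so the script runs offline.
"""
import re
from urllib.parse import unquote_to_bytes

# Assumed comma-separated IIS log field order (verify against your server).
IIS_FIELDS = [
    "client_ip", "user", "date", "time", "service", "server", "server_ip",
    "time_taken", "bytes_recv", "bytes_sent", "status", "win32_status",
    "method", "uri", "query",
]

# Constructed sample log: two ordinary requests and two traversal attempts.
SAMPLE_LOG = [
    "203.0.113.7, -, 6/10/01, 2:01:35, W3SVC, WEB1, 192.0.2.10, 47, 443, 331, 200, 0, GET, /default.htm, -,",
    "203.0.113.7, -, 6/10/01, 2:01:36, W3SVC, WEB1, 192.0.2.10, 60, 512, 1024, 200, 0, GET, /scripts/..%c0%af../winnt/system32/cmd.exe, -,",
    "198.51.100.23, -, 6/10/01, 2:02:10, W3SVC, WEB1, 192.0.2.10, 30, 300, 200, 404, 3, GET, /scripts/..%c1%9c../winnt/system32/cmd.exe, -,",
    "203.0.113.9, -, 6/10/01, 2:03:00, W3SVC, WEB1, 192.0.2.10, 12, 200, 5000, 200, 0, GET, /images/logo.gif, -,",
]

# A ".." path component, checked after backslashes are normalised to "/".
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def parse_iis_line(line):
    """Split one comma-separated IIS log line into a dict of named fields."""
    parts = [p.strip() for p in line.split(",")]
    return dict(zip(IIS_FIELDS, parts))


def lenient_utf8_decode(data):
    """Decode UTF-8 the permissive way a vulnerable decoder did: overlong
    two- and three-byte forms are accepted instead of rejected.
    Returns (decoded_text, overlong_seen)."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong |= cp < 0x80          # fits in one byte: overlong form
            out.append(chr(cp))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < len(data)
              and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong |= cp < 0x800         # fits in two bytes: overlong form
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")           # malformed byte, keep scanning
            i += 1
    return "".join(out), overlong


def classify_request(uri):
    """Canonicalise a logged URI and report overlong encodings and '..' traversal."""
    text, overlong = lenient_utf8_decode(unquote_to_bytes(uri))
    normalised = text.replace("\\", "/")
    return {
        "decoded": normalised,
        "overlong": overlong,
        "traversal": TRAVERSAL.search(normalised) is not None,
    }


def scan_log(lines):
    """Return (client_ip, date, time, uri, verdict) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        verdict = classify_request(rec.get("uri", ""))
        if verdict["overlong"] or verdict["traversal"]:
            hits.append((rec["client_ip"], rec["date"], rec["time"], rec["uri"], verdict))
    return hits


if __name__ == "__main__":
    for ip, date, time, uri, verdict in scan_log(SAMPLE_LOG):
        print(f"{date} {time} {ip} {uri} -> {verdict['decoded']} "
              f"(overlong={verdict['overlong']}, traversal={verdict['traversal']})")
```

Flagging on the overlong encoding itself, rather than on a list of known request strings, catches variants that encode the separator differently, and a 404 in the status field is still worth reviewing because it shows the probe even when it did not succeed.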
System owners running IIS 4.0/IIS 5.0 are urged to patch the vulnerability immediately. Detailed information on patching this vulnerability is available at:
System owners are also strongly advised to further enhance the security of all Microsoft Windows operating systems, i.e. by hardening the system registry and the access control policy. Please refer to these links for guidelines:
Multiple Linux platform exploit
Systems running unpatched Red Hat Linux version 6.2 or earlier are vulnerable to the wu-ftpd remote format string stack overwrite vulnerability and the multiple Linux vendor rpc_statd remote format string vulnerability. These vulnerabilities allow a remote user to gain root access to the server; in the wu-ftpd case, anonymous FTP access alone suffices. Following such compromises, rootkits are implanted and the system is fully controlled by the intruder.
Those supporting multiple Linux platforms are advised to refer to the following advisories on upgrades and configuration fixes:
- Wu-Ftpd Remote Format String Stack Overwrite Vulnerability
- Multiple Linux Vendor rpc_statd Remote Format String Vulnerability
The versions of rootkit discovered by MyCERT during analysis of the victims' machines are t0rnkit, lrk and adore. Detailed information on rootkits, their detection, removal steps and preventive measures is available in MyCERT's Advisory at:
System owners are advised to monitor all activities taking place on their systems and networks, and to be alert and sensitive to any abnormal activity. In addition, system owners should keep up to date with the latest patches and watch closely for announcements of recently discovered vulnerabilities. MyCERT also constantly updates its information on recent vulnerabilities and patches.
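The two detection signs mentioned earlier in this summary, added user IDs and replaced system binaries, can both be checked mechanically. The script below is an added example, not MyCERT's advisory code or a rootkit-specific scanner: it hashes a set of binaries against a baseline taken from a known-clean state and diffs a passwd file for new accounts and for any UID 0 account other than root. The temporary files and passwd lines are constructed so it runs offline. One caveat that matters for the kits named here: lrk and t0rnkit replace userland binaries such as ps and ls, which this check catches, but a kernel-module rootkit like adore hides files and processes from every userland tool, so on a suspect host the hashes should be taken after booting from clean media rather than from the running system.

```python
"""Host checks that surface a userland rootkit install: verify binaries
against a hash baseline and diff the password file for added accounts.

Added example, not MyCERT's code. Files and passwd contents are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash of every path while the system is known to be clean."""
    return {p: sha256_of(p) for p in paths}


def verify_baseline(baseline):
    """Return the paths whose content changed or that disappeared since baselining."""
    return [p for p, digest in baseline.items()
            if not os.path.exists(p) or sha256_of(p) != digest]


def parse_passwd(text):
    """Parse /etc/passwd-style lines into {name: {"uid": int, "shell": str}}."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        accounts[fields[0]] = {"uid": int(fields[2]), "shell": fields[6]}
    return accounts


def compare_accounts(baseline_text, current_text):
    """Report accounts added since the baseline and any non-root UID 0 account."""
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    return {
        "added": sorted(set(new) - set(old)),
        "extra_uid0": sorted(n for n, a in new.items() if a["uid"] == 0 and n != "root"),
    }


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: 'ps' is replaced after the baseline is taken and a
    second UID 0 account appears in passwd. Returns (changed_binaries, account_diff)."""
    with tempfile.TemporaryDirectory() as d:
        ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
        _write(ls, b"original ls binary")
        _write(ps, b"original ps binary")
        baseline = build_baseline([ls, ps])
        _write(ps, b"replaced ps binary")          # simulated trojaned binary
        changed = [os.path.basename(p) for p in verify_baseline(baseline)]
    passwd_before = ("root:x:0:0:root:/root:/bin/bash\n"
                     "nobody:x:99:99:Nobody:/:/sbin/nologin\n")
    passwd_after = passwd_before + "operator:x:0:0::/:/bin/sh\n"   # constructed addition
    return changed, compare_accounts(passwd_before, passwd_after)


if __name__ == "__main__":
    changed, accounts = demo()
    print("changed binaries:", changed)
    print("account changes:", accounts)
```

The baseline only has value if it was recorded before the compromise and stored where an intruder with root cannot rewrite it, for example on read-only media or another host; a baseline regenerated on the suspect machine will simply bless the replaced binaries.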
More information and advisories are available at: http://www.mycert.org.my