May 5, 2003 - Current Activity

    This is an archived copy of current activity.

      • Buffer Overflow Vulnerability in Core Windows DLL
      • Increased Activity Targeting Windows Shares
      • Ongoing exploitation of systems running Microsoft SQL Server
      • Ongoing NetBIOS scanning



    Buffer Overflow Vulnerability in Core Windows DLL
    added March 19

    A buffer overflow vulnerability exists in ntdll.dll. This vulnerability may allow a remote attacker to execute arbitrary code on the victim machine.

    An exploit is publicly available for this vulnerability, which increases the urgency for system administrators to apply a patch. The CERT/CC strongly encourages sites running Windows to read CERT Advisory CA-2003-09, examine their systems for signs of compromise, and apply the appropriate patch as soon as possible.


    Increased Activity Targeting Windows Shares
    updated March 13 | portions added March 10, March 13

    The CERT/CC has received reports of propagation of a worm known as W32.Deloder as well as other malicious code which exploit network shares with null or weak Administrator passwords on Windows 2000/XP systems. This malicious code propagates via port 445/tcp and often installs backdoor applications on compromised systems. Additional details can be found in CERT Advisory CA-2003-08.


    Ongoing exploitation of systems running Microsoft SQL Server
    updated February 06 | portions added May 21 2002; January 25 2003

    The CERT/CC continues to receive reports of traffic as a result of the SQL 'Slammer' or 'Sapphire' worm. The propagation of this malicious code has caused varied levels of network degradation across the Internet and the compromise of vulnerable machines. More information about this worm is available in CERT Advisory CA-2003-04.

    In addition to the compromise of systems by the Slammer worm, the CERT/CC continues to receive reports of systems being compromised through the automated exploitation of null or weak default sa passwords in Microsoft SQL Server and Microsoft Data Engine. This activity may be related to other self-propagating malicious code, referred to by various sources as Spida, SQLsnake, and Digispid, or it could be manual exploitation by an intruder. For more information, please see CERT Incident Note IN-2002-04.

    We have also received reports that describe activity potentially related to the vulnerabilities described in Microsoft Security Bulletin MS02-020; however, we have been unable to confirm these reports.

    The CERT/CC strongly encourages sites running Microsoft SQL Server or Microsoft Data Engine enabled products to examine their systems and apply current patches to prevent exploitation.


    Ongoing NetBIOS Scanning
    updated February 06 | added December 06 2002

    The CERT/CC continues to receive reports of significant scanning activity targeting NetBIOS services (ports 137/udp and 445/tcp). It appears that much of this scanning is attempting to exploit unprotected Windows shares (CERT Incident Note IN-2000-02).
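    The scanning described here and the 445/tcp propagation in the Windows shares item above both show up in perimeter logs as one source touching many hosts on 137/udp or 445/tcp. The following is an added detection example, not CERT/CC code; it assumes a simple constructed firewall log format (timestamp, action, protocol, src:port -> dst:port) and flags sources that probe at least five distinct hosts on those ports.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the advisory): one external
# source sweeping many internal hosts on 445/tcp and 137/udp, plus benign traffic.
SAMPLE_LOG = """\
2003-05-05T10:01:02 DROP TCP 192.0.2.10:3291 -> 10.0.0.1:445
2003-05-05T10:01:02 DROP TCP 192.0.2.10:3292 -> 10.0.0.2:445
2003-05-05T10:01:03 DROP TCP 192.0.2.10:3293 -> 10.0.0.3:445
2003-05-05T10:01:03 DROP UDP 192.0.2.10:137 -> 10.0.0.4:137
2003-05-05T10:01:04 DROP TCP 192.0.2.10:3295 -> 10.0.0.5:445
2003-05-05T10:01:04 DROP UDP 192.0.2.10:137 -> 10.0.0.6:137
2003-05-05T10:02:10 ACCEPT TCP 10.0.0.50:1044 -> 10.0.0.7:445
2003-05-05T10:02:11 ACCEPT TCP 10.0.0.50:1045 -> 10.0.0.7:445
2003-05-05T10:03:00 ACCEPT TCP 198.51.100.7:51000 -> 10.0.0.8:80
"""

# Assumed log line layout: "<ts> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# The NetBIOS/SMB services named in the advisory: 137/udp and 445/tcp.
WATCHED = {("UDP", 137), ("TCP", 445)}

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_share_scanners(log_text, min_targets=5):
    """Return {src: sorted distinct destination hosts} for every source that
    contacted at least `min_targets` distinct hosts on 137/udp or 445/tcp.
    Counting distinct destinations (not packets) separates a horizontal sweep
    from a legitimate client repeatedly talking to one file server."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"], int(rec["dport"])) in WATCHED:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, hosts in find_share_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(hosts)} hosts on NetBIOS/SMB ports: {', '.join(hosts)}")
```

Lower `min_targets` for small networks, and feed the function real log text in the same layout after adjusting `LINE_RE` to your firewall's format.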