CERT
 
US-CERT Vulnerability Notes Database CERT Statistics Vulnerability Disclosure Policy CERT Knowledgebase Courses Link to US-CERT cylab
 

Current Scanning Activity

Last updated: December 17, 2002

We receive many daily reports of scanning and probing activity. The most frequent reports tend to involve services that have well-known vulnerabilities. Internet hosts continue to be affected by exploitation of well-known vulnerabilities in many of these services.


Service Port/Protocol Related Information
ftp 21/tcp CA-2001-33: Multiple Vulnerabilities in WU-FTPD
IN-2001-01: Widespread Compromises via "ramen" Toolkit
IN-2000-10: Widespread Exploitation of rcp.statd and wu-ftpd Vulnerabilities
CA-2000-13: Two Input Validation Problems In FTPD
AA-2000.02: wu-ftpd "site exec" Vulnerability
CA-1999-13: Multiple Vulnerabilities in WU-FTPD
CA-1997-27: FTP Bounce
ssh 22/tcp CA-2001-35: Recent Activity Against Secure Shell Daemons
IN-2001-12: Exploitation of vulnerability in SSH1 CRC-32 compensation attack detector
CA-1999-15: Buffer Overflows in SSH Daemon and RSAREF2 Library
telnet 23/tcp IN-2000-09: Systems Compromised Through a Vulnerability in the IRIX telnet daemon
CA-2001-21: Buffer Overflow in telnetd
domain 53/tcp
53/udp 		CA-2002-15: Denial-of-Service Vulnerability in ISC BIND 9
CA-2001-02: Multiple Vulnerabilities in BIND
CA-2000-20: Multiple Denial-of-Service Problems in ISC BIND
IN-2000-04: Denial of Service Attacks using Nameservers
CA-2000-03: Continuing Compromises of Nameservers
CA-1999-14: Multiple Vulnerabilities in BIND
CA-1998-05: Multiple Vulnerabilities in BIND
http 80/tcp CA-2002-09: Multiple Vulnerabilities in Microsoft IIS
CA-2001-11: sadmind/IIS Worm
CA-2001-23: Continued Threat of the "Code Red" Worm
CA-2002-17: Apache Web Server Chunk Handling Vulnerability
"linuxconf" on some Linux distributions 98/tcp Some Linux distributions ship with linuxconf, a program which listens on TCP port 98. While we do not have any reports of intruders actively exploiting vulnerabilites in linuxconf, these probes may be used to identify linux machines that have other vulnerabilities.
pop3 110/tcp CA-1997-09: Vulnerability in IMAP and POP
sunrpc 111/tcp
111/udp 		CA-2001-11: sadmind/IIS Worm
CA-2001-05: Exploitation of snmpXdmid
IN-2001-01: Widespread Compromises via "ramen" Toolkit
IN-2000-10: Widespread Exploitation of rcp.statd and wu-ftpd Vulnerabilities
CA-2000-17: Input Validation Problem in rpc.statd
CA-1999-16: Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
CA-1999-12: Buffer overflow in amd
CA-1999-08: Buffer Overflow Vulnerability in Calendar Manager Service Daemon, rpc.cmsd
CA-1999-05: Vulnerability in statd exposes vulnerability in automountd
CA-1998-12: Remotely Exploitable Buffer Overflow Vulnerability in mountd
CA-1998-11: Vulnerability in ToolTalk RPC service
netbios-ns
netbios-dgm
netbios-ssn 		137/udp
138/udp
139/tcp 		VU#250635: Microsoft Windows Server Message Block (SMB) fails to properly handle SMB_COM_TRANSACTION packets requesting NetServerEnum2 transaction
VU#311619: Microsoft Windows Server Message Block (SMB) fails to properly handle SMB_COM_TRANSACTION packets requesting NetServerEnum3 transaction
VU#342243: Microsoft Windows Server Message Block (SMB) fails to properly handle SMB_COM_TRANSACTION packets requesting NetShareEnum transaction
IN-2000-03: 911 Worm
IN-2000-02: Exploitation of Unprotected Windows Networking Shares
CA-2001-23: Continued Threat of the "Code Red" Worm
imap 143/tcp CA-1998-09: Buffer Overflow in Some Implementations of IMAP Servers
CA-1997-09: Vulnerability in IMAP and POP
snmp 161/udp CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)
microsoft-ds
 445/tcp
 VU#250635: Microsoft Windows Server Message Block (SMB) fails to properly handle SMB_COM_TRANSACTION packets requesting NetServerEnum2 transaction
VU#311619: Microsoft Windows Server Message Block (SMB) fails to properly handle SMB_COM_TRANSACTION packets requesting NetServerEnum3 transaction
VU#342243: Microsoft Windows Server Message Block (SMB) fails to properly handle SMB_COM_TRANSACTION packets requesting NetShareEnum transaction
IN-2002-06: W32/Lioten

We have received reports of widespread scanning and possible denial of service activity targeted at the microsoft-ds service on port 445/tcp. We are interested in receiving reports of this activity from sites with detailed logs and evidence of an attack. Please send all reports to cert@cert.org.
klogind
 543/tcp
 CA-2000-06: Multiple Buffer Overflows in Kerberos Authenticated Services
MS-SQL 1433/tcp IN-2002-04: Exploitation of Vulnerabilities in Microsoft SQL Server
IN-2001-13: "Kaiten" Malicious Code Installed by Exploiting Null Default Passwords in MS-SQL
SGI objectserver 5135/tcp 20000303-01-PX: Vulnerability in IRIX 5.3 and 6.2 objectserver
CDE 6112/tcp CA-2002-01: Exploitation of Vulnerability in CDE Subprocess Control Service
CA-2001-31: Buffer Overflow in CDE Subprocess Control Service
SubSeven 27374/tcp IN-2001-07: W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses
ICMP echo
ICMP echo reply 		ICMP type 8
ICMP type 0 		CA-1998-01: Smurf IP Denial-of-Service Attacks

Copyright 2002 Carnegie Mellon University.

See the conditions for use, disclaimers, and copyright information.

CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark office.