
CERT Incident Note IN-98.02

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

New Tools Used For Widespread Scans

Thursday, July 2, 1998

Intruders launching widespread scans to locate vulnerable machines is nothing new; however, a new intruder tool that scans networks for many different vulnerabilities was publicly released last week. The CERT Coordination Center has received numerous reports indicating that this tool is in widespread use within the intruder community.

The tool uses DNS zone transfers and/or brute-force scanning of IP address ranges to locate machines. Once machines are located, they are tested for a number of vulnerabilities.

The tool has the capability to test for the following vulnerabilities:

We encourage you to ensure that all machines in your network utilizing any of the above services are up to date with patches and properly secured.

The footprints of this attack are sequential connections to multiple hosts on one or more of the following TCP ports.

Port   Service
--------------
23     telnet
53     dns
79     finger
80     web
110    pop
111    SunRPC & NFS (UDP and TCP)
143    imap
1080   socks
2049   nfs (UDP)
6000   X

Also, requests for the phf, handler, and test-cgi CGI scripts may show up in web access logs.
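As an added example (not part of the original note), the two footprints above can be checked for offline: one pass over connection records flags a source that touches several hosts on the listed TCP ports, and a second pass over web access logs picks out requests for the named CGI scripts. The connection-record format and all log lines are constructed for the example; only the port list and script names come from the note.

```python
import re
from collections import defaultdict

# TCP ports the note lists as the scan footprint (2049 is UDP only, so left out).
SCAN_PORTS = {23, 53, 79, 80, 110, 111, 143, 1080, 6000}
# CGI scripts the note says may appear in web access logs.
CGI_PROBES = ("phf", "handler", "test-cgi")

# Constructed connection records, hypothetical "time src dst dport" format.
CONN_LOG = """\
12:00:01 192.0.2.10 198.51.100.1 23
12:00:01 192.0.2.10 198.51.100.1 79
12:00:02 192.0.2.10 198.51.100.2 23
12:00:02 192.0.2.10 198.51.100.2 143
12:00:03 192.0.2.10 198.51.100.3 111
12:00:03 192.0.2.10 198.51.100.4 1080
12:00:05 192.0.2.77 198.51.100.1 80
12:00:06 192.0.2.77 198.51.100.1 80
""".splitlines()

# Constructed Common Log Format lines from a web server.
ACCESS_LOG = """\
192.0.2.10 - - [02/Jul/1998:12:00:04 -0400] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 -
192.0.2.10 - - [02/Jul/1998:12:00:04 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 404 -
192.0.2.77 - - [02/Jul/1998:12:00:05 -0400] "GET /index.html HTTP/1.0" 200 1024
""".splitlines()

def find_sweeps(lines, min_hosts=3):
    """Return {src: sorted hosts} for sources hitting >= min_hosts hosts on scan ports."""
    targets = defaultdict(set)
    for line in lines:
        _time, src, dst, port = line.split()
        if int(port) in SCAN_PORTS:
            targets[src].add(dst)
    return {s: sorted(h) for s, h in targets.items() if len(h) >= min_hosts}

# Client address, then a request line whose path is /cgi-bin/<probe> followed by
# a query string, a path separator, a space, or end of string.
CGI_RE = re.compile(r'^(\S+) .*"(?:GET|POST|HEAD) [^" ]*/cgi-bin/(%s)(?:[?/ ]|$)'
                    % "|".join(CGI_PROBES))

def find_cgi_probes(lines):
    """Return (client, script) pairs for requests naming one of the CGI scripts."""
    hits = []
    for line in lines:
        m = CGI_RE.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for src, hosts in find_sweeps(CONN_LOG).items():
        print(f"sweep from {src}: {len(hosts)} hosts {hosts}")
    for client, script in find_cgi_probes(ACCESS_LOG):
        print(f"CGI probe for {script} from {client}")
```

Real firewall or router logs will need their own field parsing in find_sweeps; the threshold and port set are the parts worth tuning.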

We encourage sites to disable DNS zone transfers or add access control to them. One way to do this is to filter port 53 (TCP) to prevent domain name service zone transfers, permitting access to port 53 (TCP) only from known secondary domain name servers.

We also urge you to filter/firewall all traffic except that which you explicitly decide to allow. Please look at our packet filtering tech tip for more information.

http://www.cert.org/tech_tips/packet_filtering.html


This document is available from: http://www.cert.org/incident_notes/IN-98.02.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 1998 Carnegie Mellon University.