CERT Incident Note IN-98.02The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
New Tools Used For Widespread ScansThursday, July 2, 1998
Intruders launching widespread scans in order to locate vulnerable machines is nothing new; however, a new intruder tool was publicly released last week which scans networks for many different vulnerabilities. The CERT Coordination Center has received numerous reports indicating that this tool is in widespread use within the intruder community.
The tool uses both DNS zone transfers and/or brute force scanning of IP addresses to locate machines. Once machines are located, they are tested for a number of vulnerabilities.
The tool has the capability to test for the following vulnerabilities:
The footprints of this attack are sequential connections to multiple hosts on one or more of the following TCP ports.
Port Service -------------- (23) telnet (53) dns (79) finger (80) web (110) pop (111) SunRPC & NFS (UDP and TCP) (143) imap (1080) socks (2049) nfs (UDP) (6000) XAlso, requests for the phf, handler, and test-cgi CGI scripts may show up in web access logs.
We encourage sites to disable or add access control to DNS zone transfers. One way to do this is to filter port 53 (TCP) to prevent domain name service zone transfers and permit access to socket 53 (TCP) only from known secondary domain name servers.
We also urge you to filter/firewall all traffic except that which you explicitly decide to allow. Please look at our packet filtering tech tip for more information.
This document is available from: http://www.cert.org/incident_notes/IN-98.02.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1998 Carnegie Mellon University.