=============================================================================
Alert to Network Service Providers - Widespread attacks on Internet sites
CERT Coordination Center
December 18, 1995
=============================================================================
Over the last several weeks, the CERT Coordination Center has been
working on related incidents where the intruders have launched
widespread attacks against Internet sites. Due to the scope of this
incident, we ask that you alert your customers/constituency as soon as
possible, and urge them to take action to ensure that systems are
protected against these attacks. Please feel free to redistribute
this message.
Hundreds of sites have been attacked, and many of the attacks have
been successful, resulting in root compromises at the targeted sites.
We are working directly with the root-compromised sites.
We continue to receive reports, and we believe that more attacks are
going undetected.
**************************************************************************
NOTE -- all of the vulnerabilities exploited in this attack are known,
and are addressed by CERT advisories.
**************************************************************************
The MO of the attacks and advisories that address these vulnerabilities
are listed below. We cannot emphasize enough the importance of
taking the actions suggested in these advisories and README files.
- using automated tools to scan sites for NFS and NIS
vulnerabilities
* CA-94:15.NFS.Vulnerabilities and CA-94:15.README
* CA-92:13.SunOS.NIS.vulnerability
- exploiting the rpc.ypupdated vulnerability to gain root
access
* CA-95:17.rpc.ypupdated.vul and CA-95:17.README
- exploiting the loadmodule vulnerability to gain root access
* CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability,
CA-95:12.sun.loadmodule.vul and CA-95:12.README
- installing Trojan horse programs and packet sniffers
* CA-94:01.ongoing.network.monitoring.attacks and
CA-94:01.README
- launching IP spoofing attacks
* CA-95:01.IP.spoofing and CA-95:01.README
The CERT advisories and README files are available from:
ftp://info.cert.org:/pub/cert_advisories
Please feel free to forward this alert to other providers of Internet
services, in addition to notifying your customers/constituents of this
attack.
We will also be launching CERT advisory CA-95:18.widespread.attacks
this morning. I have appended a copy of this advisory below.
Communicating with us
- ----------------------
Warning: For sensitive information, use encrypted email. You will find
the CERT public PGP key at the end of this document. If you would
prefer to use DES, please call the CERT hotline:
+1 412 268 7090
to exchange a DES key over the phone.
If you or one of your customers find a compromise, please complete and
return the Incident Reporting Form (IRF) appended below. This
completed form will help us better assist you.
Because of our workload, we must ask you not to send log files of
activity, but we would be happy to work with you as needed on how to
interpret data that you may collect.
If you see activity that indicates an attack is in progress, we
encourage you to contact your customer, or other sites involved or
their service provider. We will also be happy to provide guidance and
advice, if needed, on how to handle incidents and work with law
enforcement.
CERT Public Key
- ----------------------
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6
mQCNAi2a4WoAAAEEAN0IPkqCmoGRud0Kts3g4ZGgZ4zyqY8C5VTOgUcqU+D2U1so
21K6dxj/lewKFduXtNpqDeg6C0wR6GIMJ2jWLU4GUEq0xHohioWGGg5O3QTvCpN3
rnLIKO9urv4Wjgkp1n1ys7xcOYl5jb7kuhdlXs3kNgKi4zBB5XVP+x0t4w7BAAUR
tChDRVJUIENvb3JkaW5hdGlvbiBDZW50ZXIgPGNlcnRAY2VydC5vcmc+iQCVAgUQ
LZrkOXVP+x0t4w7BAQEI3QP/d9gl7GD52Pd8KbsBMb0hiploigL8kZW1Q1fVsIm1
cO9xumU89CLf2jrN+IdrIMpVWAO3DyJjZooZTaJBg/9jjv3HltHTq/XFD5c+WYlM
G+fQZVuR8qu8+D8P8pPbNVm94wxj9fyKO39/dnub1UfjDedJBtt+zgMJmstADkOv
QBM=
=N6E5
- -----END PGP PUBLIC KEY BLOCK-----
Incident Reporting Form
- ----------------------
Please complete this form if you are reporting a compromise.
CERT(sm) Coordination Center
Incident Reporting Form
CERT has developed the following form in an effort to facilitate our
interaction with members of the Internet community. We would appreciate
your completing the form included below in as much detail as possible.
The information is optional, but the more information you can provide,
the better we will be able to assist you.
Note that our policy is to keep confidential any information you provide
unless we receive your permission to release that information. (See questions
8 and 11 below.)
Please feel free to duplicate any section as required. Please return
this form to cert@cert.org. If you are unable to e-mail this form,
please send it via FAX. Our FAX telephone number is +1 412-268-6989.
Thank you for your cooperation and help.
1) Incident number (after assigned by CERT):
2) Reporting site information
Organizational Name (e.g. CERT Coordination Center):
Domain Name (e.g. cert.org):
3) Your contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (for CERT internal use only):
4) Additional contact information (if available)
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (for CERT internal use only):
5) Compromised host(s) at your site (one entry per host please)
Hostname:
IP address:
Vendor:
Hardware:
OS:
Version:
Security patches applied:
6) Please list the other sites compromised that you have notified, and
the contact information for each site (one entry per site please)
Hostname:
IP address:
Contact information:
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, for CERT internal use only):
7) Please list the other sites compromised that you have not yet
notified (one entry per site please)
Hostname:
IP address:
Contact information (if available):
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
8) Would you be willing to contact these sites if CERT provided you
the relevant contact information (Yes/No):
Or, can CERT give your contact information to these sites when we
contact them (Yes/No):
9) Incident category (Yes/No)
Probe:
Prank:
Mail Spoofing:
Break-in:
Installed Trojan Horse:
Intruder gained root access:
NIS (yellow pages) attack:
NFS attack:
TFTP attack:
FTP attack:
Telnet attack:
Rlogin or rsh attack:
Product vulnerability:
Worm:
Virus:
Other (please specify):
10) Are you currently using (Yes/No/Periodically)
COPS (The Computer Oracle and Password System):
TCP access control using packet filtering:
Host access control via modified daemons or wrappers:
Crack:
Tripwire:
Proactive password checkers (e.g. npasswd, passwd+):
Shadow passwords:
Other (please specify):
11) Miscellaneous
Please specify any other incident response team(s) you have
contacted
Team:
Contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
If you have not contacted another incident response team,
could we give them your contact information (Yes/No):
Please specify any law enforcement agency(ies) you have
contacted
Agency:
Contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
If you have not contacted any law enforcement agency, could we
give them your contact information, if necessary (Yes/No):
12) Detailed description of incident (e.g. method of intrusion, etc)
13) What assistance would you like from CERT?
Copyright 1995 Carnegie Mellon University
This form may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the CERT Coordination Center is
acknowledged.
CERT is a service mark of Carnegie Mellon University.
=============================================================================
CA-95:18 CERT Advisory
December 18, 1995
Widespread Attacks on Internet Sites
-----------------------------------------------------------------------------
Over the last several weeks, the CERT Coordination Center has been working on
a set of incidents in which the intruders have launched widespread attacks
against Internet sites. Hundreds of sites have been attacked, and many of the
attacks have been successful, resulting in root compromises at the targeted
sites. We continue to receive reports, and we believe that more attacks are
going undetected.
**********************************************************************
All the vulnerabilities exploited in these attacks are known, and are
addressed by CERT advisories (see Section III).
**********************************************************************
We urge everyone to obtain these advisories and take action to ensure
that systems are protected against these attacks. Also, please feel
free to redistribute this message.
As we receive additional information relating to this advisory, we
will place it in
ftp://info.cert.org/pub/cert_advisories/CA-95:18.README
We encourage you to check our README files regularly for updates on
advisories that relate to your site.
-----------------------------------------------------------------------------
I. Description
Intruders are doing the following:
- using automated tools to scan sites for NFS and NIS vulnerabilities
- exploiting the rpc.ypupdated vulnerability to gain root access
- exploiting the loadmodule vulnerability to gain root access
- installing Trojan horse programs and packet sniffers
- launching IP spoofing attacks
II. Impact
Successful exploitation of the vulnerabilities can result in unauthorized
root access.
III. Solution
The CERT staff urges you to immediately take the steps described in
the advisories and README files listed below. Note that it is important
to check README files as they contain updated information we received
after the advisory was published.
a. Using automated tools to scan sites for NFS and NIS vulnerabilities
* CA-94:15.NFS.Vulnerabilities
* CA-94:15.README
* CA-92:13.SunOS.NIS.vulnerability
b. Exploiting the rpc.ypupdated vulnerability to gain root access
* CA-95:17.rpc.ypupdated.vul
* CA-95:17.README
c. Exploiting the loadmodule vulnerability to gain root access
* CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability
* CA-95:12.sun.loadmodule.vul
* CA-95:12.README
d. Installing Trojan horse programs and packet sniffers
* CA-94:01.ongoing.network.monitoring.attacks
* CA-94:01.README
e. Launching IP spoofing attacks
* CA-95:01.IP.spoofing
* CA-95:01.README
The CERT advisories and README files are available from
ftp://info.cert.org/pub/cert_advisories
If you find a compromise, please complete the Incident Reporting Form
that we have provided in the appendix of this advisory, and return the
form to cert@cert.org. This completed form will help us better assist
you.
Note: Because of our workload, we must ask you not to send log files of
activity, but we would be happy to work with you as needed on how to
interpret data that you may collect. Also, the CERT staff can provide
guidance and advice, if needed, on how to handle incidents and work with
law enforcement.
If you see activity that indicates an attack is in progress, we encourage
you to contact other sites involved and the service providers, as well as
the CERT Coordination Center.
---------------------------------------------------------------------------
Contacting the CERT Coordination Center
For sensitive information, please use encrypted email.
The CERT public PGP key is available from
ftp://info.cert.org/pub/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline
+1 412 268 7090
to exchange a DES key over the phone.
Other CERT contact information:
Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
and are on call for emergencies during other hours.
Fax: +1 412-268-6989
Postal address: CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA
CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.
Past CERT publications, information about FIRST representatives, and
other information related to computer security are available from
ftp://info.cert.org/pub/
Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.
CERT is a service mark of Carnegie Mellon University.
..............................................................................
Appendix: Incident Reporting Form
(also available from ftp://info.cert.org/pub/incident.reporting.form)
CERT(sm) Coordination Center
Incident Reporting Form
CERT has developed the following form in an effort to facilitate our
interaction with members of the Internet community. We would appreciate your
completing the form included below in as much detail as possible. The
information is optional, but the more information you can provide, the better
we will be able to assist you.
Note that our policy is to keep confidential any information you provide
unless we receive your permission to release that information. (See questions
8 and 11 below.)
Please feel free to duplicate any section as required. Please return
this form to cert@cert.org. If you are unable to e-mail this form,
please send it via FAX. Our FAX telephone number is +1 412-268-6989.
Thank you for your cooperation and help.
1) Incident number (assigned by CERT): CERT#
2) Reporting site information
Organizational Name (e.g. CERT Coordination Center):
Domain Name (e.g. cert.org):
3) Your contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (for CERT internal use only):
4) Additional contact information (if available)
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (for CERT internal use only):
5) Compromised host(s) at your site (one entry per host please)
Hostname:
IP address:
Vendor:
Hardware:
OS:
Version:
Security patches applied:
6) Please list the other sites compromised that you have notified, and
the contact information for each site (one entry per site please)
Hostname:
IP address:
Contact information:
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, for CERT internal use only):
7) Please list the other sites compromised that you have not yet
notified (one entry per site please)
Hostname:
IP address:
Contact information (if available):
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
8) Would you be willing to contact these sites if CERT provided you
the relevant contact information (Yes/No):
Or, can CERT give your contact information to these sites when we
contact them (Yes/No):
9) Incident category (Yes/No)
Probe:
Prank:
Mail Spoofing:
Break-in:
Installed Trojan Horse:
Intruder gained root access:
NIS (yellow pages) attack:
NFS attack:
TFTP attack:
FTP attack:
Telnet attack:
Rlogin or rsh attack:
Product vulnerability:
Worm:
Virus:
Other (please specify):
10) Are you currently using (Yes/No/Periodically)
COPS (The Computer Oracle and Password System):
TCP access control using packet filtering:
Host access control via modified daemons or wrappers:
Crack:
Tripwire:
Proactive password checkers (e.g. npasswd, passwd+):
Shadow passwords:
Other (please specify):
11) Miscellaneous
Please specify any other incident response team(s) you have
contacted
Team:
Contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
If you have not contacted another incident response team,
could we give them your contact information (Yes/No):
Please specify any law enforcement agency(ies) you have
contacted
Agency:
Contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
If you have not contacted any law enforcement agency, could we
give them your contact information, if necessary (Yes/No):
12) Detailed description of incident (e.g. method of intrusion, etc)
13) What assistance would you like from CERT?
Copyright 1995 Carnegie Mellon University
This form may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the CERT Coordination Center is
acknowledged.
CERT is a service mark of Carnegie Mellon University.
Alert to Network Service Providers - Widespread attacks on Internet sites
CERT Coordination Center
December 18, 1995
=============================================================================
Over the last several weeks, the CERT Coordination Center has been
working on related incidents where the intruders have launched
widespread attacks against Internet sites. Due to the scope of this
incident, we ask that you alert your customers/constituency as soon as
possible, and urge them to take action to ensure that systems are
protected against these attacks. Please feel free to redistribute
this message.
Hundreds of sites have been attacked, and many of the attacks have
been successful, resulting in root compromises at the targeted sites.
We are working directly with the root-compromised sites.
We continue to receive reports, and we believe that more attacks are
going undetected.
**************************************************************************
NOTE -- all of the vulnerabilities exploited in this attack are known,
and are addressed by CERT advisories.
**************************************************************************
The MO of the attacks and advisories that address these vulnerabilities
are listed below. We cannot emphasize enough the importance of
taking the actions suggested in these advisories and README files.
- using automated tools to scan sites for NFS and NIS
vulnerabilities
* CA-94:15.NFS.Vulnerabilities and CA-94:15.README
* CA-92:13.SunOS.NIS.vulnerability
- exploiting the rpc.ypupdated vulnerability to gain root
access
* CA-95:17.rpc.ypupdated.vul and CA-95:17.README
- exploiting the loadmodule vulnerability to gain root access
* CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability,
CA-95:12.sun.loadmodule.vul and CA-95:12.README
- installing Trojan horse programs and packet sniffers
* CA-94:01.ongoing.network.monitoring.attacks and
CA-94:01.README
- launching IP spoofing attacks
* CA-95:01.IP.spoofing and CA-95:01.README
The CERT advisories and README files are available from:
ftp://info.cert.org:/pub/cert_advisories
Please feel free to forward this alert to other providers of Internet
services, in addition to notifying your customers/constituents of this
attack.
We will also be launching CERT advisory CA-95:18.widespread.attacks
this morning. I have appended a copy of this advisory below.
Communicating with us
- ----------------------
Warning: For sensitive information, use encrypted email. You will find
the CERT public PGP key at the end of this document. If you would
prefer to use DES, please call the CERT hotline:
+1 412 268 7090
to exchange a DES key over the phone.
If you or one of your customers find a compromise, please complete and
return the Incident Reporting Form (IRF) appended below. This
completed form will help us better assist you.
Because of our workload, we must ask you not to send log files of
activity, but we would be happy to work with you as needed on how to
interpret data that you may collect.
If you see activity that indicates an attack is in progress, we
encourage you to contact your customer, or other sites involved or
their service provider. We will also be happy to provide guidance and
advice, if needed, on how to handle incidents and work with law
enforcement.
CERT Public Key
- ----------------------
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6
mQCNAi2a4WoAAAEEAN0IPkqCmoGRud0Kts3g4ZGgZ4zyqY8C5VTOgUcqU+D2U1so
21K6dxj/lewKFduXtNpqDeg6C0wR6GIMJ2jWLU4GUEq0xHohioWGGg5O3QTvCpN3
rnLIKO9urv4Wjgkp1n1ys7xcOYl5jb7kuhdlXs3kNgKi4zBB5XVP+x0t4w7BAAUR
tChDRVJUIENvb3JkaW5hdGlvbiBDZW50ZXIgPGNlcnRAY2VydC5vcmc+iQCVAgUQ
LZrkOXVP+x0t4w7BAQEI3QP/d9gl7GD52Pd8KbsBMb0hiploigL8kZW1Q1fVsIm1
cO9xumU89CLf2jrN+IdrIMpVWAO3DyJjZooZTaJBg/9jjv3HltHTq/XFD5c+WYlM
G+fQZVuR8qu8+D8P8pPbNVm94wxj9fyKO39/dnub1UfjDedJBtt+zgMJmstADkOv
QBM=
=N6E5
- -----END PGP PUBLIC KEY BLOCK-----
Incident Reporting Form
- ----------------------
Please complete this form if you are reporting a compromise.
CERT(sm) Coordination Center
Incident Reporting Form
CERT has developed the following form in an effort to facilitate our
interaction with members of the Internet community. We would appreciate
your completing the form included below in as much detail as possible.
The information is optional, but the more information you can provide,
the better we will be able to assist you.
Note that our policy is to keep confidential any information you provide
unless we receive your permission to release that information. (See questions
8 and 11 below.)
Please feel free to duplicate any section as required. Please return
this form to cert@cert.org. If you are unable to e-mail this form,
please send it via FAX. Our FAX telephone number is +1 412-268-6989.
Thank you for your cooperation and help.
1) Incident number (after assigned by CERT):
2) Reporting site information
Organizational Name (e.g. CERT Coordination Center):
Domain Name (e.g. cert.org):
3) Your contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (for CERT internal use only):
4) Additional contact information (if available)
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (for CERT internal use only):
5) Compromised host(s) at your site (one entry per host please)
Hostname:
IP address:
Vendor:
Hardware:
OS:
Version:
Security patches applied:
6) Please list the other sites compromised that you have notified, and
the contact information for each site (one entry per site please)
Hostname:
IP address:
Contact information:
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, for CERT internal use only):
7) Please list the other sites compromised that you have not yet
notified (one entry per site please)
Hostname:
IP address:
Contact information (if available):
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
8) Would you be willing to contact these sites if CERT provided you
the relevant contact information (Yes/No):
Or, can CERT give your contact information to these sites when we
contact them (Yes/No):
9) Incident category (Yes/No)
Probe:
Prank:
Mail Spoofing:
Break-in:
Installed Trojan Horse:
Intruder gained root access:
NIS (yellow pages) attack:
NFS attack:
TFTP attack:
FTP attack:
Telnet attack:
Rlogin or rsh attack:
Product vulnerability:
Worm:
Virus:
Other (please specify):
10) Are you currently using (Yes/No/Periodically)
COPS (The Computer Oracle and Password System):
TCP access control using packet filtering:
Host access control via modified daemons or wrappers:
Crack:
Tripwire:
Proactive password checkers (e.g. npasswd, passwd+):
Shadow passwords:
Other (please specify):
11) Miscellaneous
Please specify any other incident response team(s) you have
contacted
Team:
Contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
If you have not contacted another incident response team,
could we give them your contact information (Yes/No):
Please specify any law enforcement agency(ies) you have
contacted
Agency:
Contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
If you have not contacted any law enforcement agency, could we
give them your contact information, if necessary (Yes/No):
12) Detailed description of incident (e.g. method of intrusion, etc)
13) What assistance would you like from CERT?
Copyright 1995 Carnegie Mellon University
This form may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the CERT Coordination Center is
acknowledged.
CERT is a service mark of Carnegie Mellon University.
=============================================================================
CA-95:18 CERT Advisory
December 18, 1995
Widespread Attacks on Internet Sites
-----------------------------------------------------------------------------
Over the last several weeks, the CERT Coordination Center has been working on
a set of incidents in which the intruders have launched widespread attacks
against Internet sites. Hundreds of sites have been attacked, and many of the
attacks have been successful, resulting in root compromises at the targeted
sites. We continue to receive reports, and we believe that more attacks are
going undetected.
**********************************************************************
All the vulnerabilities exploited in these attacks are known, and are
addressed by CERT advisories (see Section III).
**********************************************************************
We urge everyone to obtain these advisories and take action to ensure
that systems are protected against these attacks. Also, please feel
free to redistribute this message.
As we receive additional information relating to this advisory, we
will place it in
ftp://info.cert.org/pub/cert_advisories/CA-95:18.README
We encourage you to check our README files regularly for updates on
advisories that relate to your site.
-----------------------------------------------------------------------------
I. Description
Intruders are doing the following:
- using automated tools to scan sites for NFS and NIS vulnerabilities
- exploiting the rpc.ypupdated vulnerability to gain root access
- exploiting the loadmodule vulnerability to gain root access
- installing Trojan horse programs and packet sniffers
- launching IP spoofing attacks
II. Impact
Successful exploitation of the vulnerabilities can result in unauthorized
root access.
III. Solution
The CERT staff urges you to immediately take the steps described in
the advisories and README files listed below. Note that it is important
to check README files as they contain updated information we received
after the advisory was published.
a. Using automated tools to scan sites for NFS and NIS vulnerabilities
* CA-94:15.NFS.Vulnerabilities
* CA-94:15.README
* CA-92:13.SunOS.NIS.vulnerability
b. Exploiting the rpc.ypupdated vulnerability to gain root access
* CA-95:17.rpc.ypupdated.vul
* CA-95:17.README
c. Exploiting the loadmodule vulnerability to gain root access
* CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability
* CA-95:12.sun.loadmodule.vul
* CA-95:12.README
d. Installing Trojan horse programs and packet sniffers
* CA-94:01.ongoing.network.monitoring.attacks
* CA-94:01.README
e. Launching IP spoofing attacks
* CA-95:01.IP.spoofing
* CA-95:01.README
The CERT advisories and README files are available from
ftp://info.cert.org/pub/cert_advisories
If you find a compromise, please complete the Incident Reporting Form
that we have provided in the appendix of this advisory, and return the
form to cert@cert.org. This completed form will help us better assist
you.
Note: Because of our workload, we must ask you not to send log files of
activity, but we would be happy to work with you as needed on how to
interpret data that you may collect. Also, the CERT staff can provide
guidance and advice, if needed, on how to handle incidents and work with
law enforcement.
If you see activity that indicates an attack is in progress, we encourage
you to contact other sites involved and the service providers, as well as
the CERT Coordination Center.
---------------------------------------------------------------------------
Contacting the CERT Coordination Center
For sensitive information, please use encrypted email.
The CERT public PGP key is available from
ftp://info.cert.org/pub/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline
+1 412 268 7090
to exchange a DES key over the phone.
Other CERT contact information:
Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
and are on call for emergencies during other hours.
Fax: +1 412-268-6989
Postal address: CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA
CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.
Past CERT publications, information about FIRST representatives, and
other information related to computer security are available from
ftp://info.cert.org/pub/
Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.
CERT is a service mark of Carnegie Mellon University.
..............................................................................
Appendix: Incident Reporting Form
(also available from ftp://info.cert.org/pub/incident.reporting.form)
CERT(sm) Coordination Center
Incident Reporting Form
CERT has developed the following form in an effort to facilitate our
interaction with members of the Internet community. We would appreciate your
completing the form included below in as much detail as possible. The
information is optional, but the more information you can provide, the better
we will be able to assist you.
Note that our policy is to keep confidential any information you provide
unless we receive your permission to release that information. (See questions
8 and 11 below.)
Please feel free to duplicate any section as required. Please return
this form to cert@cert.org. If you are unable to e-mail this form,
please send it via FAX. Our FAX telephone number is +1 412-268-6989.
Thank you for your cooperation and help.
1) Incident number (assigned by CERT): CERT#
2) Reporting site information
Organizational Name (e.g. CERT Coordination Center):
Domain Name (e.g. cert.org):
3) Your contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (for CERT internal use only):
4) Additional contact information (if available)
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (for CERT internal use only):
5) Compromised host(s) at your site (one entry per host please)
Hostname:
IP address:
Vendor:
Hardware:
OS:
Version:
Security patches applied:
6) Please list the other sites compromised that you have notified, and
the contact information for each site (one entry per site please)
Hostname:
IP address:
Contact information:
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, for CERT internal use only):
7) Please list the other sites compromised that you have not yet
notified (one entry per site please)
Hostname:
IP address:
Contact information (if available):
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
8) Would you be willing to contact these sites if CERT provided you
the relevant contact information (Yes/No):
Or, can CERT give your contact information to these sites when we
contact them (Yes/No):
9) Incident category (Yes/No)
Probe:
Prank:
Mail Spoofing:
Break-in:
Installed Trojan Horse:
Intruder gained root access:
NIS (yellow pages) attack:
NFS attack:
TFTP attack:
FTP attack:
Telnet attack:
Rlogin or rsh attack:
Product vulnerability:
Worm:
Virus:
Other (please specify):
10) Are you currently using (Yes/No/Periodically)
COPS (The Computer Oracle and Password System):
TCP access control using packet filtering:
Host access control via modified daemons or wrappers:
Crack:
Tripwire:
Proactive password checkers (e.g. npasswd, passwd+):
Shadow passwords:
Other (please specify):
11) Miscellaneous
Please specify any other incident response team(s) you have
contacted
Team:
Contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
If you have not contacted another incident response team,
could we give them your contact information (Yes/No):
Please specify any law enforcement agency(ies) you have
contacted
Agency:
Contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):
If you have not contacted any law enforcement agency, could we
give them your contact information, if necessary (Yes/No):
12) Detailed description of incident (e.g. method of intrusion, etc)
13) What assistance would you like from CERT?
Copyright 1995 Carnegie Mellon University
This form may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the CERT Coordination Center is
acknowledged.
CERT is a service mark of Carnegie Mellon University.