CERT Summary CS-95:02

CERT Advisory cert-advisory at cert.org
Tue Sep 26 20:26:56 UTC 1995

CERT Summary CS-95:02
September 26, 1995

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our incident
response staff. The summary includes pointers to sources of information for
dealing with the problems. Starting with this summary, we will also list new
or updated files that are available for anonymous FTP from ftp://info.cert.org

Past CERT Summaries are available from 

Recent Activity
Since the July CERT Summary, we have seen these continuing trends in incidents
reported to us:

1. Sendmail Attacks

We receive several reports each week of attacks through sendmail, with
intruders using a variety of techniques. Most of the attacks are aimed at
gaining privileged access to the victim machine.

To combat these threats, we encourage sites to take the appropriate steps
outlined in the following:



A number of sites have reported some confusion on the need to continue using
the sendmail restricted shell program (smrsh). You need to run the smrsh tool
in conjunction with the most recently patched version of sendmail for your

Information on the smrsh tool can be obtained from these places in


The smrsh program can be obtained from


It is included in the sendmail 8.7 distribution.

2. Network Scanning

Several incidents have recently been reported in which intruders scan a large
address range using the Internet Security Scanner (ISS). As described in CERT
advisory CA-93:14, this tool interrogates all computers within a specified IP
address range, determining the security posture of each with respect to
several common system vulnerabilities.

Intruders have used the information gathered from these scans to compromise
sites. We are aware of many systems that have suffered a root compromise as a
result of information intruders obtained from ISS scans.

You may wish to run ISS against your own site in accordance with your
organization's policies and procedures. ISS is available from


We encourage you to take relevant steps outlined in these documents:


3. Exploitation of rlogin and rsh

We have received some reports about the continued exploitation of a
vulnerability in rlogin and rsh affecting IBM AIX 3 systems and Linux systems.
This is not a new vulnerability, but it continues to exist. Sites have
reported encountering some Linux distributions that contain this

Information on this vulnerability and available solutions can be
obtained from


4. Packet Sniffers

We continue to receive new incident reports daily about sniffers on
compromised hosts. These sniffers, used to collect account names and
passwords, are frequently installed using a kit. In some cases, the packet
sniffer was found to have been running for months. Occasionally, sites had
been explicitly warned of the possibility of such a compromise, but the
sniffer activity continued because the site did not address the problem in the
comprehensive manner that we suggest in our security documents.

Further information on packet sniffers is available from


Information about detecting sniffers using cpm is in the CA-94:01.README

What's New in the CERT FTP Archive
We have made the following changes since June 1, 1995.

* New Additions:


    incident.reporting.form (the form you should fill out when
                             reporting an incident to our staff)




    VB-95:05.osf    (OSF/DCE security hole)
    VB-95:06.cisco  (vulnerability in Cisco's IOS software)


    AUSCERT_checklist_1.0 (UNIX checklist developed by the Australian
                           Emergency Response Team) 

* Updated Files 


  CA-93:14.README (Internet Security Scanner)
  CA-94:01.README (network monitoring)
  CA-94:02.README (SunOS rpc mountd vulnerability)
  CA-94:05.README (md5)
  CA-94:11.README (majordomo) 
  CA-95:01.README (IP spoofing and hijacked terminal connections) 
  CA-95:02.README (binmail vulnerabilities)
  CA-95:05.README (sendmail - several vulnerabilities)
  CA-95:08.README (sendmail version 5 and IDA sendmail) 
  CA-95:09.README (Solaris ps)
  CA-95:11.README (Sun sendmail -oR vulnerability) 

We have begun adding a note to advisory README files reminding readers to
check with vendors for current checksum values. After we publish checksums in
advisories and READMEs, files and checksums are sometimes updated at
individual locations.

* Other Changes:

As we will no longer be keeping the lsof directory current, the directory and
its files have been removed from our FTP site. The current version of lsof is
available from


How to Contact the CERT Coordination Center

Email    cert at cert.org 

Phone    +1 412-268-7090 (24-hour hotline) 
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours. 

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories 
and bulletins, send your email address to

        cert-advisory-request at cert.org

CERT advisories and bulletins are posted on the USENET news group


If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the email be encrypted.  
We can support a shared DES key, PGP, or PEM (contact CERT staff for details).

Location of CERT PGP key


Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission
provided it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

More information about the NANOG mailing list