CERT Advisory CA-2000-03 (fwd)

Area de Seguridad en Computo asc en conga.super.unam.mx
Fri Apr 28 11:59:25 CDT 2000


-----BEGIN PGP SIGNED MESSAGE-----


Hello!!

Yesterday a bulletin was published reporting flaws in several versions of
DNS servers.

Multiple machines worldwide are falling victim to exploitation of these
vulnerabilities, including machines that are not serving as DNS servers
but have that service active. We recommend updating BIND to the latest
existing version, as well as its implementation, and staying alert for
future versions that fix the various flaws being reported day after day
to security organizations worldwide.

We recommend reviewing the following link:

http://www.cert.org/advisories/CA-99-14-bind.html

One of the most noticeable symptoms at the time of detection is the
creation of empty directories on some systems where the NXT record has
been exploited; these directories usually reside in:

      /var/named/ADMROCKS
      /var/named/O

Some other symptoms that appear are the following:

	* A duplicate inetd daemon process with a different process number,
invoking a configuration file that generally resides under /tmp

	* Modified system files such as /etc/inittab, and some initialization
files from the exploitation of the vulnerability, used by the intruders.

	* Trojan horses planted in the sshd and /bin/login programs,
providing access to the compromised system.

	* Files called rootkits, which contain a wide variety of Trojan
horses and replacements for important system files, such as those located
under /bin; they also contain sniffers (network capture tools),
denial-of-service (DoS) tools, automated vulnerability scanners, and
various exploits that provide unrestricted access to the system.
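
A host triage script for the artifacts listed above, as an added example that is not part of the original message or the CERT advisory. It assumes POSIX sh with awk and cksum, an sshd location of /usr/sbin/sshd, and a baseline file of `cksum` output recorded on a known-good system; each check takes its input explicitly (a root prefix, stdin, a baseline path) so it can be run against a mounted disk image as well as the live host.

```shell
#!/bin/sh
# Triage checks for the compromise artifacts named in CA-2000-03.
# Added example, not from the advisory; inputs are passed explicitly so the
# checks can run against a mounted image or constructed data, not only /.

# 1. Empty directories left behind by the NXT exploit. Returns 0 if any exists.
check_named_dirs() {
    root="${1:-}"; found=1
    for d in /var/named/ADMROCKS /var/named/O; do
        if [ -d "$root$d" ]; then
            echo "artifact: $root$d exists"; found=0
        fi
    done
    return $found
}

# 2. Reads "PID command args..." lines (e.g. `ps -eo pid,args`) on stdin and flags
#    more than one inetd, or an inetd whose configuration file lives under /tmp.
check_inetd() {
    awk '
        $2 ~ /(^|\/)inetd$/ {
            n++
            for (i = 3; i <= NF; i++)
                if ($i ~ /^\/tmp\//) { print "artifact: inetd pid " $1 " reads " $i; bad = 1 }
        }
        END {
            if (n > 1) { print "artifact: " n " inetd processes running"; bad = 1 }
            exit (bad ? 0 : 1)
        }'
}

# 3. Compares login and sshd against a baseline of `cksum` lines ("crc size path")
#    recorded on a known-good system, so Trojan replacements stand out.
#    /usr/sbin/sshd is an assumed location; adjust to the local install.
check_binaries() {
    baseline="$1"; root="${2:-}"; bad=1
    for f in /bin/login /usr/sbin/sshd; do
        expected=$(awk -v p="$f" '$3 == p { print $1 }' "$baseline")
        [ -n "$expected" ] || continue          # not in baseline: nothing to compare
        actual=$(cksum "$root$f" 2>/dev/null | awk '{ print $1 }')
        if [ "$actual" != "$expected" ]; then
            echo "artifact: $root$f differs from baseline (missing or replaced)"; bad=0
        fi
    done
    return $bad
}

# Live run against the local host (the baseline path is a placeholder):
# check_named_dirs; ps -eo pid,args | check_inetd; check_binaries /path/to/baseline.cksum
```

A checksum baseline is only trustworthy if it was recorded before the compromise and kept off the host; a rootkit that replaces /bin binaries can also replace the tools used to inspect them, so run the checks from known-good media where possible.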

To reduce the growing number of reports of vulnerable servers running as
DNS servers, we recommend updating that software to the latest existing
version and also applying the corresponding patches for its optimal
operation.

For more information about this bulletin, we recommend reading it in its
original form as received and issued by the CERT-EU, which we attach at
the end of this message, or at the following address:

	http://www.cert.org/advisories/CA-2000-03.html

If you have any questions or comments on this matter within the .unam.mx
domain or within the .mx domain, we recommend directing them to:

                Área de Seguridad en Cómputo
                DGSCA-UNAM
                Tel : 56 22 81 69
                Fax : 56 22 80 43
                E-Mail : asc en conga.super.unam.mx
                http://www.asc.unam.mx/
                PGP-KEY: http://www.asc.unam.mx/Acerca_del_ASC/llave_pgp.html

Best regards
--JC GUEL


===========================================================================

> CERT(r) Advisory CA-2000-03 Continuing Compromises of DNS servers
> 
>    Original release date: April 26, 2000
>    Last revised: April 26, 2000
>    Source: CERT/CC
> 
> Systems Affected
> 
>      * Systems running various vulnerable versions of BIND (including on
>        machines where the system administrator does not realize a DNS
>        server is running)
> 
> Overview
> 
>    This CERT Advisory addresses continuing compromises of machines
>    running the Domain Name System (DNS) server software that is part of
>    BIND ("named"), including compromises of machines that are not being
>    used as DNS Servers. The Advisory also reports that a significant
>    number of delegated(*) DNS servers in the in-addr.arpa tree are running
>    outdated versions of DNS software, and urges system and network
>    administrators to ensure that they are up-to-date with DNS security
>    patches and workarounds.
>    ______________________________________________________________________
> 
>    The CERT Coordination Center has received reports of continuing
>    activity indicating that intruders are targeting machines running
>    vulnerable versions of "named". We continue to receive regular, daily
>    reports that sites running unpatched, vulnerable versions of "named"
>    have been compromised. CERT Advisory CA-99-14 "Multiple
>    Vulnerabilities in BIND" describes the BIND NXT record privileged
>    compromise vulnerability that is being exploited. We encourage you to
>    review this advisory and to apply the appropriate patches if you have
>    not done so already. The advisory is available at
> 
>      http://www.cert.org/advisories/CA-99-14-bind.html
> 
>    Some sites with compromised systems have found one of the following
>    empty directories on systems where the NXT record vulnerability was
>    successfully exploited:
> 
>      /var/named/ADMROCKS
>      /var/named/O
> 
>    Other artifacts that are commonly found include
>      * inetd started with an intruder-supplied configuration file in /tmp
>        that provides a backdoor into the system
>      * modified /etc/inittab and/or system startup files to load intruder
>        processes at boot time
>      * Trojan horse versions of sshd and /bin/login designed to provide a
>        backdoor into a compromised system
>      * complete rootkits that include Trojan horse replacements for
>        system binaries, sniffers, denial-of-service tools, vulnerability
>        scanners, exploits, etc.
>      * newer versions of BIND
> 
>    Compromised systems are commonly used to search for and attack other
>    potentially vulnerable systems.
> 
>    In many of the reports of DNS server compromises, compromised machines
>    running DNS server software were not being used as DNS servers. The
>    DNS server software was running because it was installed by default
>    (unknowingly in many cases) when the machines were configured. This
>    software was not up to date with security patches and workarounds; and
>    since the system administrators were not planning to have the machines
>    operate as DNS servers, they did not ensure the software was up to
>    date, or simply disable the DNS server software on the machine. We
>    encourage system and network administrators to disable DNS server
>    software, and other services, on machines where the services are not
>    needed.
> 
>    We have also received information from Bill Manning of the USC/ISI
>    concerning DNS servers running vulnerable versions of domain name
>    server software. Since 1997, Bill Manning has swept the inverse tree
>    (in-addr.arpa) on a quarterly basis to verify the accuracy of
>    delegations within that hierarchy. Using the first quarter survey
>    results, he compiled a list of what version of DNS server software
>    the servers were running. Of the responding DNS servers that are
>    delegated(*) DNS servers for the in-addr.arpa zone, more than 50%
>    of these DNS servers were running older, vulnerable versions of
>    BIND (any vulnerabilities, not just the NXT vulnerability). This is
>    significant because the compromise of DNS servers that are
>    delegated DNS servers can have impact on the security of other
>    organizations in addition to the organization operating the DNS
>    server.
> 
>    A copy of the survey results is available at
> 
>      http://www.isi.edu/~bmanning/in-addr-audit.html
> 
>    Based on the number of older versions being run, and the rate of
>    compromises, we believe the number of DNS servers running older,
>    vulnerable versions of BIND have not significantly decreased since the
>    survey was published.
> 
>    We encourage DNS server operators to ensure that their DNS server
>    software is up to date with the most recent versions of the DNS server
>    software and that all security patches and workarounds have been
>    applied.
> 
> 
>    delegated DNS server: a delegated DNS is a DNS server that is assigned
>    responsibility for responding to requests for a portion of the DNS
>    hierarchy. For more information on delegation, see the section on
>    delegation in DNS and BIND third edition, by Paul Albitz and Cricket
>    Liu, O'Reilly and Associates, 1998.
> 
> 
>    Advisory Author: Jeffrey J. Carpenter
>      _________________________________________________________________
> 
>    The CERT Coordination Center thanks Bill Manning, USC/ISI, for
>    providing information used in this CERT Advisory.
>    ______________________________________________________________________
> 
>    This document is available from:
>    http://www.cert.org/advisories/CA-2000-03.html
>    ______________________________________________________________________
> 
> CERT/CC Contact Information
> 
>    Email: cert en cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
> 
>    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>    Monday through Friday; they are on call for emergencies during other
>    hours, on U.S. holidays, and on weekends.
> 
> Using encryption
> 
>    We strongly urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
> 
>    http://www.cert.org/CERT_PGP.key
> 
>    If you prefer to use DES, please call the CERT hotline for more
>    information.
> 
> Getting security information
> 
>    CERT publications and other security information are available from
>    our web site
> 
>    http://www.cert.org/
> 
>    To be added to our mailing list for advisories and bulletins, send
>    email to cert-advisory-request en cert.org and include SUBSCRIBE
>    your-email-address in the subject of your message.
> 
>    * "CERT" and "CERT Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
> 
>    NO WARRANTY
>    Any material furnished by Carnegie Mellon University and the Software
>    Engineering Institute is furnished on an "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied as to any matter including, but not limited to, warranty of
>    fitness for a particular purpose or merchantability, exclusivity or
>    results obtained from use of the material. Carnegie Mellon University
>    does not make any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
> 



