CERT/CC Incident Notes

IN-2001-05: The "cheese" Worm

May 17, 2001

The CERT/CC has observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. We have obtained an artifact called the 'cheese worm' which may contribute to the pattern.

IN-2001-04: "Carko" Distributed Denial-of-Service Tool

April 24, 2001

The CERT/CC has received reports that a distributed denial-of-service (DDoS) tool named Carko is being installed on compromised hosts.

IN-2001-03: Exploitation of BIND Vulnerabilities

March 30, 2001

On January 29, 2001 the CERT/CC published CERT Advisory CA-2001-02 detailing multiple vulnerabilities in multiple versions of ISC BIND nameserver software. Two of the vulnerabilities described in the advisory are now actively being exploited by the intruder community to compromise systems.

IN-2001-02: Open mail relays used to deliver "Hybris Worm"

March 2, 2001

The CERT/CC has received reports of intruders using open mail relays to propagate malicious code such as the "Hybris Worm." The code propagates through email messages and newsgroup postings, specifically targeting Windows machines.

IN-2001-01: Widespread Compromises via "ramen" Toolkit

January 18, 2001

The CERT/CC has received reports from sites that have recovered an intruder toolkit called "ramen" from compromised hosts. Ramen, which is publicly available, exploits one of several known vulnerabilities and contains a mechanism to self-propagate.

IN-2000-10: Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities

September 15, 2000

Recent reports involving intruder exploitation of two vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggest that intruders are using scripts and toolkits to automate attacks.

IN-2000-09: Systems Compromised Through a Vulnerability in the IRIX telnet daemon

August 31, 2000

We have received reports of intruder activity involving the telnet daemon on SGI machines running the IRIX operating system. Intruders are actively exploiting a vulnerability in telnetd that is resulting in a remote root compromise of victim machines.

IN-2000-08: Chat Clients and Network Security

June 21, 2000

The CERT/CC has received reports and inquiries regarding the security issues inherent in the use of chat clients.

IN-2000-07: Exploitation of Hidden File Extensions

June 19, 2000

There have been a number of recent malicious programs exploiting the default behavior of Windows operating systems to hide file extensions from the user. This behavior can be used to trick users into executing malicious code by making a file appear to be something it is not.

IN-2000-06: Exploitation of "Scriptlet.Typelib" ActiveX Control

June 6, 2000

Bubbleboy and kak are email-borne viruses that exploit a vulnerability created by unsafe configuration of the Microsoft ActiveX control named "Scriptlet.Typelib," allowing local files to be created or modified.

IN-2000-05: "mstream" Distributed Denial of Service Tool

May 2, 2000

In late April 2000, we began receiving reports of sites finding a new distributed denial of service (DDOS) tool that is being called "mstream". This tool enables intruders to use multiple Internet-connected systems to launch packet flooding denial of service attacks against one or more target systems.

IN-2000-04: Denial of Service Attacks using Nameservers

April 28, 2000

Intruders are using nameservers to execute packet flooding denial of service attacks.

IN-2000-03: 911 Worm

April 4, 2000

A worm with variants known as "chode," "foreskin," "dickhair", "firkin," or "911" spreads by taking advantage of unprotected Windows shares.

IN-2000-02: Exploitation of Unprotected Windows Networking Shares

March 3, 2000

Updated April 7, 2000

Intruders are actively exploiting Windows networking shares that are made available for remote connections without requiring password authentication. This is not a new problem, but the potential impact on the overall security of the Internet is increasing.

IN-2000-01: Windows Based DDOS Agents

February 28, 2000

We have received reports indicating that intruders are beginning to deploy and utilize Windows-based denial of service agents to launch distributed denial of service attacks.

IN-99-08: Attacks against IIS web servers involving MDAC

December 10, 1999

We have received reports of IIS web servers compromised via a vulnerability in MS Data Access Components (MDAC). This note contains information about identifying attacks and pointers to further information.

IN-99-07: Distributed Denial of Service Tools

November 18, 1999

We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.

IN-99-06: Distributed Network Sniffer

October 25, 1999

We have received reports of intruders using distributed network sniffers to capture usernames and passwords. The distributed sniffer consists of a client and a server portion. The sniffer clients have been found exclusively on compromised Linux hosts.

IN-99-05: Systems Compromised Through a Vulnerability in am-utils

September 17, 1999

We have received reports of intruder activity involving the am-utils package. Reports submitted to the CERT/CC indicate that intruders are actively exploiting a vulnerability in amd that is resulting in remote users gaining root access to victim machines.

IN-99-04: Similar Attacks Using Various RPC Services

Updated October 15, 1999

Recent reports involving three RPC service vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggest that intruders are using scripts to automate attacks. These attacks appear to attempt multiple exploitations but produce similar results. An update includes information about statd.

IN-99-03: CIH/Chernobyl Virus

April 22, 1999

We have received a number of information requests about a computer virus named CIH, or the Chernobyl virus. The CIH virus infects executable files and is spread by executing an infected file. Since many files are executed during normal use of a computer, the CIH virus can infect many files quickly.

IN-99-02: Happy 99 Trojan Horse

March 29, 1999

This incident note describes the Happy99.exe Trojan Horse. Happy99 is not a macro virus and should not be confused with the Melissa Word macro virus.

IN-99-01: "sscan" Scanning Tool

January 28, 1999

Recently a new scanning tool named "sscan" was announced on various public mailing lists. The sscan tool performs probes against victim hosts to identify services which may potentially be vulnerable to exploitation.

IN-98-07: Windows NT "Remote Explorer" Virus

December 22, 1998

A new virus that attacks Microsoft Windows NT machines has recently received public attention. Some characteristics of the virus are discussed here.

IN-98-06: Automated Scanning and Exploitation

December 9, 1998

We have received reports of intruders executing widespread attacks using scripted tools to control a collection of information-gathering and exploitation tools.

IN-98-05: Probes with Spoofed IP Addresses

November 24, 1998

The CERT Coordination Center has received several reports that intruders are using spoofed IP addresses to conduct scans similar to those discussed in CA-98.09.imapd and CA-97.09.imap_pop.html.

IN-98.04: Advanced Scanning

September 29, 1998

We have received reports of two scanning techniques being used by intruders to map networks and identify systems: "stealth" scanning and scanning to identify system or network architecture.

IN-98.03: Password Cracking Activity

July 17, 1998

In an incident recently reported to the CERT/CC, a very large collection of password files was found on a compromised system. In total, the intruder appears to have a list of 186,126 accounts and encrypted passwords. At the time the password file collection was discovered, the intruder had successfully guessed 47,642 of these passwords by using a password-cracking tool.

IN-98.02: New Tools Used For Widespread Scans

July 2, 1998

Intruders launching widespread scans in order to locate vulnerable machines is nothing new; however, a new intruder tool was publicly released last week which scans networks for many different vulnerabilities. The CERT Coordination Center has received numerous reports indicating that this tool is in widespread use within the intruder community.

IN-98.01: Scans to Port 1/tcpmux and unpassworded SGI accounts

May 13, 1998

There have been recent reports of widespread scans to port 1. Intruders use these scans to locate IRIX machines. Once the IRIX machines are located, intruders attempt to take advantage of known security weaknesses in default accounts that have no passwords.

Last updated May 17, 2001

CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark office.

Copyright 2001 Carnegie Mellon University.