
From ciac@tholia.llnl.gov Wed Jul 22 18:55:59 1998
From: CIAC Mail User <ciac@tholia.llnl.gov>
To: ciac-bulletin@tholia.llnl.gov
Date: Tue, 21 Jul 1998 08:13:53 -0700 (PDT)
Subject: CIAC Bulletin I-073: multiscan ('mscan') Tool

[  For Public Release  ]
-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                            multiscan ('mscan') Tool

July 20, 1998 15:00 GMT                                           Number I-073
______________________________________________________________________________
PROBLEM:       It is believed that intruders are using a new tool called
               'Multiscan' or 'mscan'. This tool enables the user to scan
               whole domains and complete ranges of IP addresses to discover
               well-known vulnerabilities.
PLATFORM:      Hosts that are visible on the network.
DAMAGE:        This tool is used to detect exploitable vulnerabilities on
               target hosts and may provide information used by an intruder in
               further attacks.
SOLUTION:      Apply workarounds or solutions listed in Section 3.
______________________________________________________________________________
VULNERABILITY  Information concerning 'Multiscan' or 'mscan' has been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[  Start AusCERT Advisory  ]

===========================================================================
AL-98.01                        AUSCERT Alert
                          multiscan ('mscan') Tool
                                20 July 1998

Last Revised: --
- ----------------------------------------------------------------------------

AusCERT has received reports indicating a recent and substantial
increase in network scanning activity.  It is believed that intruders
are using a new tool called 'Multiscan' or 'mscan'.  This tool
enables the user to scan whole domains and complete ranges of IP
addresses to discover well-known vulnerabilities.

Information concerning this tool has been made publicly available.

AUSCERT recommends that sites take the steps outlined in section
3 as soon as possible.

This advisory will be updated as more information becomes available.

- ----------------------------------------------------------------------------

1.  Description

    AusCERT has received reports indicating a recent and substantial
    increase in network scanning activity.  It is believed that
    intruders are using a new tool called 'Multiscan' or 'mscan'.
    This tool enables the user to scan whole domains and complete
    ranges of IP addresses to discover well-known vulnerabilities
    in the following services:

        statd
        nfs
        cgi-bin Programs (eg: 'handler', 'phf' & 'cgi-test')
        X
        POP3
        IMAP
        Domain Name Servers
        finger

    The 'mscan' documentation uses the domain 'org.au' as an
    example, so that domain is likely to be the first one new
    users of the tool try it against.  Sites under 'org.au'
    should therefore expect more frequent scans.

    'mscan' also reports hosts it finds running the application
    'wingate'.  A user can bounce later scans off those hosts to
    hide the true origin of probes against a subnet.

    It is worth noting that mscan can only scan hosts that are
    visible on the network.  External users cannot probe hosts
    behind a suitably configured firewall.

2.  Impact

    'mscan' attempts to detect exploitable vulnerabilities on target
    hosts within complete ranges of IP addresses and presents this
    information to the user in a report.  This information may be
    used by an intruder in further attacks against vulnerable hosts.

3.  Workarounds/Solution

3.1 Detection

    The following events may indicate that your site has been
    probed using 'mscan' or a similar scanning tool.  In either
    case, such probing is likely to be a prelude to a subsequent
    attack:

        Evidence of systematic scans of all IP addresses within a
        domain or repeated DNS-lookups of all hosts on a subnet.

        Evidence of Zone transfers from a domain name server to
        unknown/untrusted destinations.

        Evidence of systematic probes (from the same IP address/origin)
        of the services:

                statd
                nfs
                cgi-bin Programs (eg: 'handler', 'phf' & 'cgi-test')
                X
                POP3
                IMAP
                Domain Name Servers
                finger
                The lp account
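
    The events above translate directly into a log check.  The
    script below is an added example; it is not part of the AusCERT
    advisory and is not code from the mscan tool.  It reads a
    handful of constructed log lines in three common shapes (tcpd
    'connect from' records, a BIND 'AXFR from' record, and Common
    Log Format hits on cgi-bin programs), maps the daemon names to
    the services listed above, and reports every source address
    that touches three or more of them.  The daemon-to-service
    mapping, the log formats, the addresses and the threshold of
    three are assumptions.  X and NFS probes arrive as raw port
    hits rather than daemon log entries, so a line shape taken
    from your own router or packet-filter logs would be needed to
    count them.

```python
"""Flag sources that systematically probe the services 'mscan' targets.

Added example: not part of the AusCERT/CIAC advisory and not code from the
mscan tool.  The log lines below are constructed; the daemon names, log
formats, addresses and threshold are assumptions for illustration.
"""
import re
from collections import defaultdict

# Daemon names as tcpd/syslog might report them, mapped to the service
# categories of section 3.1.  Assumed names; adjust to what your hosts log.
DAEMON_TO_SERVICE = {
    "in.fingerd": "finger",
    "ipop3d": "POP3",
    "imapd": "IMAP",
    "rpc.statd": "statd",
    "rpc.mountd": "nfs",
    "in.lpd": "lp",
}

# cgi-bin programs named in the advisory as mscan targets.
CGI_PROBES = ("handler", "phf", "cgi-test")

# tcpd style: "Jul 20 14:02:11 mail in.fingerd[211]: connect from 192.0.2.77"
TCPD_RE = re.compile(r"\s(?P<daemon>[\w.]+)\[\d+\]: connect from (?P<src>\S+)")
# BIND style: 'named[99]: unapproved AXFR from [192.0.2.77].1034 for "example.org"'
AXFR_RE = re.compile(r"named\[\d+\]: (?:un)?approved AXFR from \[(?P<src>[^\]]+)\]")
# Common Log Format request for a program under /cgi-bin/.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) /cgi-bin/(?P<prog>[\w-]+)')


def classify(line):
    """Return (source, service) if the line is a probe of a listed service, else None."""
    m = TCPD_RE.search(line)
    if m:
        service = DAEMON_TO_SERVICE.get(m.group("daemon"))
        return (m.group("src"), service) if service else None
    m = AXFR_RE.search(line)
    if m:
        return m.group("src"), "DNS zone transfer"
    m = CLF_RE.match(line)
    if m and m.group("prog") in CGI_PROBES:
        return m.group("src"), "cgi-bin"
    return None


def probes_by_source(lines):
    """Map each source address to the set of target services it touched."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return dict(seen)


def flag_scanners(lines, min_services=3):
    """Sources that touched at least min_services distinct target services, sorted."""
    return sorted(src for src, services in probes_by_source(lines).items()
                  if len(services) >= min_services)


# Constructed sample: one host sweeping six services, one ordinary mail user.
SAMPLE_LOG = [
    "Jul 20 14:02:11 mail in.fingerd[211]: connect from 192.0.2.77",
    "Jul 20 14:02:12 mail ipop3d[212]: connect from 192.0.2.77",
    "Jul 20 14:02:13 mail imapd[213]: connect from 192.0.2.77",
    "Jul 20 14:02:14 fs rpc.statd[98]: connect from 192.0.2.77",
    'Jul 20 14:02:15 ns named[99]: unapproved AXFR from [192.0.2.77].1034 for "example.org"',
    '192.0.2.77 - - [20/Jul/1998:14:02:20 +1000] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 -',
    "Jul 20 14:05:00 mail ipop3d[230]: connect from 198.51.100.9",
    "Jul 20 14:05:30 mail imapd[231]: connect from 198.51.100.9",
]

if __name__ == "__main__":
    for src, services in sorted(probes_by_source(SAMPLE_LOG).items()):
        print(src, sorted(services))
    print("probable scanners:", flag_scanners(SAMPLE_LOG))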


3.2 Protection

    Please note that securing your hosts against the vulnerabilities
    tested for by mscan does not necessarily make your hosts secure.
    It is imperative that you continue to take all of the usual
    security measures, like applying all security patches and
    performing regular monitoring activities.

    statd:

        There are well known problems in certain versions of statd
        which are exploitable remotely.  See the AusCERT Advisory
        at URL:
       
        ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.29.statd.overflow.vul

    nfs:

        NFS exported filesystems may allow an intruder to examine,
        change or add data to a filesystem on your host remotely.
        To deny access to your NFS services from the outside we
        encourage you to consider blocking inbound NFS connections
        at your router.

        For a discussion of security issues concerning NFS see the CERT
        advisory at URL:

        http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html
       

    cgi-bin Programs (eg: 'handler', 'phf' & 'cgi-test'):

        Do not install cgi-bin programs on your web server whose
        security status is dubious.  If you must have cgi-bin
        programs, you should check them for security vulnerabilities
        before installation.

        The AusCERT advisory at the following URL provides useful
        information on this topic:

        ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.01.Vulnerability.in.NCSA.Apache.CGI.example.code

    X:

        If it is not necessary to allow X Window System connections
        from outside of your site, then secure open X server ports
        (TCP 6000 and above, one port per display) against intrusion
        by blocking inbound traffic at the router.  Sites are
        encouraged to check their local documentation for access
        control mechanisms such as 'xhost' and 'xauth'.

    POP3:

        POP servers are a good source of information for intruders, and
        failed connections are not always logged.  Enable logging of
        failed POP server access where possible and monitor these logs
        for any unusual activity such as repeated failed POP logins.

        Sites should also check that they are not affected by the 'qpopper'
        vulnerability, discussed at URL:

        ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.01.qpopper.buffer.overflow.vul


    IMAP:

        There are well known problems in older versions of IMAP
        which are exploitable remotely.

        See the following advisories and ensure that you are not
        vulnerable to these problems:

        ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.09.imap_pop
        ftp://ftp.auscert.org.au/pub/mirrors/ftp.secnet.com/advisories/SNI-08.IMAP_OVERFLOW.advisory

        Also see the URL at:

        http://www.cert.org/advisories/CA-97.09.imap_pop.html


    Domain Name Servers:

        Sites should allow zone transfers only to authorised
        name servers.  This helps to impede the use of the mscan
        tool.

        There are also known problems with some versions of BIND.

        See the following advisory and ensure that you are not
        vulnerable to these problems:

        http://www.cert.org/advisories/CA-98.05.bind_problems.html
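
        Restricting transfers is a small change in named.conf.  The
        fragment below is an added example; it is not text from the
        advisory and not a configuration shipped with BIND.  It uses
        the 'allow-transfer' syntax of BIND 8 and 9, documentation
        range addresses, and assumes the zone 'example.org' has a
        single authorised secondary at 192.0.2.53.  The two zone
        statements are shown together only for comparison; they are
        alternatives and must not both be loaded.

```conf
// Added example (not from the advisory): named.conf fragment, BIND 8/9 syntax.
// 192.0.2.53 is a placeholder for the one authorised secondary name server.

// Weak: no allow-transfer clause, so any client, mscan included, can pull the
// whole zone with an AXFR and obtain a complete host list for the domain.
zone "example.org" {
    type master;
    file "db.example.org";
};

// Corrected: name the authorised secondaries once, make that the server-wide
// default, and repeat it on the zone so a later zone statement cannot widen it.
acl "secondaries" { 192.0.2.53; };

options {
    directory "/var/named";
    allow-transfer { "secondaries"; };
};

zone "example.org" {
    type master;
    file "db.example.org";
    allow-transfer { "secondaries"; };
};
```

        To check the result, request a transfer from a host that is
        not on the list, for example with 'dig @your.server
        example.org axfr': a correctly restricted server answers with
        a transfer failure instead of the zone contents, and the
        refused attempt appears in the server log, which is exactly
        the 'zone transfer to an untrusted destination' event listed
        in section 3.1.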

    finger:

        To stop unauthorised persons from obtaining personal
        information about users on your system, disable the
        'finger' service.  Additionally, block outside traffic to
        the 'finger' service (TCP port 79) at your firewall.

    lp:

        The lp account on some systems (notably IRIX) is distributed
        without a password, and intruders may be able to use it for
        unauthenticated access to a system.  The general solution is
        to 'lock' all passwordless accounts; however, this may disable
        some key features of your system.  See the following CERT
        advisory for more information on this topic:

        http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html


4. Additional Information

    The advisory documents at the following URLs:

        ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
        ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

    may also prove useful in securing your system.

- ----------------------------------------------------------------------------
AusCERT would like to thank the CERT Coordination Centre for reference
material quoted from their Incident Note: IN-98.02.

        See the following URL for the content of that document:

        http://www.cert.org/incident_notes/IN-98.02.html

- ----------------------------------------------------------------------------

The AusCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to
use the information described is the responsibility of each user
or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before
application in conjunction with local policies and procedures.
AusCERT takes no responsibility for the consequences of applying
the contents of this document.

If you believe that your system has been compromised, contact
AUSCERT or your representative in FIRST (Forum of Incident Response
and Security Teams).

AusCERT is located at The University of Queensland within the
Prentice Centre.  AusCERT is a full member of the Forum of Incident
Response and Security Teams (FIRST).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AUSCERT Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after
                hours for emergencies.

Postal:  Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld.  4072. 
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


[  End AusCERT Advisory  ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of AusCERT for the
information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-063: RSI BSDI rlogind Vulnerability
I-064: SGI IRIX  mail(1), rmail(1M), sendmail(1M) Vulnerabilities
I-065: SunOS ufsrestore Buffer Overflow Vulnerability
I-066: Vulnerability in Some Implementations of PKCS#1
I-067: AutoStart 9805 Macintosh Worm Virus
I-068: File Access Issue With Internet Information Server
I-069: Buffer overflows in some POP servers
I-070: Distributed DoS Attack Against NIS/NIS+ Networks
I-071: OpenVMS loginout Vulnerability
I-072: SunOS Vulnerabilities (libnsl, SUNWadmap)



-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNbOEwbnzJzdsy3QZAQElnQQA7ZevmpRsq0o7oiqjr7UB2UxKMBzC31R+
SbhmRxsEuDnbz9lgmP/MM/VcWZkAc+gtSmc68KgoYo8fBA5Vq4NkPYj79tFSMqzR
LuEF0Sq74OOrkywhGCBO0zLzDlnyUNgf2LVeoVqtBxh21qMdP+FWyBS90/EGZcGQ
NtA9URvLX+k=
=5ACf
-----END PGP SIGNATURE-----
