Windows systems that support the "Null Session" can be exploited to glean information on user accounts, group memberships, password policy and much more. Some advice on how to protect your system.
Our wireless environment is now secured with production quality Thawte certificates to prevent man-in-the-middle attacks. Users should be encouraged to never accept a certificate that their browser does not trust. Documentation revisions are in progress for wireless users.
We raise alarms on systems we observe scanning for Microsoft services. This has served us well as a reliable indicator for compromised systems. On some parts of our network, detected systems are automatically ejected.
A snort alarm is now in place to detect mail servers at odd port numbers -- often that is a good indication that a system is being exploited to relay spam. This complements an existing "Flow-Data" alarm that triggers on port 25 scanning. We saw a couple of compromises Nov 26 and 27.
We raise alarms on systems we observe connecting to a large number of off-site mail servers (connections to port 25/tcp). This has served us well as a reliable indicator for compromised systems. On some parts of our network, detected systems are automatically ejected.
Apache/PHP applications are often a security risk. A recent scan identified too many servers with vulnerable versions of PHP. This security note includes some advice for securing PHP servers and applications.
Since 05-Aug-2004 we have alarmed scans and attacks on the SSH and FTP services but recently attacks seem to have escalated. This note includes important advice for Unix managers on mitigating the risk of compromise.
Snort detects attacks on a vulnerability in the TWiki history function. Alarms are sent to the attacker's ISP. TWiki maintainers are advised to apply patches or upgrade to the current release.
Improved snort signatures provide better accuracy at detecting IRCbotnet activity -- infected systems act as a slave/robot with commands issued over an IRC channel. Automated alarms implemented.
We note increased activity on CA BrightStor ARCserve vulnerabilities. An alarm has been installed so that abuse contacts are notified when scans are detected. We assume the scanning sources are compromised zombies.
We note occasional attacks on the Microsoft Remote Display Protocol (port 3389/tcp, also known as "Terminal Services") and assume attackers are searching, or will search, for accounts with poor passwords. Cf. attacks on SSH.
EMC Legato Backup uses a weak authentication method that could allow a remote attacker to execute arbitrary commands. Legato is a popular backup/restore service at our site that currently is not firewalled.
Several active exploits are in the wild for Windows systems that are not firewalled and are not at current patch level. Zotob and Sasser spread quickly amongst unprotected systems. We can test for patches MS04-007, MS04-011 and MS05-039 on systems that don't have a firewall. An initial scan of the campus network showed that about 5% of the machines tested were vulnerable -- the real number is much larger.
The SANS Institute @RISK: The Consensus Security Vulnerability Alert Vol. 4 No. 31 of 05-Aug-2005 reports more problems with BrightStor ARCserve Backup for Windows and notes that multiple exploits have been published. We scanned the campus network and note several systems which might be vulnerable.
Automated alarms are in place to detect some systems infected with an IRCbotnet. Infected systems were scanning for vulnerable services and the infection spread quickly.
Recent sustained attacks on port 10000/tcp are attempts to find and exploit systems running vulnerable versions of Veritas Backup.
Automated alarms are in place to detect attackers infected with a variant of the Rbot virus/worm which attacks IIS servers.
Automated alarms are in place to detect rogue SSH servers at odd port numbers -- these are often a marker that a system has been compromised.
Automated alarms are in place to detect attackers scanning for port 2100/tcp -- the sometimes vulnerable Oracle XDB FTP service.
Automated alarms are in place to detect odd IRC servers -- these are often a marker that a system has been compromised.
Automated alarms are in place to detect rogue FTP servers on odd ports -- these are often a marker that a system has been compromised.
Automated alarms are in place to detect attackers scanning for port 1521/tcp -- Oracle services. Very few servers are exposed to the world.
Automated alarms are in place to detect attackers scanning for port 5900/tcp -- hackers are installing VNC services on compromised systems.
Automated alarms are in place to detect attackers scanning for port 6101/tcp -- the sometimes vulnerable Veritas Backup service.
Automated alarms are in place to detect attackers scanning for port 4899/tcp. Abuse contacts are notified when attacks are noted.
Automated alarms are in place to detect odd Virus/Worm activities on infected systems that are trying to spread their infection. Mail servers should be configured to refuse malicious content.
We recently experienced the compromise of a Linux/phpBB server where the attacker leveraged a problem with the "admin_forums.php" script to install a backdoor and then download an XDCC server. This is a serious issue -- it seems that it's trivial to compromise a vulnerable system and it seems that all phpBB systems are vulnerable.
Automated alarms are in place to detect spyware/mail traffic -- these are often a marker that a system has been compromised.
Automated alarms are in place to detect attackers scanning for port 31337/tcp -- a virus/worm backdoor.
Server Message Block protocol flaw of MS05-011 affects NT 4.0 systems and no patch is available to those who have not purchased extended support. Vulnerability could allow an attacker to seize control of vulnerable systems.
phpBB versions earlier than 2.0.13 on all platforms are easily compromised and compromises are reported at other sites. phpBB version 2.0.13 was released on 27-Feb-2005 as a "Critical Update" to fix two security problems, one critical. See also our vulnerability note 20041216.
The CDE Desktop Subprocess Control Daemon dtspcd(8) is seldom required, is a dangerous service and should be removed. Scanning activity by the hacker community on local compromised systems confirms that this is a dangerous service. Working group notified, systems identified, periodic scan implemented. See also our vulnerability note 20011113.
MarketScore proxy intercepts and records all web transactions -- this includes userids, passwords, credit card numbers, web-based email services and much more. Many in the security community believe that this is an unacceptable privacy compromise. Security Working Group notified, systems identified.