2008/01/07
Issue: Incident Summary 2007
Date: 2008/01/07-2008/01/11
This note is a summary of security incidents tracked in the 2007
calendar year. Each month we share a summary with the Security Working Group -- this collects those summaries
with minor edits. Reviewing incidents which have happened can help to
prevent and prepare for those to come.
- Significant security events/incidents in January, 2007:
- 20070106(SAV) -- one of the many SAV compromised systems. Trojan
botnet and lots of scanning for ports 135, 139, 445 and 2967. The
interesting thing about this machine -- it was ejected from the
network but returned later that month during a network reshuffle at
the site. I asked why the machine wasn't seized and physically
isolated. Was told the owner had died but they needed to keep the
machine around. I can't understand why it needed to be on net (in an
infected state).
- 20070112(psybnc) -- psybnc (an IRC proxy service) installed on Mac OS/X system. Another case of a "test" account with dumb password. Better yet, we had the same thing a few days later on another Mac OS/X system within the same group!
- 20070120(Scanning) -- scanning for 139 and 445 detected. Rogue
FTP server detected. Windows 2000, we assume a SAV compromise. Finding the "right" person is often
hard (see obligations in UCIST Statement on Security of UW Computing
and Network Resources). I ejected the system; I was recently given
full access to cn-ona so I can eject any system.
- 20070124(SAV) -- NAA (ie. wireless) scanning for port 2967, automatically
ejected. So the user logs in under a friend's account. We get notes from UT
Austin and Utah advising us we have a problem.
- 20070125(Spam) -- socks server on club machine exploited to send spam. Finding the "right" person is often hard. We need ADMIN and tech CONTACTs listed in DNS for all systems. Again, see UCIST Statement.
- 20070125(VNC) -- we watch for VNC scans on a port range. An NAA user put a BitTorrent application on a port in that range. BitTorrent clients around the world trying to connect to him are blocked by the NAA firewall but our alarms continue. Have tuned the VNC scan to only alarm port 5900.
And as you know it's been a very busy month with SAV issues. We are now blocking port 2967 at the campus boundary -- that helps to block the attacks.
Tip: One of the best ways to stop the spread of virus/worms is to quickly isolate compromised systems.
- Significant/interesting security events/incidents for February, 2007 include:
- 20070201(Scanning) -- Romania. We noted excessive traffic from a system in daily traffic reports. Snort alarmed connections from Romania (a local signature as we've seen lots of bad guys there) to an FTP service. Also observed scanning activity by the local machine. No satisfactory explanation provided.
- 20070202(Scanning) -- Port 135 scanning detected. That's a sure sign of a compromise -- the infection is trying to find MS systems missing patches that can be easily compromised. The system of record was a managed Linux system. Turns out the user (a student employee) had hijacked the IP address with his infected laptop. Beware of unmanaged systems added to your network without permission (MAC address lock down at the switch port would prevent that abuse).
- 20070213(Spam) -- Port 25 scanning detected. That's a sure sign
of a compromise -- the infection is sending spam/malware. The infected
system is behind a public wireless NAT (sic!!) at one of the colleges
-- unlike wireless NAA where we eject infected systems. Still
struggling to get that device under control.
- 20070226(Scanning) -- Port 2967, 135, 139, 445 scanning and Trojan-Bot detected on 4 systems. Again, all are sure signs of a compromise. I suspect the Trojan infected the others. On one I'm told the SAV version was not current (in spite of a previous infection on a similarly named system), on another I'm told the system was NT4 with no firewall and a dumb password. Port 2967 is the SAV remote management service which ought to be firewalled. One infected system remained on the net for several days in spite of repeated automated alarms.
And we have the usual cluster of folks putting unpatched systems on the net. The scanning activity on Feb 2 and Feb 26-Mar 1 by infected systems would find and infect unpatched systems pretty darn quick. That's how infections spread.
Tip: security notes marked URGENT should be read carefully and acted on quickly to contain problems before they spread.
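The January and February items above treat fan-out on ports 135, 139, 445, 2967 and 25 as a sure sign of compromise, and the January VNC item tunes the VNC alarm to port 5900 only after a BitTorrent client on a nearby port kept tripping it. The following script is an added example written for this summary, not IST's snort or flow tooling; the flow record format ("src dst dport proto"), the port labels, the threshold of 20 distinct destinations and the sample records are all constructed here. It flags a local host only when it reaches many distinct destinations on a watched port, so a host talking to many BitTorrent peers on port 5910 no longer registers as a VNC scan.

```python
"""Flag local hosts whose outbound flows look like worm/spam scanning.
Added example; the flow records below are constructed, not campus data."""
from collections import defaultdict

# Ports the blotter treats as "sure signs" when a local host fans out to them.
# VNC is listed as 5900 only, matching the January tuning.
WATCHED_PORTS = {
    135: "MS-RPC", 139: "NetBIOS", 445: "SMB", 2967: "SAV remote management",
    25: "SMTP (spam/malware)", 22: "SSH dictionary", 5900: "VNC",
}
# Distinct destination hosts on one port before we call it a scan (assumed value).
FANOUT_THRESHOLD = 20


def parse_flow(line):
    """Parse one constructed flow record: 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return src, dst, int(dport), proto


def find_scanners(lines, threshold=FANOUT_THRESHOLD):
    """Return {src: [(port, label, distinct_dsts), ...]} for every source whose
    fan-out on a watched TCP port reaches the threshold."""
    fanout = defaultdict(set)          # (src, dport) -> set of destination hosts
    for line in lines:
        if not line.strip():
            continue
        src, dst, dport, proto = parse_flow(line)
        if proto != "tcp" or dport not in WATCHED_PORTS:
            continue                   # 5901-5999 etc. are ignored: no BitTorrent false alarm
        fanout[(src, dport)].add(dst)
    hits = defaultdict(list)
    for (src, dport), dsts in sorted(fanout.items()):
        if len(dsts) >= threshold:
            hits[src].append((dport, WATCHED_PORTS[dport], len(dsts)))
    return dict(hits)


def sample_flows():
    """Constructed records: one host sweeping 135/445 across a /24, one host
    talking to many BitTorrent peers on 5910 (a false alarm under the old VNC
    port-range rule) and a host doing ordinary web browsing."""
    lines = []
    for i in range(1, 41):
        lines.append(f"10.0.1.50 10.0.2.{i} 135 tcp")
        lines.append(f"10.0.1.50 10.0.2.{i} 445 tcp")
    for i in range(1, 31):
        lines.append(f"10.0.1.77 198.51.100.{i} 5910 tcp")
    for i in range(1, 6):
        lines.append(f"10.0.1.90 203.0.113.{i} 80 tcp")
    return lines


if __name__ == "__main__":
    for src, reasons in find_scanners(sample_flows()).items():
        for port, label, count in reasons:
            print(f"ALARM {src}: {count} hosts on port {port} ({label})")
```

Run stand-alone it reports only 10.0.1.50, on both 135 and 445; the BitTorrent host is silent because 5910 is not on the list. Counting distinct destinations rather than raw packets is what separates a sweep from a single busy connection, and it is the same property the daily traffic reports mentioned above expose.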
- Significant security events/incidents for March, 2007 include:
- 20070306(java) -- received a complaint "For several days now
someone at U. Waterloo has been running a Java script against the
[edit] public web servers at rates sometimes well over 10
requests per second" and the remote site blacklisted several local
systems. Bad programming, but the user just moved to another system. A
bit of a struggle to find the fellow. One ought to be careful when
"network programming" and especially so when grabbing information from
public pages. You can have an effect on others.
- 20070314(minUWet) -- one AV vendor, briefly, identified "minUWet"
as malware. AV tools have problems -- it's only a heuristic that programs
reading parts of the registry may be malware.
- 20070322(psybnc) -- identified a psybnc proxy IRC service (often installed by hackers). Another guest account with a poor password used by bad guys.
- 20070327(botnet) -- alarmed excessive scanning by a web server (DOS attacks). Turns out to have been a compromise of the webCalendar application -- trivial to get the application to run PHP code of the hacker's choice (and to get a shell, etc.). IRC botnets installed. Snort alerts updated to include a signature for the webCalendar exploit.
- 20070328(ddos) -- Network Services noted a DOS attack against a local Mac that pinned the external router. Not sure what was going on. We ought to have noticed traffic reports showing excessive flows to the machine (but we're dealing with excessive flows from another site).
- 20070330(scanning) -- Linux mail server observed scanning ports
for MS vulnerabilities. We suspect a compromised account (we alarmed
webCalendar but that seems to be trolling). System manager is
investigating remote logins -- last login reports are often the first
place to look.
It's been a pretty quiet month.
Of the alarms generated most are about external attacks -- VNC, Solaris-Telnet, SSH and FTP -- and not internal problems.
We see continued problems with systems that aren't patched or firewalled and users who fail to heed advice presented.
- Significant events in April, 2007:
- 20070410(ssh) -- ssh scanning activity on local Unix system
observed. Dumb password compromised by Romanians.
- 20070410(nat) -- off-site but interesting. We were alarming VNC
scanning activities from a NAT gateway of a major Unix vendor. Took
them ages to find the infected system. We have a similar problem with
a local site using NAT -- poor logs means it's hard to track things.
- 20070412(bittorrent) -- excessive usage (data transferred/day), turned
out to be BitTorrent. These peer-peer applications are terrible
bargains. The user explained the excessive usage by saying they had
downloaded a "big" file. Without knowing about BitTorrent, the explanation
made no sense -- usage was dominated by data sent, not received.
- 20070416(pop3) -- excessive scanning. Turned out to be a
dictionary attack on the pop3 service. I expect to see more of that.
- 20070417(id-theft) -- a student had her hotmail account compromised where she stored all sorts of sensitive information wrt. school here. Her Quest account compromised and all sorts of malicious stuff. Currently in the hands of campus cops.
Finally, you'll note that alarms have been dominated by VNC
scans. I've disabled the alarm (scans continue of course) and will
take the issue to CNAG with a proposal to block/limit the service.
- My blotter of significant events in May
- 20070507 (spam) -- a php injection on a very poorly written web
page that allowed a spammer to exploit a local web server. That had me
spend some time chasing php injection attacks in snort logs -- there's
a ton out there. Some new snort signatures to capture more. You could
have a full time job chasing down malicious content discovered in
these injections.
- 20070510(botnet) -- we had a botnet infection on resnet. Chased the server and tools it was instructing sites to down load. Snort is getting very good at detecting these.
- 20070517(postcard) -- I got one of those postcard.exe mail
messages. Complained to hosting site. Often times these sites hosting
php injections, postcard.exe and other malicious content are
compromised systems -- they appreciate the notification. Sometimes
they're bad guys...
A pretty quiet month. You will note the VNC attacks. These were
happening with such rapidity that they were getting in our way. We're
not alarming them but they're still happening.
- My blotter of significant security issues in June includes:
- 20070606(web) -- odd UDP scanning observed on the info web server.
Investigations discovered perl scripts running under the userid of the web
server. Clearly a web compromise where the hacker was able to inject code.
We were not able to identify how. We believe we have a vulnerability that
can be exploited.
- 20070610(fix) -- we observed SSH scanning behaviour from a system on net 109
(that's the IST client-only network where workstations like mine live).
Turned out to be a system being fixed in the hardware lab. Techs trying to
recover data while they fixed a machine managed to infect their own system. A
couple of observations -- leaving machines running over night (over the
weekend especially) can be a bad idea; fixing infected machines is hard and
should be done in a very controlled environment with lots of firewall
controls (cf. fellows on the bomb squad are sometimes blown up).
- 20070614(web) -- we observed a web server with excessive outbound flows to
port 80. We suspect a PHP injection where a local system was being used to
attack others. Site has not been able to figure out what happened. We
suspect they have a vulnerability that can be exploited.
Finally, I've been spending quite a bit of time on PHP injection attacks --
tracking them, tuning snort sigs, etc. These days PHP injection attacks tend
to come from infected web servers. See the SANS diary story about MPACK
in SANS/ISC Diary. I'm worried.
Otherwise a pretty quiet month. As always our alarms are dominated by folks
attacking us. We did run into an infection with a new IRCbot, and have
submitted updates for snort sigs.
- My blotter of significant security events in July includes
- 20070703(ssh) -- detected ssh scan by local system. Dual boot PC with Unix
'root' password. See best advice re: SSH in our Vulnerability Note (2005/11/17).
- 20070703(dos) -- udp scan observed at web server. Perlbot found, suspect Web
PHP injection but little information discovered. Vulnerability persists.
- 20070706(skype) -- skype observed, many alarms/escalations ignored. DNS data in
error -- notices went to the wrong people. Accurate DNS is a fundamental requirement.
When an escalation notice crosses your desk -- please act.
- 20070711(perlbot) -- udp/dos observed at web server. Perlbot found, suspect
PHP injection but little information discovered (anyone know how to read an
image of a running perl process on Solaris?). Vulnerability persists.
- 20070715(ssh) -- detected ssh scan by local system. Dumb default password on
"oracle" userid on system being built. Keep test/dev systems isolated.
- 20070725(scan) -- port 80 scanning of local systems by local systems.
Detected at black-hole networks routed to campus gateway. Suspect local user
treading where they ought not.
A fairly quiet month. The PHP injections disturb me; dumb passwords and SSH
scanning persist (human nature).
- Significant events in August, 2007 include:
- 20070801(logs) -- kiwi application logging userid & password in logs
available on the web. Vulnerability note posted, work on CAS Web SSO
underway, etc.
- 20070813(spam) -- a user with a dumb password on a Unix mail server was found
by spammers. Spammers used myuwaterloo.ca mail interface to send Nigerian
scams (oddly enough, spammers were in Nigeria). If you support local Unix
passwords you need to crack your password file for dumb passwords. Better
yet, disable local passwords and integrate authentication with Nexus and/or
ADS using Kerberos.
- 20070815(vnc) -- FYI -- we stopped alarming VNC traffic, we are overburdened
with the number of alarms.
- 20070817(priv) -- some sites locally are supporting VPN's (Virtual Private
Networking -- ie. tunnelling) using private network numbers at this end.
Those private numbers are escaping onto the net and that's causing problems.
We're of the opinion that RDP is good enough and there's no need, for most
users, to add VPN's.
- 20070817(theft) -- stolen laptop reappears on wireless, handed over to campus
police.
- 20070820(rdp) -- several sites noted excessive RDP attacks amounting to DOS.
A firewall at the gateway could catch and stop scanning activity
like that.
And I've been spending a lot of time chasing PHP injection attacks.
All in all, a pretty quiet month. And still pretty quiet this first week of
school with residences full of new systems.
- Significant security events in September, 2007 include:
- 2007/09/04(smtp) -- Alarmed significant SMTP scanning activity from a
workstation; we believe it was an instance of the "Storm Worm". Excessive
E-donkey alarms (also observed) are an indication of the Storm Worm. On
resnet and the wireless, systems are automatically ejected. This was not one
of those. I wanted the system removed from the net, the site wanted to isolate
it with a firewall. We argued about the appropriate response. BTW: I
expected to see many more instances of the "Storm Worm"; I'm surprised how
few we've seen.
- 2007/09/04(ssh) -- SSH scanning activity alarmed. Another one of those Unix
systems where the system manager (a grad student?) set a dumb password. (Had
another one this week where another local system was SSH scanning others --
we alarmed 3,000,000 alerts between 2:30am and normal working hours. You can
find dumb passwords if you can scan from a high speed site like ours).
- 2007/09/06(copyright) -- a complaint about a site copying material holus
bolus and posting on their site. We are a University and we value
intellectual property rights.
- 2007/09/0(psybnc) -- observed an odd psyBNC server on a local
system. psyBNC servers are IRC relays that hackers use to hide their
tracks. This one has a novel banner designed to escape current snort
sigs. I've never seen one installed by anyone other than a
hacker. Site waved off the problem with a vague explanation but I
persisted. Support staff called in from the computing facility are still
investigating; we assume another dumb password but there might be more
going on.
- 2007/09/21(ssh) -- SSH scanning activity alarm. Another one of those Unix
systems where the system manager (a club system run by students) set a dumb
password.
- 2007/04/24(dos) -- UDP DOS launched from a Unix web server. This repeats an
earlier issue on same system and we're still chasing the problem (caught a
compromise in progress yesterday on same system). I'm confident this is a
PHP injection where a botnet is installed. Have been chasing PHP botnets for quite
a while and have developed sigs for some of the new ones which might be
involved.
- 2007/09/27(stolen) -- stolen laptop reported. We monitor wireless for MAC
addresses of stolen laptops reported to us -- rang an alarm last night on
this one and have passed information on to campus police.
Clearly SSH scanning activities (not blocked at the gateway) and dumb
passwords continue as a major problem.
There were a lot of repeated alarms on residence users -- at the request of
Resnet we didn't eject unpatched machines for the first week or so. But
there weren't that many systems that had problems. Most kids seem to have
XP/SP2 or Vista where the firewall is in place.
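The August and September theft items describe the wireless watch for stolen-laptop MAC addresses, and the October one notes that the hard part is getting a usable MAC from the owner at all. This is an added example, not the NAA monitoring IST runs; the association log format ("timestamp ap event key=value ..."), the theft-report list and every MAC in it are constructed here. The one thing it demonstrates that a plain string match would get wrong is normalization: the same address shows up as 00:1B:63:AA:BB:CC, 00-1b-63-aa-bb-cc or Cisco-style 001b.63aa.bbcc depending on who wrote it down and which device logged it.

```python
"""Match wireless association logs against a watch list of stolen-laptop MACs.
Added example; the reports and log lines below are constructed."""
import re

# Colon/dash separated (six pairs) or Cisco dotted (three quads), any case.
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b",
    re.IGNORECASE,
)


def normalize_mac(text):
    """Return the address as 12 lowercase hex digits, or None if it is not a MAC."""
    stripped = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", stripped):
        return None
    return stripped


def load_watchlist(reported):
    """Normalize the MACs from theft reports; entries that are not a MAC at all
    (a common problem with reports) are dropped rather than silently never matching."""
    watch = {}
    for mac, note in reported:
        key = normalize_mac(mac)
        if key:
            watch[key] = note
    return watch


def parse_assoc(line):
    """Constructed log format: 'timestamp ap event rest...'.  Returns
    (timestamp, ap, event, [normalized MACs found in rest]) or None."""
    parts = line.split(None, 3)
    if len(parts) < 4:
        return None
    stamp, ap, event, rest = parts
    macs = [normalize_mac(m) for m in MAC_RE.findall(rest)]
    return stamp, ap, event, [m for m in macs if m]


def watchlist_hits(lines, watch):
    """Return (timestamp, ap, mac, note) for every log line naming a watched MAC."""
    hits = []
    for line in lines:
        parsed = parse_assoc(line)
        if not parsed:
            continue
        stamp, ap, _event, macs = parsed
        for mac in macs:
            if mac in watch:
                hits.append((stamp, ap, mac, watch[mac]))
    return hits


# Constructed theft reports: one real MAC (in dash form), one unusable report.
SAMPLE_REPORTS = [
    ("00-1B-63-AA-BB-CC", "laptop reported stolen 2007/09/27"),
    ("not-a-mac", "incomplete report"),
]
# Constructed association log: same MAC in colon and Cisco form, a near miss,
# and a malformed line.
SAMPLE_LOG = [
    "2007-09-27T23:14:02 ap-mc-3f assoc client=00:1b:63:aa:bb:cc ssid=uw-wireless",
    "2007-09-27T23:14:05 ap-dc-2 assoc client=00:1B:63:AA:BB:CD ssid=uw-wireless",
    "2007-09-28T08:02:11 ap-slc-1 roam  client=001b.63aa.bbcc ssid=uw-wireless",
    "malformed line",
]

if __name__ == "__main__":
    for stamp, ap, mac, note in watchlist_hits(SAMPLE_LOG, load_watchlist(SAMPLE_REPORTS)):
        print(f"ALARM {stamp} {ap}: {mac} ({note})")
```

Both the colon-form and the Cisco-form sightings alarm; the near-miss address ending in CD does not. Keeping the watch list keyed on the normalized form is also what lets a report typed from a sticker on the laptop match what the access point logs.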
- Significant security events for October 2007:
- 20071001(brute-web) -- bad python code by a student ended up looping on a
registration page. Site affected noted it as an attack, it was a mistake.
- 20071002(ftp) -- brute force dictionary attack on ftp noted by local site (we
alarm these but cannot block them). User reports their web page keeps
getting replaced -- by the hacker who discovered the dumb password using
ftp!
- 20071002(php) -- php injection attack against web server. Monitored for
strange process, found and caught the attack. See discussion in our Position Paper (2007/09/26).
- 20071002(ssh) -- local system ssh scanning (+excessive traffic). Another Unix
system with an account where userid=password. Really dumb.
- 20071002(tor) -- tor anonymizing server (see their home page) used in php injection attack
above found at local club site. Shutdown.
- 20071011(jobmine) -- copyright material lifted from jobmine and posted at
another public site in Korea. Still chasing that, have finally got a
response back.
- 20071012(crack) -- we cracked ADS passwords and found a ton of dumb ones.
Processes now in place to crack and notify each month.
- 20071015(stolen) -- 2 laptops stolen from residence rooms. We monitor NAA's
for stolen MAC's, finding the MAC address can be hard. Nobody ever records
theirs until it's too late. See best advice in our Howto Advice (2007/02/16).
- 20071015(vnc) -- we got a note from an off-site location who noted a VNC scan
coming from us. Have updated our snort alarms to catch that.
- 20071028(lib) -- harassing anonymous mail sent from public access workstation
in library. These are awfully hard to track.
- 20071030(phpbb) -- phpBB compromise on club system used to send spam. Old
version of phpBB installed. The club caught the problem but has not provided
any information -- logs, etc. -- so we can complain about the attackers. I
assume a php injection attack.
- 20071030(stolen) -- another stolen laptop from residence.
- 20071031(stolen) -- another stolen laptop. Student napping in MC 3rd floor
lounge. Finding the MAC address is a struggle. Student had been blacklisted
for over a year and was using another person's userid/password! Doubly dumb.
Clearly a lot of laptops went missing. We did catch one that came onto the
wireless.
Life would be much better if attackers were blocked at the gateway when
detected. Dumb passwords are easy to find if you can brute force for a long
time. We ought to be able to detect and block the attack.
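The August spam item says that anyone supporting local Unix passwords needs to crack their own password file for dumb passwords, and the October items (userid=password, the monthly ADS crack) and the December 'postgres' item show the patterns that keep turning up. The script below is an added example of that self-audit, not the tool IST uses for ADS; it assumes a constructed account file format ("user:salt:pbkdf2-sha256-hex:shell") rather than real crypt(3) or NT hashes, uses a deliberately tiny guess list (the userid itself, userid plus 123, a handful of defaults), and also applies the December advice that support accounts should have impossible shells. It runs entirely against the constructed entries it builds itself.

```python
"""Audit your own account file for the dumb passwords and loose service accounts
this summary keeps running into.  Added example; the file format, guess list and
sample accounts are constructed, not a real shadow or ADS dump."""
import binascii
import hashlib
import hmac

DUMB_WORDS = ("password", "test", "test123", "changeme", "123456", "letmein")
SERVICE_ACCOUNTS = {"postgres", "oracle", "mysql", "www-data"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
ITERATIONS = 1000   # low on purpose so the example runs quickly


def make_hash(password, salt):
    """PBKDF2-SHA256 hex digest; stands in for whatever hash your system stores."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return binascii.hexlify(raw).decode()


def candidates(user):
    """The guesses that found most of the 2007 compromises, with a label for each."""
    yield user, "userid=password"
    yield user + "123", "userid+123"
    for word in DUMB_WORDS:
        yield word, "dictionary"


def audit_accounts(entries):
    """Return (user, finding) pairs.  An account can produce more than one finding."""
    findings = []
    for entry in entries:
        user, salt, digest, shell = entry.split(":")
        if not digest:
            findings.append((user, "empty password"))
            continue
        if user in SERVICE_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            findings.append((user, "service account with login shell"))
        for guess, reason in candidates(user):
            if hmac.compare_digest(make_hash(guess, salt), digest):
                findings.append((user, f"weak password ({reason})"))
                break
    return findings


def sample_entries():
    """Constructed accounts: one sane user, a 'test' account with userid=password,
    a postgres account with both a dumb password and a real shell, an account
    with no password at all, and a properly locked-down oracle account."""
    return [
        f"alice:s1:{make_hash('Tr0ub4dor&3!x', 's1')}:/bin/bash",
        f"test:s2:{make_hash('test', 's2')}:/bin/bash",
        f"postgres:s3:{make_hash('postgres', 's3')}:/bin/sh",
        "backup:s4::/bin/sh",
        f"oracle:s5:{make_hash('Xk9#pQ2!vL', 's5')}:/sbin/nologin",
    ]


if __name__ == "__main__":
    for user, finding in audit_accounts(sample_entries()):
        print(f"{user}: {finding}")
```

Four findings come back (test, postgres twice, backup); alice and oracle pass. The useful habit is running this kind of check on a schedule, as the October item describes for ADS, and treating "service account with login shell" as seriously as a cracked password: the 'postgres' and 'oracle' incidents above were both accounts nobody thought of as logins.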
- Significant security events tracked in November, 2007
- 20071101(storm) -- port 25 scanning, UDP traffic, probable storm worm. We
have a lot of storm worm alarms but I've not got a good handle on how to
process them.
- 20071107(stolen) -- another laptop stolen from library. Students are far
too trusting that their laptop will still be there when they walk away.
- 20071107(vnc) -- port 5900 (VNC) scanning by local system. IRC botnet C&C
in China. It would help if folks kept track of the malware identified during
a clean up. The user reported the .exe and I was able to track that as an
IRCbotnet, then from flowdata was able to identify the server.
- 20071116(passwd) -- false alarm. User left town with a lab machine
connected to the wireless. Wondered who was using his password when we raised alarms on the system.
- 20071116(sql) -- student identifies an SQL injection vulnerability in a
local application. Many thanks for letting us know.
- 20071116(xss) -- student identifies Cross Site Scripting vulnerability in
Angel. Vendor fix provided.
- 20071119(spam) -- spamming of president.
- 20071123(php-spam) -- port 25 scanning, turns out to be a PHP compromise
(injection)
- 20071125(web-scanning) -- excessive scanning from two club machines,
turns out to be a poorly written script for some "Stats class". Scanning
should not be done without the permission of those scanned.
A pretty quiet month.
- My blotter of significant security events in Dec, 2007:
- 20071202(dns) -- accurate DNS data, especially contacts, is essential. We had
a site with two similarly named systems. One was an orphan that the listed
contact no longer knew about. Check DNS name and IP numbers carefully during
any incident response -- you might be looking at the wrong system.
- 20071217(storm) -- probable Storm Worm. System with lots of infections -- I'm
surprised at how tolerant folks are of obviously infected systems. I'd
recommend that you periodically do a full scan with SAV especially on lab
machines, those managed by students, etc. And over the holiday there were
lots of "greeting card" instances of the Storm Worm.
- 20071218(scan) -- a couple of residence systems scanning for port
135 on non-routable nets (192.168.*), no details on what they were up
to.
- 20071218(ssh) -- ssh scanning detected. IRCbotnet connection discovered. Dumb password
on userid 'postgres'. All support accounts should have passwords, impossible
shells, deny controls, etc. to control access.
- 20071218(trojan) -- OS/X system infected with a version of the FreeVideo
Trojan. Be careful about letting your kids have access to your system (of
any flavor) and teach them to not be suckered by "free" software from
untrusted sites.
Over the holiday period it was pretty quiet (thankfully). We did have lots
of SSH scans -- every system at 202.28.7.* attacked us on Dec 22 ... weird.
Did you turn off your workstation before leaving for the vacation?
Finally, if you have any questions/concerns or need
help please let us know.
I am,
Reg Quinton, Senior Technologist, Security (IST)
+1 519 888-4567x36070