CERT Coordination Center 1997 Annual Report

Annual Report

A report highlighting CERT Coordination Center activities and services in 1997, including incident response, analysis, training, and community support.

Publisher

Software Engineering Institute

Abstract

From January through December 1997, the CERT/CC received 39,626 email messages and 1,058 hotline calls reporting computer security incidents or requesting information. We received 326 vulnerability reports and handled 2,134 computer security incidents during this period. More than 146,484 sites were affected by these incidents.

Some of the most serious intruder activities reported to the CERT/CC in 1997 were:

  • IMAP attacks
    Throughout the year, we received reports of IMAP attacks. Intruders launched (and continue to launch) large-scale, automated scans against many networks, identifying many potentially vulnerable systems. Successful IMAP attacks enable intruders to gain root-level access (super-user privileges). The CERT/CC wrote an advisory on the problem (CA-97.09). We also issued a special edition CERT Summary, CS-97.04, concerning this problem.
  • Denial-of-service attacks
    This year we received more frequent and varied reports of denial-of-service attacks. Intruders are exploiting vulnerabilities addressed in various CERT advisories, and are using IP spoofing to hide the origin of the attacks. We published "Denial of Service," a tech tip that provides an overview of denial-of-service attacks and information that may help you respond to them.

    Additionally, we received reports of denial-of-service attacks that are the result of an intruder creating a "UDP packet storm" either on a single system or between two systems. An attack on one host causes that host to perform poorly. An attack between two hosts can cause extreme network congestion in addition to adversely affecting host performance.
  • cgi-bin exploits
    CGI scripts continue to be exploited in 1997 as they were in 1996. The most frequently reported exploitation attempts involve the "phf" program. Intruders continue to use widely available "phf" exploit scripts to attempt to obtain a copy of the /etc/passwd file. Fortunately, many of the reported attempts are unsuccessful. However, intruders are now exploiting "phf" to execute a broad range of commands. As a result, they are able to add or modify files and create terminal windows.

    In addition, "php" is being exploited. Similar attacks may succeed against other CGI scripts if the scripts are written without appropriate care regarding security issues. The cause of the problem is not the CGI scripting language (such as Perl or C) but how the script is written. Advisories about CGI scripts include CA-96.06, CA-96.11, CA-97.07, CA-97.12, CA-97.24, and CA-97.25.
  • Attacks against news servers
    This year, there were widespread, large-scale attacks on NNTP (Network News Transport Protocol) servers throughout the world. NNTP servers are commonly referred to as USENET news servers. Because of increased attacks, we published an advisory (CA-97.08) and a special edition CERT Summary CS-97.02.

    The activity involves an attempt to exploit a vulnerability in versions of INN (InterNetNews) prior to 1.5.1. INN is a commonly used software program for serving and managing news according to the NNTP protocol. This vulnerability allows remote users to execute arbitrary commands on the news server with the same privileges as the user-id that manages the news server.
  • Root compromises
    In 1997, we continued to receive daily reports of sites that have suffered root compromises. Many of these compromises can be traced to systems that are unpatched or misconfigured, which the intruders exploit using well-known vulnerabilities for which CERT advisories have been published. In the fourth quarter of 1997, 13% of the incidents reported to the CERT/CC involved root compromises.
  • Linux exploits
    We continue to see incidents in which Linux machines have been the victims of root compromises. In many of these incidents, the compromised systems were unpatched or misconfigured, and the intruders exploited well-known vulnerabilities for which CERT advisories and Linux newsgroup posts or announcements have been published.
  • Increased exploitation of IRIX buffer overflows
    Buffer overflow vulnerabilities on IRIX systems are being exploited in many incidents reported to the CERT/CC. These vulnerabilities are described in a 1997 CERT advisory (CA-97.21). Vulnerable programs discussed in the advisory include df, pset, eject, login/scheme, ordist, and xlock.
  • Increased use of IRC in root compromises
    We received numerous reports that intruders are compromising machines at the root level and then installing Internet Relay Chat (IRC) clients or servers. We published an Intruder Detection Checklist that allows you to check for signs of compromise.
Part of a Collection

CERT Annual Reports 1994-2010

Cite This Annual Report

@techreport{Citekey_1998,
author={Software Engineering Institute},
title={CERT Coordination Center 1997 Annual Report},
month={Jan},
year={1998},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://www.sei.cmu.edu/library/cert-coordination-center-1997-annual-report-summary/},
note={Accessed: 2026-May-21}
}

Software Engineering Institute. "CERT Coordination Center 1997 Annual Report." Carnegie Mellon University, Software Engineering Institute's Digital Library. Carnegie Mellon's Software Engineering Institute, January 27, 1998. https://www.sei.cmu.edu/library/cert-coordination-center-1997-annual-report-summary/.