MS-023.032001: MyCERT Summary
Original Issue Date: 14th March 2001
Each quarter, MyCERT issues the MyCERT Summary to highlight the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.
From the end of the year 2000 holidays until early March 2001, we have continued to receive reports of compromises via well-known vulnerabilities: the Windows NT IIS 4.0 Unicode and RDS vulnerabilities, and the recently discovered wu-ftpd vulnerability on Linux. Notable virus activity includes the W32/Hybris and MTX worms.
The exploits have mainly targeted web servers, with web defacement as the motive. The next most common targets are UNIX servers of any kind, used to run eggbots and IRC proxies. Signs of intrusion range from added user IDs to rootkit binaries.
Below are the most common exploits that are still prevalent on many servers in this region:
1. IIS 4.0 Web Defacement
MyCERT has observed that the most common IIS 4.0 web defacements exploit unpatched Microsoft Data Access Components (MDAC), which are commonly installed by default. This exploit can be carried out despite a firewall being in place, since it travels over TCP port 80, which is more often than not open for web access.
Microsoft Data Access Components (MDAC) is a package used to integrate web and ODBC data access services. It includes a component named Remote Data Services (RDS). RDS allows remote access over the Internet to database objects through IIS. Both are included in a default installation of the Windows NT 4.0 Option Pack. This is an old exploit, discussed as early as April 22, 1998 in the CERT/CC Incident Notes, which provide links to:
To detect such attacks, log review is necessary. For IIS 4.0, the logs can be retrieved from the following directory:
The signs of intrusion will be similar to the following:
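The advisory's own log excerpt is not reproduced here. As an added example (not MyCERT's code), the script below reads IIS 4.0 logs in W3C extended format and flags the two request patterns this summary is concerned with: hits on the RDS DataFactory endpoint (/msadc/msadcs.dll, the MDAC component named above) and the overlong UTF-8 sequences used by the IIS Unicode traversal. The log lines are constructed samples; the field order and the 192.0.2.x / 198.51.100.x addresses are assumptions.

```python
import re

# Constructed sample of IIS 4.0 W3C extended log lines (not taken from the advisory).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-02-10 03:14:07 192.0.2.10 GET /default.htm - 200
2001-02-10 03:14:09 192.0.2.10 POST /msadc/msadcs.dll - 200
2001-02-10 03:15:11 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-02-10 03:16:02 192.0.2.10 GET /index.htm - 304
"""

# One rule per exploit class named in the summary, keyed by the trace it leaves in cs-uri-stem.
RULES = {
    # RDS DataFactory endpoint installed with MDAC / the NT 4.0 Option Pack; any hit merits review.
    "mdac-rds": re.compile(r"^/msadc/msadcs\.dll$", re.I),
    # Overlong UTF-8 encodings of '/' and '\' (e.g. %c0%af) used in the IIS Unicode traversal.
    "iis-unicode-traversal": re.compile(r"%c[01]%[0-9a-f]{2}", re.I),
}


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed rows rather than guess at column alignment
        yield dict(zip(fields, values))


def scan_iis_log(text):
    """Return one alert per request whose URI stem matches a rule, in log order."""
    alerts = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        for name, pattern in RULES.items():
            if pattern.search(stem):
                alerts.append({"rule": name, "c-ip": rec.get("c-ip"),
                               "status": rec.get("sc-status"), "uri": stem})
    return alerts


if __name__ == "__main__":
    for a in scan_iis_log(SAMPLE_LOG):
        print(f"{a['rule']:<22} {a['c-ip']:<15} {a['status']} {a['uri']}")
```

A 200 status on the RDS endpoint from an unfamiliar client is the case to investigate first, since it means the request was served rather than rejected.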
Users of IIS 4.0 are urged to remove the services if they are not required, or to apply the patch. More information on how to secure or disable the MDAC service is available at:
Enhance the security of your NT server; please refer to these links for guidelines:
2. Multiple Linux platform exploits
We have also seen growing numbers of three similar exploits on multiple Linux platforms: the wu-ftpd remote format string stack overwrite vulnerability, the multiple Linux vendor rpc_statd remote format string vulnerability, and the multiple server LPRng user-supplied format string vulnerability. The vulnerabilities allow a remote user to gain root access to the server merely via anonymous FTP.
Those supporting multiple Linux platforms are advised to refer to the following advisories for upgrades and configuration fixes.
Wu-Ftpd Remote Format String Stack Overwrite Vulnerability
Multiple Linux Vendor rpc_statd Remote Format String Vulnerability
Multiple Server LPRng User-Supplied Format String Vulnerability
3. W32/Hybris and MTX Worm
MyCERT has received continuous reports of the Hybris and MTX worms, which upon execution send a copy of themselves as an email file attachment. Some of the reports indicated degradation in network performance.
For information on how to prevent or recover from W32/Hybris and MTX worm infection, please see:
CERT Incident Note: Open mail relays used to deliver "Hybris Worm"
MA-023.102000 : MTX Worm
More information on the above viruses is available from the respective vendors at the following link:
End users are advised to practise safe email use and to configure Outlook Express so that their machines do not become worm handlers. More information is available in the following FAQ:
Last Update April 19, 2001