[aru-ufmg] RE: [SECURITY-L] Attack against AIX servers

  • From: Luiz Carlos Pereira de Freitas <lfreitas@xxxxxxxxxxxxxxxxxxxxx>
  • To: "'aru-ufmg@xxxxxxxxxxxxx'" <aru-ufmg@xxxxxxxxxxxxx>
  • Date: Mon, 28 Jan 2002 08:59:45 -0300

Fabio,
 Thank you for the information.

Regards,
Luiz Carlos.

-----Original Message-----
From: fabior@xxxxxxx [mailto:fabior@xxxxxxx]
Sent: Saturday, January 26, 2002 20:27
To: aru-ufmg@xxxxxxxxxxxxx
Subject: [aru-ufmg] [SECURITY-L] Attack against AIX servers



Luiz,

Maybe this is interesting for you. And for anyone else who uses AIX
here...;-)

Cheers,

Fabio Rodrigues
fabior@xxxxxxx

----- Original Message -----
From: "Daniela Regina Barbetti" <daniela@xxxxxxxxxxxxxxxx>
To: <security-l@xxxxxxxxxx>
Cc: <uni-adm@xxxxxxxxxxxxxxxx>
Sent: Thursday, January 24, 2002 14:06
Subject: [SECURITY-L] Attack against AIX servers


Dear Administrators,

   Please read this alert from CAIS/RNP and urgently update
   the AIX machines under your responsibility.


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais@xxxxxxxxxxx> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais@xxxxxxxxxxx>
Subject: CAIS-Alerta: Attack against AIX servers
To: <rnp-alerta@xxxxxxxxxxx>, <rnp-seg@xxxxxxxxxxx>,
<pop-tech@xxxxxxxxxxx>
Cc: Centro de Atendimento a Incidentes de Seguranca <cais@xxxxxxxxxxx>
Date: Thu, 24 Jan 2002 13:24:22 -0200 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----


Dear all,

CAIS was notified today of two successful attacks against RNP AIX
servers.

We ask everyone responsible for AIX servers to update their systems
and to stay alert to intrusion attempts. Any suspicious activity
should be reported to CAIS.

Note that in October 2001 CAIS published an alert about a series of
vulnerabilities and attack tools involving the AIX platform. Reading
that alert is strongly recommended; it is available at:

http://www.rnp.br/cais/alertas/2001/cais-ALR-23082001.html

Attached is the alert released by IBM, dealing with this same subject,
available at the following URL:

http://www.cert-rs.tche.br/listas/infoseg/msg00696.html

CAIS has enough information to believe that the attacks are being
carried out in an automated fashion, which means the fixes must be
applied *urgently*.

Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais@xxxxxxxxxxx     http://www.cais.rnp.br                  #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################


Date: Fri, 24 Aug 2001 15:37:02 -0400
From: IBM MSS Advisory Service <advisory@xxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject: IBM AIX Security Notification: Web site defacements

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -----BEGIN PGP SIGNED MESSAGE-----

IBM AIX Security Notification

Wed, 22 August 2001, 13:50:04 CDT


Over the last few days, the IBM AIX Security Team has become aware of
a hacker group that has been targeting systems running the AIX operating
system, breaking into these systems, and defacing web sites on those
systems.

The tools being used to accomplish the breakins appear to be those
principally written by a Polish hacking crew using the name "Last
Stages of Delirium". Similar tools that take advantage of the same
vulnerabilities are available from elsewhere, too.

We have researched as many as we have been aware of software tools that
are being used to see if any of the vulnerabilities have or have not been
closed under AIX.

So far, we have determined that all of the vulnerabilities these tools
exploit have been fixed by IBM, dating back to 1996. APARs for all of
the vulnerabilities have been available to customers.

Here is a listing of the exploits we know of being used to gain access
to AIX systems during the recent attacks and the AIX version numbers
and APAR numbers associated with the fix for that version:

1. chatmpvc, mkatmpvc, rmatmpvc        4.3, APAR #IY08128
                                       4.2, APAR #IY08288

2. digest                              4.3, APAR #IX74599
                                       4.2, APAR #IX76272
                                       4.1, APAR #IX74457

3. dtaction                            4.3, APAR #IY02944

4. dtprintinfo                         4.3, APAR #IY06367
                                       4.2, APAR #IY06547

5. ftpd                                4.3, APAR #IY04477
                                       4.2, APAR #IX85556
                                       4.1, APAR #IX85555

6. nslookup                            4.3, APAR #IY02120
                                       4.3, APAR #IX9909

7. pdnsd                               Associated product out of service;
                                       Customers advised to disable
                                       and/or uninstall.

8. rpc.ttdbserverd                     4.3, APAR #IX81442
                                       4.2, APAR #IX81441

9. piobe, piomkapqd                    4.3, APAR #IY12638

10. portmir                            4.3, APAR #IY07832

11. sdrd                               SP systems only;
                                       4.3, APAR #IX80724

12. setsenv                            4.3, APAR #IY08812

13. telnetd                            E-fix available;
                                       4.3, IY22029
                                       5.1, IY22021

Affected customers are urged to upgrade the level of their AIX operating
systems and/or apply the APARs listed above to protect their systems.








----- End forwarded message -----

_______________________________________________
SECURITY-L mailing list
http://obelix.unicamp.br/mailman/listinfo/security-l


*******************************************************************
Subscribe List:
mailto:aru-ufmg-request@xxxxxxxxxxxxx?subject=subscribe
Unsubscribe List:
mailto:aru-ufmg-request@xxxxxxxxxxxxx?subject=unsubscribe
Archives:
http://www.freelists.org/archives/aru-ufmg/
*******************************************************************
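
One way to check a host against the APAR list in the IBM notification above, as an added example (not part of the original messages and not IBM's own tooling). It assumes the AIX `instfix` and `oslevel` commands are present and that `instfix -ik` prints "All filesets for <APAR> were found." when a fix is completely installed; APAR numbers, including IX9909, are copied as printed in the advisory.

```shell
#!/bin/sh
# Added example. Table transcribed from the IBM notification quoted above:
# AIX level, APAR, affected component. pdnsd has no APAR (disable/uninstall).
APAR_TABLE='4.3 IY08128 chatmpvc/mkatmpvc/rmatmpvc
4.2 IY08288 chatmpvc/mkatmpvc/rmatmpvc
4.3 IX74599 digest
4.2 IX76272 digest
4.1 IX74457 digest
4.3 IY02944 dtaction
4.3 IY06367 dtprintinfo
4.2 IY06547 dtprintinfo
4.3 IY04477 ftpd
4.2 IX85556 ftpd
4.1 IX85555 ftpd
4.3 IY02120 nslookup
4.3 IX9909 nslookup
4.3 IX81442 rpc.ttdbserverd
4.2 IX81441 rpc.ttdbserverd
4.3 IY12638 piobe/piomkapqd
4.3 IY07832 portmir
4.3 IX80724 sdrd(SP-only)
4.3 IY08812 setsenv
4.3 IY22029 telnetd
5.1 IY22021 telnetd'

# Print "APAR component" for every row the advisory lists for one AIX level.
apars_for_level() {
    printf '%s\n' "$APAR_TABLE" | awk -v lvl="$1" '$1 == lvl { print $2, $3 }'
}

# Print the rows whose APAR instfix does not report as completely installed.
# Assumption: success is the line "All filesets for <APAR> were found."
missing_apars() {
    apars_for_level "$1" | while read -r apar component; do
        instfix -ik "$apar" </dev/null 2>&1 |
            grep "All filesets for $apar were found" >/dev/null ||
            echo "$apar $component"
    done
}

# On an AIX host, reduce oslevel output (e.g. 4.3.3.0) to the advisory's level.
if command -v instfix >/dev/null 2>&1 && command -v oslevel >/dev/null 2>&1; then
    missing_apars "$(oslevel | cut -d. -f1,2)"
fi
```

An empty result means every APAR listed for that level is reported as installed; pdnsd still has to be checked by hand, since the advisory gives no fix for it.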