[SECURITY-L] Ataque contra servidores AIX

Qui Jan 24 14:06:02 -02 2002

Srs. Administradores,

   Por favor, leiam esse alerta do CAIS/RNP e atualizem 
   ugentemente as maquinas AIX sob sua responsabilidade.

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Ataque contra servidores AIX
To: <rnp-alerta em cais.rnp.br>, <rnp-seg em cais.rnp.br>,
	<pop-tech em cais.rnp.br>
Cc: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Date: Thu, 24 Jan 2002 13:24:22 -0200 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----

Prezados,

O CAIS foi notificado hoje da realizacao, com sucesso, de dois ataques
contra servidores AIX da RNP.

Solicitamos a todos os responsaveis por servidores AIX que atualizem seus
sistemas e que fiquem alertas a tentativas de invasao. Qualquer atividade
suspeita deve ser reportada ao CAIS.

Vale ressaltar que em Outubro de 2001 o CAIS publicou um alerta sobre uma
serie de vulnerabilidades e ferramentas de ataque envolvendo a plataforma
AIX.  Recomenda-se fortemente a leitura desse alerta, disponivel em:

http://www.rnp.br/cais/alertas/2001/cais-ALR-23082001.html

Em anexo esta' o alerta divulgado pela IBM, tratando deste mesmo assunto,
disponivel na seguinte url:

http://www.cert-rs.tche.br/listas/infoseg/msg00696.html

O CAIS possui informacoes suficientes para acreditar que os ataques estao
sendo realizados de forma automatizada, o que faz com que as correcoes
tenham que ser realizadas *urgentemente*.

Atenciosamente,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais em cais.rnp.br     http://www.cais.rnp.br                  #
# Tel. 019-37873300    Fax. 019-37873301                       #
# Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key #
################################################################

Date: Fri, 24 Aug 2001 15:37:02 -0400
From: IBM MSS Advisory Service <advisory em us.ibm.com>
To: BUGTRAQ em securityfocus.com
Subject: IBM AIX Security Notification: Web site defacements

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -----BEGIN PGP SIGNED MESSAGE-----

IBM AIX Security Notification

Wed, 22 August 2001, 13:50:04 CDT

Over the last few days, the IBM AIX Security Team has become aware of
a hacker group that has been targeting systems running the AIX operating
system, breaking into these systems, and defacing web sites on those
systems.

The tools being used to accomplish the breakins appear to be those
principally written by a Polish hacking crew using the name "Last
Stages of Delirium". Similar tools that take advantage of the same
vulnerabilities are available from elsewhere, too.

We have researched as many as we have been aware of software tools that
are being used to see if any of the vulnerabilities have or have not been
closed under AIX.

So far, we have determined that of all the vulnerabilties these tools
exploit have been fixed by IBM, dating back to 1996. APARs for all of
the vulnerabilities have been available to customers.

Here is a listing of the exploits we know of being used to gain access
to AIX systems during the recent attacks and the AIX version numbers
and APAR numbers associated with the fix for that version:

1. chatmpvc, mkatmpvc, rmatmpvc        4.3, APAR #IY08128
                                       4.2, APAR #IY08288

2. digest                              4.3, APAR #IX74599
                                       4.2, APAR #IX76272
                                       4.1, APAR #IX74457

3. dtaction                            4.3, APAR #IY02944

4. dtprintinfo                         4.3, APAR #IY06367
                                       4.2, APAR #IY06547

5. ftpd                                4.3, APAR #IY04477
                                       4.2, APAR #IX85556
                                       4.1, APAR #IX85555

6. nslookup                            4.3, APAR #IY02120
                                       4.3, APAR #IX9909

7. pdnsd                               Associated product out of service;
                                       Customers avised to disable
                                       and/or uninstall.

8. rpc.ttdbserverd                     4.3, APAR #IX81442
                                       4.2, APAR #IX81441

9. piobe, piomkapqd                    4.3, APAR #IY12638

10. portmir                            4.3, APAR #IY07832

11. sdrd                               SP systems only;
                                       4.3, APAR #IX80724

12. setsenv                            4.3, APAR #IY08812

13. telnetd                            E-fix available;
                                       4.3, IY22029
                                       5.1, IY22021

Affected customers are urged to upgrade the level of their AIX operating
systems and/or apply the APARs listed above to protect their systems.

- - -----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQCVAwUBO4P/ewsPbaL1YgqvAQEiXwP/bwThtsNncjiuH6GWsxCR8NLM+fmGNn9x
mk8mSGUOXPzP4o+f1RuGXwxaE6YcEQktcnal5v0VtPnz0u9/Sj6D4nVtsZl+Mh/D
IMgz+ndY1NbyMjaNDxmlPAAOOXL2z3InhZ46nylCWzS7dMAnJxtN5WhnsYmkAO5d
ReTJOZ3LdzQ=
=rJ4O
- - -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBPFAnLukli63F4U8VAQHcyAP+PkNDg6qr99zHzcUWquoVrP3RT/UL7ROl
ndLZFRuSmEcpql/2MQdkuYoC6u7gHS7Y9p+UJq3SpQKWTY1OqYcx7egnZFC8Emsk
/zroE/V4X+d3j74KAJEyeiwhkyMg3RsG9KASwVzvL6sW+KimNqb9eHELDtpqpVLW
ByLJnZreuwM=
=BIdG
-----END PGP SIGNATURE-----

----- End forwarded message -----