Hopefully, none of our colleagues have exported the port of a CVS server
through their firewall. An example setup which might be likely to experience
malicious abuse would be allowing direct read-only anonymous access to a CVS
server. See attached.
Jeff
>>-----BEGIN PGP SIGNED MESSAGE-----
>>
>>A DOE site reported that one of their systems was quite likely
>>compromised through a recently announced CVS vulnerability. They
>>discovered this because a second DOE site reported seeing probes for
>>the vulnerability by several foreign IP addresses. Those IP addresses
>>and the UTC times that were seen at the second site
>>are:
>>
>>
>>The three IP addresses with "*" were also seen on the compromised
>>system at the first DOE site. The second site also reported that the
>>sequence of CVSROOT directories tried is precisely the sequence in the
>>exploit code which can be seen at
>>
>>http://packetstormsecurity.nl/0405-exploits/cvs_linux_freebsd_HEAP.c
>>
>>CIAC suggests that the DOE sites look for suspicious connections with
>>these and other IP addresses to their CVS servers. Vulnerable servers
>>can be patched according to CIAC Bulletin O-147: Linux CVS Server Heap
>>Overflow Vulnerability.
>>
>>
>>
>>________________________________________________________________________
>> The Computer Incident Advisory Capability
>>______________________________________________________________________
Jeff
__________________________________________________________
Jeffrey O. Hill Mail [email protected]
LANL MS H820 Voice 505 665 1831
Los Alamos NM 87545 USA Fax 505 665 5107
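
The quoted advisory names two signals to look for in CVS server connection records: connections from reported probe addresses, and one source trying several CVSROOT directories in quick succession. The sketch below is an added example, not part of the original message or of the CIAC advisory. The log format, the `scan` function, its thresholds, the repository paths and the addresses (documentation ranges) are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format, one pserver connection per line:
#   <ISO timestamp> <source IP> pserver root=<CVSROOT path> <result>
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) pserver root=(\S+) (\w+)$")

# Constructed sample records; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2004-06-01T10:00:01 192.0.2.10 pserver root=/repo/a rejected
2004-06-01T10:00:02 192.0.2.10 pserver root=/repo/b rejected
2004-06-01T10:00:03 192.0.2.10 pserver root=/repo/c rejected
2004-06-01T11:02:00 198.51.100.7 pserver root=/repo/main accepted
2004-06-01T12:15:00 203.0.113.5 pserver root=/repo/main accepted
2004-06-01T14:40:00 198.51.100.7 pserver root=/repo/main accepted
""".splitlines()
WATCHLIST = {"203.0.113.5"}  # placeholder for the addresses an advisory lists

def scan(lines, watchlist, min_roots=3, window=timedelta(minutes=5)):
    """Return {source IP: sorted reasons} for watchlist hits and CVSROOT walks."""
    attempts = defaultdict(list)
    findings = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore records that do not match the assumed format
        ts, ip, root = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if ip in watchlist:
            findings[ip].add("watchlist")
        attempts[ip].append((ts, root))
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({r for _, r in events[start:end + 1]}) >= min_roots:
                findings[ip].add("root-walk")
                break
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

if __name__ == "__main__":
    for ip, reasons in sorted(scan(SAMPLE_LOG, WATCHLIST).items()):
        print(ip, ",".join(reasons))
```

A source that is flagged for both reasons, or a watchlist hit whose connection was accepted, is the first one to check against the server's own state.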