Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: CVS vulnerability
From: "Jeff Hill" <johill@lanl.gov>
To: <tech-talk@aps.anl.gov>
Date: Fri, 28 May 2004 15:11:11 -0600
Hopefully, none of our colleagues have exported the port of a CVS server
through their firewall. An example setup which might be likely to experience
malicious abuse would be allowing direct read only anonymous access to a CVS
server. See attached.

Jeff

>>-----BEGIN PGP SIGNED MESSAGE-----
>>
>>A DOE site reported that one of their systems was quite likely 
>>compromised through a recently announced CVS vulnerability. They 
>>discovered this because a second DOE site reported seeing probes for 
>>the vulnerability by several foreign IP addresses. Those IP addresses 
>>and the UTC times that were seen at the second site
>>are:
>>
>>May 23 17:43:29 62.87.235.95
>>May 23 19:03:24 217.96.8.158
>>May 23 20:09:53 217.120.30.217
>>May 23 20:24:35 218.42.151.179 *
>>May 23 20:49:28 80.139.250.197 *
>>May 24 10:53:41 82.149.228.89 *
>>May 24 10:59:04 82.149.228.89 *
>>May 24 13:42:48 213.149.96.50
>>May 24 14:11:09 217.120.30.217
>>May 24 16:34:46 62.80.126.39
>>
>>
>>The three IP addresses with "*" were also seen on the compromised 
>>system at the first DOE site. The second site also reported that the 
>>sequence of CVSROOT directories tried is precisely the sequence in the 
>>exploit code which can be seen at
>>
>>http://packetstormsecurity.nl/0405-exploits/cvs_linux_freebsd_HEAP.c
>>
>>CIAC suggests that the DOE sites look for suspicious connections with 
>>these and other IP addresses to their CVS servers. Vulnerable servers 
>>can be patched according to CIAC Bulletin O-147: Linux CVS Server Heap 
>>Overflow Vulnerability.
>>
>>
>>
>>________________________________________________________________________
>>                The Computer Incident Advisory Capability
>>                           ___ __ __   _    ___
>>                          /      |    / \  /
>>                          \___ __|__ /___\ \___ 
>>______________________________________________________________________

Jeff
__________________________________________________________
Jeffrey O. Hill               Mail         JOHill@lanl.gov
LANL MS H820                  Voice        505 665 1831
Los Alamos NM 87545 USA       Fax          505 665 5107
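The CIAC notice quoted above asks sites to look for connections from the listed addresses to their CVS servers. The following script is an added example, not part of Jeff Hill's message or the CIAC bulletin: it parses the probe list exactly as quoted (addresses, UTC times, and the "*" marker for sources also seen on the compromised host) and matches a connection log against it. The log lines are constructed for the example, and their xinetd-style `from=` format is an assumption; adapt `LOG_RE` to whatever your pserver wrapper or firewall actually writes.

```python
"""
Match CVS pserver connection-log entries against the probe sources listed
in the quoted CIAC notice.  Added example, not part of the original post.
The address list and times are the ones quoted in the message (UTC, 2004);
the log sample below is constructed and its format is hypothetical.
"""
import ipaddress
import re
from collections import defaultdict

# Probe sources and UTC times as listed in the quoted CIAC notice.
# A trailing "*" marks addresses also seen on the compromised system.
CIAC_PROBES = """\
May 23 17:43:29 62.87.235.95
May 23 19:03:24 217.96.8.158
May 23 20:09:53 217.120.30.217
May 23 20:24:35 218.42.151.179 *
May 23 20:49:28 80.139.250.197 *
May 24 10:53:41 82.149.228.89 *
May 24 10:59:04 82.149.228.89 *
May 24 13:42:48 213.149.96.50
May 24 14:11:09 217.120.30.217
May 24 16:34:46 62.80.126.39
"""

# Constructed sample log (hypothetical xinetd-style format): one line per
# accepted TCP connection to the cvspserver service.
SAMPLE_LOG = """\
May 23 20:24:40 cvshost xinetd[812]: START: cvspserver pid=901 from=218.42.151.179
May 23 21:02:11 cvshost xinetd[812]: START: cvspserver pid=944 from=192.168.10.5
May 24 10:53:44 cvshost xinetd[812]: START: cvspserver pid=1203 from=82.149.228.89
May 24 11:30:02 cvshost xinetd[812]: START: cvspserver pid=1250 from=192.168.10.7
"""

PROBE_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\d+\.\d+\.\d+\.\d+)( \*)?$"
)
LOG_RE = re.compile(r"cvspserver .*from=(\d+\.\d+\.\d+\.\d+)")


def parse_probe_list(text):
    """Return {ip: {"seen_on_compromised": bool, "times": [timestamps]}}."""
    entries = defaultdict(lambda: {"seen_on_compromised": False, "times": []})
    for line in text.splitlines():
        m = PROBE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts, ip, starred = m.groups()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        entries[ip]["times"].append(ts)
        if starred:
            entries[ip]["seen_on_compromised"] = True
    return dict(entries)


def match_connections(log_text, probes):
    """Return (ip, seen_on_compromised, log_line) for every log line whose
    source address appears in the probe list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(1) in probes:
            ip = m.group(1)
            hits.append((ip, probes[ip]["seen_on_compromised"], line))
    return hits


if __name__ == "__main__":
    probes = parse_probe_list(CIAC_PROBES)
    for ip, flag, line in match_connections(SAMPLE_LOG, probes):
        tag = "ALSO ON COMPROMISED HOST" if flag else "probe source"
        print(f"{ip:16} {tag:26} {line}")
```

Matches against the starred addresses deserve the earliest attention, since those sources were tied to an actual compromise rather than scanning alone; an empty result does not prove a server was untouched, only that none of the listed sources reached it.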
