IBM AIX Security Notification: Web site defacements

From: IBM MSS Advisory Service (advisoryat_private)
Date: Fri Aug 24 2001 - 12:37:02 PDT

  • Next message: Joel Maslak: "Re: Cisco Security Advisory: CBOS Web-based Configuration Utility Vulnerability" 

    -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----

IBM AIX Security Notification

Wed, 22 August 2001, 13:50:04 CDT


Over the last few days, the IBM AIX Security Team has become aware of
a hacker group that has been targeting systems running the AIX operating
system, breaking into these systems, and defacing web sites on those
systems.

The tools being used to accomplish the breakins appear to be those
principally written by a Polish hacking crew using the name "Last
Stages of Delirium". Similar tools that take advantage of the same
vulnerabilities are available from elsewhere, too.

We have researched as many as we have been aware of software tools that
are being used to see if any of the vulnerabilities have or have not been
closed under AIX.

So far, we have determined that of all the vulnerabilties these tools
exploit have been fixed by IBM, dating back to 1996. APARs for all of
the vulnerabilities have been available to customers.

Here is a listing of the exploits we know of being used to gain access
to AIX systems during the recent attacks and the AIX version numbers
and APAR numbers associated with the fix for that version:

1. chatmpvc, mkatmpvc, rmatmpvc        4.3, APAR #IY08128
                                       4.2, APAR #IY08288

2. digest                              4.3, APAR #IX74599
                                       4.2, APAR #IX76272
                                       4.1, APAR #IX74457

3. dtaction                            4.3, APAR #IY02944

4. dtprintinfo                         4.3, APAR #IY06367
                                       4.2, APAR #IY06547

5. ftpd                                4.3, APAR #IY04477
                                       4.2, APAR #IX85556
                                       4.1, APAR #IX85555

6. nslookup                            4.3, APAR #IY02120
                                       4.3, APAR #IX9909

7. pdnsd                               Associated product out of service;
                                       Customers avised to disable
                                       and/or uninstall.

8. rpc.ttdbserverd                     4.3, APAR #IX81442
                                       4.2, APAR #IX81441

9. piobe, piomkapqd                    4.3, APAR #IY12638

10. portmir                            4.3, APAR #IY07832

11. sdrd                               SP systems only;
                                       4.3, APAR #IX80724

12. setsenv                            4.3, APAR #IY08812

13. telnetd                            E-fix available;
                                       4.3, IY22029
                                       5.1, IY22021

Affected customers are urged to upgrade the level of their AIX operating
systems and/or apply the APARs listed above to protect their systems.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQCVAwUBO4P/ewsPbaL1YgqvAQEiXwP/bwThtsNncjiuH6GWsxCR8NLM+fmGNn9x
mk8mSGUOXPzP4o+f1RuGXwxaE6YcEQktcnal5v0VtPnz0u9/Sj6D4nVtsZl+Mh/D
IMgz+ndY1NbyMjaNDxmlPAAOOXL2z3InhZ46nylCWzS7dMAnJxtN5WhnsYmkAO5d
ReTJOZ3LdzQ=
=rJ4O
- -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBO4U7xsXrSKQHhgFwEQI83ACgkJe8X7dB1Idq+eOHt2Ny9S32v2sAnAnK
eLPoPRmqRy6yxQrwVS03v9wp
=DyIo
-----END PGP SIGNATURE-----

    This archive was generated by hypermail 2b30 : Fri Aug 24 2001 - 14:21:18 PDT