-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                                AL-98.01
                              AUSCERT Alert
                         multiscan ('mscan') Tool
                               20 July 1998
Last Revised: --
- ---------------------------------------------------------------------------

AusCERT has received reports indicating a recent and substantial increase
in network scanning activity. It is believed that intruders are using a
new tool called 'Multiscan' or 'mscan'. This tool enables the user to scan
whole domains and complete ranges of IP addresses to discover well-known
vulnerabilities. Information concerning this tool has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1. Description

        AusCERT has received reports indicating a recent and substantial
        increase in network scanning activity. It is believed that
        intruders are using a new tool called 'Multiscan' or 'mscan'. This
        tool enables the user to scan whole domains and complete ranges of
        IP addresses to discover well-known vulnerabilities in the
        following services:

                statd
                nfs
                cgi-bin Programs (eg: 'handler', 'phf' & 'cgi-test')
                X
                POP3
                IMAP
                Domain Name Servers
                finger

        The 'mscan' documentation mentions the domain 'org.au' as an
        example, so this domain may well be used as a first test case.
        Sites in this domain should therefore expect more frequent scans.

        'mscan' also provides information to the user which may be useful
        in hiding their probe attempts against a subnet by bouncing their
        scans off hosts identified as running the application 'wingate'.

        It is worth noting that mscan can only scan hosts that are visible
        on the network. External users cannot probe hosts behind a
        suitably configured firewall.

2. Impact

        'mscan' attempts to detect exploitable vulnerabilities on target
        hosts within complete ranges of IP addresses and presents this
        information to the user in a report. This information may be used
        by an intruder in further attacks against vulnerable hosts.

3. Workarounds/Solution

3.1 Detection

        The following events may indicate that your site has been probed
        using 'mscan' or other similar scanning tools. In any case, this
        is likely to be a prelude to a subsequent attack:

        - Evidence of systematic scans of all IP addresses within a domain
          or repeated DNS lookups of all hosts on a subnet.

        - Evidence of zone transfers from a domain name server to
          unknown/untrusted destinations.

        - Evidence of systematic probes (from the same IP address/origin)
          of the services:

                statd
                nfs
                cgi-bin Programs (eg: 'handler', 'phf' & 'cgi-test')
                X
                POP3
                IMAP
                Domain Name Servers
                finger
                The lp account

3.2 Protection

        Please note that securing your hosts against the vulnerabilities
        tested for by mscan does not necessarily make your hosts secure.
        It is imperative that you continue to take all of the usual
        security measures, like applying all security patches and
        performing regular monitoring activities.

        statd:

        There are well known problems in certain versions of statd which
        are exploitable remotely. See the AusCERT Advisory at URL:

        ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.29.statd.overflow.vul

        nfs:

        NFS exported filesystems may allow an intruder to examine, change
        or add data to a filesystem on your host remotely. To deny access
        to your NFS services from the outside we encourage you to consider
        blocking inbound NFS connections at your router. For a discussion
        of security issues concerning NFS see the CERT advisory at URL:

        http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html

        cgi-bin Programs (eg: 'handler', 'phf' & 'cgi-test'):

        Do not install cgi-bin programs on your web server whose security
        status is dubious.
        If you must have cgi-bin programs, you should check them for
        security vulnerabilities before installation. The AusCERT advisory
        at the following URL provides useful information on this topic:

        ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.01.Vulnerability.in.NCSA.Apache.CGI.example.code

        X:

        If it is not necessary to allow X-windows connections from outside
        of your site, then secure open X server ports (i.e. 6000+) against
        intrusion by blocking inbound traffic at the router. Sites are
        encouraged to check their local documentation for access control
        mechanisms such as 'xhost' and 'xauth'.

        POP3:

        POP servers are a good source of information for intruders and
        failed connections are not always logged. Enable logging of failed
        POP server access where possible and monitor these logs for any
        unusual activity such as multiple failed POP attempts. Sites
        should also check that they are not affected by the 'qpopper'
        vulnerability, discussed at URL:

        ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.01.qpopper.buffer.overflow.vul

        IMAP:

        There are well known problems in older versions of IMAP which are
        exploitable remotely. See the following advisories and ensure that
        you are not vulnerable to these problems:

        ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.09.imap_pop
        ftp://ftp.auscert.org.au/pub/mirrors/ftp.secnet.com/advisories/SNI-08.IMAP_OVERFLOW.advisory

        Also see the URL at:

        http://www.cert.org/advisories/CA-97.09.imap_pop.html

        Domain Name Servers:

        Sites should allow zone transfers only to authorised name servers.
        This helps to impede the use of the mscan tool. There are also
        known problems with some versions of BIND. See the following
        advisory and ensure that you are not vulnerable to these problems:

        http://www.cert.org/advisories/CA-98.05.bind_problems.html

        finger:

        To stop unauthorised persons from obtaining personal information
        about users on your system, you should disable the 'finger'
        program.
        Additionally, block outside traffic to the 'finger' service at
        your firewall.

        lp:

        The lp account on some systems (notably IRIX) is distributed
        without a password, and intruders may be able to use this for
        non-authenticated access to a system. The general solution is to
        'lock' all non-password accounts; however, this may disable some
        key features of your system. See the following CERT advisory for
        more information on this topic:

        http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html

4. Additional Information

        The advisory documents at the following URLs:

        ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
        ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

        may also prove useful in securing your system.

- ---------------------------------------------------------------------------

AusCERT would like to thank the CERT Coordination Centre for reference
material quoted from their Incident Note: IN-98.02. See the following URL
for the content of that document:

        http://www.cert.org/incident_notes/IN-98.02.html

- ---------------------------------------------------------------------------

The AusCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AusCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT is located at The University of Queensland within the Prentice
Centre. AusCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and
AUSCERT Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for
                emergencies.

Postal:         Australian Computer Emergency Response Team
                Prentice Centre
                Brisbane Qld. 4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNbSmIih9+71yA2DNAQElIAQAmnNKbnfLj+VZzmGdQ1dNICnUsUnZbkNB
B2AtwSmNKxq2o3+txRJL4BKb/bBgAW5W5UgHBb1pYlHd2+/VGhtQCv2AHqU9O0lu
BbOGtd3NsgWRQkjYxW3eOYHqstY4gafrizRq/qVaxWMyexVaEIK7I9IX4uGwEXwC
v3fdscTg21k=
=K70h
-----END PGP SIGNATURE-----
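The detection indicators of section 3.1 (systematic probes of the listed services from one origin across many hosts, and zone transfers pulled by destinations that are not trusted name servers) turned into a small check over a connection log. This is an added example, not part of the AusCERT advisory; the log line format, the port-to-service mapping, the trusted name server and all addresses are constructed assumptions.

```python
# Added example (not AusCERT code): flag mscan-style sweeps from the
# section 3.1 indicators, over a constructed connection log.
from collections import defaultdict

# Assumption: standard ports; 111 (portmapper) stands in for statd and
# 515 (printer) for the lp account.
MSCAN_PORTS = {111: "statd", 2049: "nfs", 80: "cgi-bin", 6000: "X",
               110: "POP3", 143: "IMAP", 53: "DNS", 79: "finger", 515: "lp"}

# Constructed log: "<time> <src> -> <dst>:<port> <flag>"; AXFR = zone transfer
SAMPLE_LOG = """\
12:00:01 203.0.113.7 -> 192.0.2.1:79 SYN
12:00:01 203.0.113.7 -> 192.0.2.1:111 SYN
12:00:02 203.0.113.7 -> 192.0.2.2:79 SYN
12:00:02 203.0.113.7 -> 192.0.2.2:110 SYN
12:00:03 203.0.113.7 -> 192.0.2.3:143 SYN
12:00:03 203.0.113.7 -> 192.0.2.3:6000 SYN
12:00:04 203.0.113.7 -> 192.0.2.4:53 AXFR
12:00:09 198.51.100.5 -> 192.0.2.1:80 SYN
12:00:10 192.0.2.53 -> 192.0.2.4:53 AXFR
"""

def parse_line(line):
    """Split one log line into (src, dst, port, flag)."""
    _time, src, _arrow, dst_port, flag = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port), flag

def find_sweeps(log_text, trusted_ns=frozenset({"192.0.2.53"}),
                min_hosts=3, min_services=3):
    """Map each suspicious source to a summary. A source is suspicious if it
    touches >= min_hosts hosts on >= min_services mscan services (a sweep),
    or pulls a zone transfer without being a trusted secondary name server."""
    hosts, services, axfr = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        src, dst, port, flag = parse_line(line)
        if port in MSCAN_PORTS:
            hosts[src].add(dst)
            services[src].add(MSCAN_PORTS[port])
        if flag == "AXFR" and src not in trusted_ns:
            axfr[src].add(dst)  # zone transfer to an untrusted destination
    hits = {}
    for src in set(hosts) | set(axfr):
        sweep = len(hosts[src]) >= min_hosts and len(services[src]) >= min_services
        if sweep or axfr[src]:
            hits[src] = {"hosts": len(hosts[src]), "services": sorted(services[src]),
                         "zone_transfers": sorted(axfr[src])}
    return hits
```

On the sample log only 203.0.113.7 is reported: it touched four hosts on six of the listed services and also pulled a zone transfer, while the single cgi-bin request and the transfer by the trusted name server stay below the thresholds.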