CERT Coordination Center 1996 Annual Report

Annual Report

This 1996 annual report highlights CERT/CC incident response, publications, training, and community support.

Publisher: Software Engineering Institute

Abstract

From January through December 1996, the CERT Coordination Center received 31,268 email messages and 2,062 hotline calls reporting computer security incidents or requesting information. We received 345 vulnerability reports and handled 2,573 computer security incidents during this period. More than 10,700 sites were affected by these incidents. When a security breach occurs, the CERT incident response staff helps affected sites to identify and correct problems in their systems and to develop system safeguards and security policies. We coordinate with other sites affected by the same incident and, when an affected site explicitly requests, we facilitate communication with law enforcement and investigative agencies.

When we receive a vulnerability report, CERT vulnerability experts analyze the potential vulnerability, working with technology producers and vendors. We advise them of security deficiencies in their products, help them to resolve the problems, and facilitate the distribution of corrections to other response teams and to the Internet community at large.

Below, we describe some of the most serious intruder activities reported to the CERT/CC in 1996. Unfortunately, we continue to see the same problems in 1997.

  • cgi-bin/phf exploits
    At least weekly, and often daily, we saw reports of password files being obtained illegally by intruders who exploited a vulnerability in the PHF cgi-bin script. The phf program, which is installed by default with several implementations of httpd servers, contains a weakness that can allow intruders to execute arbitrary commands on the server. The most common attack involved an attempt to retrieve the httpd server's /etc/passwd file. Once the intruders retrieved the password file, they often attempted to crack the passwords found in the file. Sample scripts for exploiting this phf vulnerability have been widely posted on the Internet. We were encouraged to see that many of the attacks reported at the end of the year failed (because the attacked sites had already removed the phf program). However, the steady reports of continuing attacks indicated that these phf exploits were still being widely attempted.
  • Linux exploits
    We saw an increase this year in break-ins and root compromises of Linux machines. In some cases, the intruders installed packet sniffers. In many of these incidents, the systems were misconfigured and/or the intruders exploited well-known vulnerabilities for which CERT advisories or Linux newsgroup posts or announcements had been published.
  • Denial-of-service attacks
    Instructions for executing denial-of-service attacks and programs (exploitation scripts) for implementing such attacks were widely distributed this year. After this information was published, we noticed a significant and rapid increase in the number of denial-of-service attacks executed against sites. Intruders created TCP half-open connections, easily accomplished with IP spoofing. As a result, the data structure of the victim's server filled up, rendering the system unable to accept new incoming connections. Network service providers were often the targets for these attacks.
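
As an added example (not part of the CERT report), the following sketch shows how a site could triage its own httpd access log for the phf requests described above, separating requests the server answered from those that failed because the script had already been removed. It assumes Common Log Format; the sample lines, addresses and query parameter are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format, as written by NCSA-style httpd servers (assumed log format).
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: documentation addresses, placeholder query parameter "x".
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/1996:03:14:07 -0500] "GET /cgi-bin/phf?x=%2Fetc%2Fpasswd HTTP/1.0" 200 1834
192.0.2.10 - - [12/Nov/1996:03:14:09 -0500] "GET /index.html HTTP/1.0" 200 2210
198.51.100.7 - - [02/Dec/1996:22:41:55 -0500] "GET /cgi-bin/phf?x=%2Fetc%2Fpasswd HTTP/1.0" 404 207
198.51.100.7 - - [02/Dec/1996:22:41:58 -0500] "GET /cgi-bin/%70hf HTTP/1.0" 404 207
this line is not a log entry
"""

def phf_requests(log_text):
    """Yield (host, timestamp, status, mentions_passwd) for each request to the phf script."""
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the triage
        path, _, query = m["target"].partition("?")
        # Decode before comparing so percent-encoded spellings of the path still match.
        if unquote(path).lower().rstrip("/") != "/cgi-bin/phf":
            continue
        yield m["host"], m["ts"], int(m["status"]), "/etc/passwd" in unquote(query)

def triage(log_text):
    """Group phf hits per client; a 2xx status means the script was present and ran."""
    report = defaultdict(lambda: {"served": 0, "refused": 0, "passwd": 0})
    for host, _ts, status, passwd in phf_requests(log_text):
        entry = report[host]
        entry["served" if 200 <= status < 300 else "refused"] += 1
        entry["passwd"] += passwd  # requests whose decoded query names /etc/passwd
    return dict(report)

if __name__ == "__main__":
    for host, counts in triage(SAMPLE_LOG).items():
        action = "INVESTIGATE: phf answered" if counts["served"] else "probe only"
        print(host, counts, action)
```

A client with a nonzero "served" count reached a server that still had phf installed, so that host's password file should be treated as exposed; "refused" entries correspond to the failed attempts against sites that had removed the program.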
Part of a Collection

CERT Annual Reports 1994-2010

Cite This Annual Report

@techreport{Citekey_1997,
author={Software Engineering Institute},
title={CERT Coordination Center 1996 Annual Report},
month={Jan},
year={1997},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://www.sei.cmu.edu/library/cert-coordination-center-1996-annual-report-summary/},
note={Accessed: 2026-May-18}
}

Software Engineering Institute. "CERT Coordination Center 1996 Annual Report." Carnegie Mellon University, Software Engineering Institute's Digital Library. Carnegie Mellon's Software Engineering Institute, January 1, 1997. https://www.sei.cmu.edu/library/cert-coordination-center-1996-annual-report-summary/.