-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                        A U S C E R T   A L E R T

                       AL-2001.02  --  AUSCERT ALERT
      NIPC Advisory 01-003 - Update to NIPC Advisory 00-060 (ESB-2000.389)
                         E-Commerce Vulnerabilities
                               9 March 2001
===========================================================================

AusCERT Alert Summary
---------------------

Product:            Microsoft IIS,
                    Microsoft SQL Server 7.0
                    Microsoft Data Engine 1.0
                    Internet Information Service 5.0
Vendor:             Microsoft
Operating System:   MS Windows Server Platforms
Impact:             Access Confidential Data
                    Execute Arbitrary Code/Commands
Access Required:    Remote
Ref:                ESB-2000.389
                    ESB-2000.384

Summary:

The following information is an update to NIPC Advisory 00-060, E-Commerce
Vulnerabilities. AusCERT is issuing this external security bulletin as an
AusCERT Alert to emphasize the significance of the vulnerabilities listed.
This alert is also intended to draw attention to the increased activity seen
involving exploitation of these problems, particularly in relation to
e-commerce or e-finance/banking sites.

The SANS Institute has also released an alert, "Large Criminal Hacker Attack
on Windows NT E-Banking and E-Commerce Site", which contains further
information and is available at:

    http://www.sans.org/newlook/alerts/NTE-bank.htm

- --------------------------BEGIN INCLUDED TEXT--------------------

Subject: Update to NIPC Advisory 00-060 "E-Commerce Vulnerabilities"
         (ADVISORY 01-003)

8 March 2001

This advisory is an update to the NIPC Advisory 00-060, "E-Commerce
Vulnerabilities", dated December 1, 2000. Since the advisory was published,
the FBI has continued to observe hacker activity targeting victims associated
with e-commerce or e-finance/banking businesses. In many cases, the hacker
activity had been ongoing for several months before the victim became aware
of the intrusion.
The NIPC emphasizes the recommendation that all computer network systems
administrators check relevant systems and consider applying the updated
patches as necessary, especially for systems related to e-commerce or
e-banking/financial businesses. The patches are available on Microsoft's web
site, and users should refer to the URLs listed below.

The following vulnerabilities have been previously reported:

Unauthorized Access to IIS Servers through Open Database Connectivity (ODBC)
Data Access with Remote Data Service (RDS)

Systems Affected: Windows NT running IIS with RDS enabled.

Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes 99-22
    http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
    http://www.nipc.gov/warnings/advisories/1999/99-027.htm
    http://www.nipc.gov/cybernotes/cybernotes.htm

Summary:
    - Allows unauthorized users to execute shell commands on the IIS system
      as a privileged user;
    - Allows unauthorized access to secured, non-published files on the IIS
      system;
    - On multi-homed Internet-connected IIS systems using Microsoft Data
      Access Components (MDAC), allows unauthorized users to tunnel
      Structured Query Language (SQL) and other ODBC data requests through
      the public connection to a private back-end network.

SQL Query Abuse Vulnerability

Affected Software Versions: Microsoft SQL Server Version 7.0 and Microsoft
Data Engine (MSDE) 1.0

Details: Microsoft Security Bulletin MS00-14, NIPC CyberNotes 20-05
    http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
    http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: The vulnerability could allow the remote author of a malicious SQL
query to take unauthorized actions on a SQL Server or MSDE database.
Registry Permissions Vulnerability

Systems Affected: Windows NT 4.0 Workstation, Windows NT 4.0 Server

Details: Microsoft Security Bulletin MS00-008, NIPC CyberNotes 20-08 and 20-22
    http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
    http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: Users can modify certain registry keys such that:
    - a malicious user could specify code to launch at system crash
    - a malicious user could specify code to launch at next login
    - an unprivileged user could disable security measures

Web Server File Request Parsing

While they have not been shown to be a vector for the current attacks,
Microsoft has advised us that the vulnerabilities addressed by Microsoft
bulletin MS00-086 are very serious, and we encourage web site operators to
consider applying the patch provided with this bulletin as well as the three
that are under active exploitation.
    http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
    http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: The vulnerability could allow a malicious user to run system
commands on a web server.

New Information:

In addition to the above exploits, several filenames have been identified in
connection with the intrusions, specific to Microsoft Windows NT systems. The
presence of any of these files on your system should be reviewed carefully
because they may indicate that your system has been compromised:

    ntalert.exe
    sysloged.exe
    tapi.exe
    20.exe
    21.exe
    25.exe
    80.exe
    139.exe
    1433.exe
    1520.exe
    26405.exe
    i.exe

In addition, system administrators may want to check for the unauthorized
presence of any of the following executable files, which are often used as
hacking tools:

    lomscan.exe
    mslom.exe
    lsaprivs.exe
    pwdump.exe
    serv.exe
    smmsniff.exe

Recipients of this Advisory are encouraged to report computer crime to the
NIPC Watch at (202) 323-3204/3205/3206. Incidents may also be reported online
at www.nipc.gov/incident/cirr.htm.
- --------------------------END INCLUDED TEXT--------------------

This alert is provided as a service to AusCERT's members. As AusCERT did not
write the document quoted above, AusCERT has had no control over its content.
The decision to use any or all of this information is the responsibility of
each user or organisation, and should be made in accordance with site
policies and procedures.

NOTE: This is only the original release of the alert. It may not be updated
when updates to the original are made. If downloading at a later date, it is
recommended that the alert is retrieved directly from the original authors to
ensure that the information is still current.

Contact information for the authors of the original document is included in
the alert above. If you have any questions or need further information,
please contact them directly.

Previous advisories, alerts and external security bulletins can be retrieved
from:

    http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for
                emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOqjYHih9+71yA2DNAQHppAP/WzXlbmLiXDyXjVy2Bk6ZAD7UJRHWpnSh
1fKHNQSzYKLhK5WbzV4QN40EuNyD1aqoxvjqoXB/Gan/Hdh3LaCHN77H/uoSlSe6
S2wDRx9H5qCgGe7ulamLQHr/uO5RfBaQH1cgq2PKoKcBPawAKQ3AjgrZph6ut8YI
OmOQh3Q1r3U=
=kRxc
-----END PGP SIGNATURE-----
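As an added illustration (not part of the AusCERT alert or the NIPC advisory quoted in it), the following Python script walks a directory tree and flags any file whose name matches the two NIPC lists above, matching case-insensitively because Windows file names are. The directory layout built in `demo()` is constructed for the demonstration; the file names themselves are the ones the advisory lists.

```python
# Added example (not from the AusCERT/NIPC text): scan a directory tree for the
# file names the NIPC advisory associates with the intrusions.
import os
import tempfile

# File names the advisory ties directly to the intrusions.
INTRUSION_FILES = {
    "ntalert.exe", "sysloged.exe", "tapi.exe", "20.exe", "21.exe", "25.exe",
    "80.exe", "139.exe", "1433.exe", "1520.exe", "26405.exe", "i.exe",
}
# Executables the advisory says are often used as hacking tools.
TOOL_FILES = {"lomscan.exe", "mslom.exe", "lsaprivs.exe", "pwdump.exe",
              "serv.exe", "smmsniff.exe"}


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Return (path, category) for every file under `root` whose name matches.

    Matching is case-insensitive because Windows file names are.  A hit is a
    reason to review the file, not proof of compromise.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            if lowered in INTRUSION_FILES:
                hits.append((os.path.join(dirpath, name), "intrusion-linked"))
            elif lowered in TOOL_FILES:
                hits.append((os.path.join(dirpath, name), "hacking-tool"))
    return sorted(hits)


def demo() -> dict[str, int]:
    """Scan a constructed tree (two hits, one benign file); return hits per category."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "WINNT", "system32")
        os.makedirs(sys32)
        for path in (os.path.join(root, "WINNT", "NTALERT.EXE"),  # case differs
                     os.path.join(sys32, "pwdump.exe"),
                     os.path.join(sys32, "notepad.exe")):         # benign
            open(path, "wb").close()
        counts: dict[str, int] = {}
        for _path, category in scan_tree(root):
            counts[category] = counts.get(category, 0) + 1
        return counts


if __name__ == "__main__":
    print(demo())  # {'intrusion-linked': 1, 'hacking-tool': 1}
```

Point `scan_tree()` at a system drive to review a live host; every hit still needs manual confirmation, since legitimate software can reuse a listed name.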