July 25, 2008
DNS Vulnerability Announced
Recently, a major DNS vulnerability was discovered (see http://www.kb.cert.org/vuls/id/800113 for further details). Servers on campus which were found to be running DNS servers were scanned and notices sent to administrators if their servers were found to be vulnerable. If you have any questions concerning this issue, please contact security@tamu.edu
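The vulnerability referenced above (VU#800113) is the DNS cache-poisoning flaw whose fix is to randomize the UDP source port of every outbound query, so a forged reply has to match both the 16-bit transaction ID and the port. A quick way to confirm a resolver really was patched is to capture a few hundred of its outbound queries to port 53 and look at the source ports it used. The Python below is an added example written for this page, not a tool from the announcement or from CERT; the sample port lists and the thresholds used to grade a sample are assumptions.

```python
import random

TXID_SPACE = 65536  # 16-bit DNS transaction ID


def port_randomization_report(ports):
    """Summarize how random a list of observed UDP source ports looks.

    ports: source ports of successive outbound queries, e.g. pulled from a
    packet capture of the resolver's traffic to port 53.
    The thresholds below are assumptions chosen for illustration.
    """
    if not ports:
        raise ValueError("need at least one observed port")
    distinct = sorted(set(ports))
    span = distinct[-1] - distinct[0]
    gaps = [b - a for a, b in zip(distinct, distinct[1:])]
    if len(distinct) == 1:
        verdict = "fixed"        # pre-patch behaviour: one port for every query
    elif max(gaps) <= 2:
        verdict = "sequential"   # an incrementing port is just as guessable
    elif len(distinct) / len(ports) < 0.9 or span < 1000:
        verdict = "poor"         # many repeats or a very narrow range
    else:
        verdict = "randomized"
    return {"observed": len(ports), "distinct": len(distinct),
            "span": span, "verdict": verdict}


def forged_replies_to_match(port_space, txid_space=TXID_SPACE):
    """Average number of spoofed replies an attacker must send to hit both the
    transaction ID and the source port. The flaw is so serious precisely
    because port_space used to be 1 on most resolvers."""
    return port_space * txid_space


def constructed_samples():
    """Three made-up port samples (not real captures): a fixed port, a
    counter, and properly random ports."""
    rng = random.Random(7)
    return {
        "fixed": [32768] * 50,
        "sequential": list(range(1025, 1075)),
        "random": [rng.randint(1024, 65535) for _ in range(200)],
    }


if __name__ == "__main__":
    for name, sample in constructed_samples().items():
        r = port_randomization_report(sample)
        print(f"{name:10s} -> {r['verdict']:10s} distinct={r['distinct']} span={r['span']}")
    print("forged replies to match, fixed port:", forged_replies_to_match(1))
    print("forged replies to match, ~64k ports:", forged_replies_to_match(64512))
```

A resolver behind a NAT device can still show a fixed or sequential port on the outside even after it is patched, because some NAT implementations rewrite source ports; the sample has to be taken on the Internet-facing side to be meaningful.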
July 15, 2008
Even More Phishing
As usual, we will not request such personal and confidential details via e-mail.
NOTE: Reply all mails to- accountupgradedept@live.com
ACCOUNT UPGRADE TEAM
FINAL VERIFICATION OF YOUR EMAIL ACCOUNT
VERIFY YOUR EMAIL ACCOUNT NOW
Dear webmail Account Owner,
This message is from upgrade team messaging center to all our webmail account owners. We are currently upgrading our data base and webmail account center. We are deleting all our webmail accounts to create more space for new accounts. To prevent your account from closing you will have to update it below so that we will know that it's a presently used account. We have been sending this notice to all our webmail account owners and this is the last notice/verification exercise.
CONFIRM YOUR WEBMAIL IDENTITY BELOW
Email Username : .......... .....
Email Password : ................
Date of Birth : .................
Country or Territory : ..........
Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.
Thank you for using our webmail
Warning Code:XXXXXXXXX
Thanks,
Account Upgrade Team.
NOTE: Reply all mails to- accountupgradedept@live.com
July 9, 2008
New Phishing Scam on Campus
A new phishing email began circulating on campus today. It appeared to come from Tamu.edu. As always, never provide any personal information to untrusted web sites or in response to an email message.
Subject: Tamu.edu ACCOUNT UPDATE.
Date: Wed, 09 Jul 2008 21:26:33 -1100
From: Tamu.edu
Sender: pfox@cogeco.ca
Reply-To: Tamu.edu
To: (Recipient List Suppressed)
Dear tamu.edu Email Account Owner,
This message is from tamu.edu messaging center to all tamu.edu email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused tamu.edu email account to create more space for new accounts.
To prevent your account from closing you will have to update it below so that we will know that it's a presently in used.
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : .......... .....
EMAIL Password : ................
Date of Birth : .................
Country or Territory : ..........
Send us the following information through this email address accountupdatehelp@gmail.com
Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.
Thank you for using tamu.edu!!
Warning Code:VX2G99AAJ
Thanks,
tamu.edu Team
tamu.edu BETA
July 7, 2008
New Citibank Phishing Scam Spreading on Campus
A new phishing email began circulating on campus today. It appeared to come from Citibank. As always, never provide any personal information to untrusted web sites or in response to an email message.
Here is the text of the current phishing scheme:
Dear Member,
We detected irregular activity on your Citibank Card. For your protection, you must verify your account before you can continue using your card. Please use the link below to verify your account immediately:
http://web.da-us.citibank-xv.com/citifi/?scripts/login2/login.jsp
Note: PIN not required.
Sincerely,
S. Larson
Customer Service
June 28, 2008
Another New Phishing Scam on Campus
A new phishing email began circulating on campus today. As always, do not respond to this mail, and never provide any personal information to untrusted web sites or in response to an email message.
Here is the text of the current phishing attempt:
Subj: MAINTENANCE UPGRADE
Dear Email User,
Prior to the unwanted spam in our TAMU webmail service, we have decided to perform maintainance on our site. Our maintainance is based on free Anti-spamming protection for all TAMU users accounts, which is number 10 of our TAMU email/exchange terms and condition. You are to send in your information below in this order:
******************
FULL NAME:
USER ID:
PASSWORD:
ALTERNATE EMAIL:
DATE OF BIRTH:
SECRET QUESTION:
SECRET ANSWER:
******************
This process will help us to fight against spam mails. Failure to submit your TAMU email/exchange Account Details, will render your email address in-active from our database. You can also confirm your email address by logging into your account at: https://email.tamu.edu/
NOTE: You will be notifield in your email password reset message immediately after undergoing this process for security reasons.
TAMU Technical System Team
June 6, 2008
Another New Phishing Scam on Campus
A new phishing email began circulating on campus today. As always, do not respond to this mail, and never provide any personal information to untrusted web sites or in response to an email message.
Here is the text of the current phishing attempt:
This is a courtesy reminder that your EPPICard needs to be verified. In order to receive uninterrupted service, please verify your card immediately. To verify your card, please click the link below and follow the provided steps:
http://www.eppicardr.com/verify/#
Regards,
EPPIcard
May 27, 2008
More Targeted Phishing
A&M has been targeted by phishers again. The text of the e-mails is here and here. Additionally, there is a PayPal phishing e-mail making the rounds. It seems to be HTML-only, but the text of the message is here.
May 22, 2008
Another New Phishing Scam on Campus
A new phishing email began circulating on campus today. As always, do not respond to this mail, and never provide any personal information to untrusted web sites or in response to an email message.
Here is the text of the current phishing attempt:
New Login Procedure!
On May 20, EPPICard changed the login procedure required to access your account. Your security is of utmost importance. To ensure that logging into your account is more secure, EPPICard has added the Challenge Questions system. Challenge Questions is an additional security piece in addition to the card currently being used. You will have a greater degree of confidence that you are visiting our official website.
Enrollment Process: Simply click the link below, and you will be directed to a EPPICard Authentication page where you will have a couple of steps to complete.
http://www.eppicardl.com/eppicard/?security
You only have to do it once. Changes will be active in 24 hours. It's that easy! All Cardholders are required to activate this feature within 48 hours in order to continue using their cards.
Regards,
EPPICard
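The Citibank message of July 7 and both EPPICard messages (June 6 and this one) share the same tell: the link points at a domain that wraps or is one character away from the brand name (citibank-xv.com, eppicardr.com, eppicardl.com). The link target, not the visible text, is what counts. As an added example (not part of this page or any TAMU tool), here is Python that pulls the registrable domain out of a URL and compares it with a short allow-list of the domains these messages claim to come from. The allow-list, the naive "last two labels" rule for the registrable domain, and the edit-distance cut-off are assumptions.

```python
from urllib.parse import urlparse

# Assumed allow-list: the domains the quoted messages claim to be from.
BRANDS = {"citibank.com", "eppicard.com", "paypal.com", "tamu.edu"}


def registrable_domain(url):
    """Last two labels of the URL's host. This deliberately ignores multi-part
    public suffixes such as co.uk (a simplification); production code should
    use a public-suffix list."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, brands=BRANDS, max_distance=2):
    """Return (verdict, registrable_domain, matched_brand) where verdict is
    "trusted" (exactly on the allow-list), "lookalike" (contains a brand
    label or is within max_distance edits of one) or "unknown"."""
    dom = registrable_domain(url)
    if dom in brands:
        return ("trusted", dom, dom)
    label = dom.split(".")[0]
    for brand in sorted(brands):
        blabel = brand.split(".")[0]
        if blabel in label or levenshtein(label, blabel) <= max_distance:
            return ("lookalike", dom, brand)
    return ("unknown", dom, None)


if __name__ == "__main__":
    # The three links quoted on this page plus the genuine webmail address.
    for url in (
        "http://web.da-us.citibank-xv.com/citifi/?scripts/login2/login.jsp",
        "http://www.eppicardr.com/verify/#",
        "http://www.eppicardl.com/eppicard/?security",
        "https://email.tamu.edu/",
    ):
        print(classify_link(url), "<-", url)
```

Note that the June 28 message above includes the genuine https://email.tamu.edu/ link, which this check classifies as trusted, and still asks the reader to mail back a password. A link check is one signal among several; a request for a password by e-mail is sufficient on its own.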
May 21, 2008
Secunia PSI Windows Security Tool
A useful security tool has been released by Secunia for keeping track of updates for software running on Windows. The tool, Secunia Personal Software Inspector, examines a computer for software in its database, determines the software version, and alerts you if there are updates. This could be an invaluable tool for ensuring that software is up-to-date.
Secunia PSI is licensed freely for private use. Secunia NSI (the business version) does have a cost. More information is available at http://psi.secunia.com/.
May 15, 2008
SSH Attacks on the Rise
There has been an increase in brute force SSH attacks on machines on campus. This is also being reported by SANS in their Handler's Diary. If you have port 22 open through the campus firewall for any of your machines, this would be a good time to review the security settings on the server.
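One concrete way to review a server is to look at what sshd has been logging. As an added example (not a tool from this page or from the SANS diary), here is Python that scans auth.log-style lines for "Failed password" events and flags any source address that fails more than a threshold number of times inside a short window, which is the signature of a dictionary attack rather than a user mistyping. The log lines are constructed, the addresses are from the documentation ranges, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not a real capture).
LOG = """\
May 15 03:12:01 www sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
May 15 03:12:03 www sshd[2203]: Failed password for invalid user oracle from 198.51.100.23 port 40130 ssh2
May 15 03:12:04 www sshd[2205]: Failed password for root from 198.51.100.23 port 40141 ssh2
May 15 03:12:06 www sshd[2207]: Failed password for invalid user test from 198.51.100.23 port 40150 ssh2
May 15 03:12:08 www sshd[2209]: Failed password for invalid user guest from 198.51.100.23 port 40163 ssh2
May 15 03:12:09 www sshd[2211]: Failed password for invalid user user from 198.51.100.23 port 40170 ssh2
May 15 09:45:10 www sshd[3001]: Failed password for ellen from 192.0.2.7 port 51002 ssh2
May 15 09:45:20 www sshd[3001]: Accepted password for ellen from 192.0.2.7 port 51002 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def brute_force_sources(log, threshold=5, window_seconds=600):
    """Return {ip: {"failures": n, "users": [...]}} for every source that
    produced at least `threshold` failed logins inside any `window_seconds`
    span. Threshold and window are assumptions; tune them to the host."""
    times = defaultdict(list)
    users = defaultdict(set)
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; that is fine for relative gaps
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        times[m["ip"]].append(ts)
        users[m["ip"]].add(m["user"])
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it fits within window_seconds
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(stamps), "users": sorted(users[ip])}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in brute_force_sources(LOG).items():
        print(f"{ip}: {info['failures']} failures, tried {', '.join(info['users'])}")
```

On the hardening side, the settings worth checking in sshd_config are PasswordAuthentication no (keys only), PermitRootLogin no, and an AllowUsers or AllowGroups list; these are standard OpenSSH options and apply whether or not the host is exposed through the campus firewall.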
07 May 2008
New phishing scam on campus
If you receive e-mail asking you to "CONFIRM YOUR TAMU.EDU EMAIL ACCOUNT IMMEDIATELY!!!", please delete it. As a reminder, we will never ask you to e-mail us your password.
Update 6:00pm
Another phish has been reported, "*****Help Maintainance*****".
As a reminder, please never send sensitive information over e-mail. Thank you for reporting these scams to us.
There is a massive web server compromise effort that has been building for about two weeks now. Please use our self-service scanner and check your web server for vulnerabilities.
Some very high profile web sites have fallen victim to this "IFrame Attack." Below are some links to articles describing the extent of the attack.
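The "IFrame Attack" referred to here inserted invisible iframe elements (and, in some variants, external script tags) into otherwise legitimate pages, so that visitors were silently sent to a host serving browser exploits. Besides running the self-service scanner, a quick check of the served HTML from the web server's own files catches the plain form of the injection. The Python below is an added example written for this page, not a TAMU tool or code from the linked articles; the two sample pages are constructed and the hidden-element heuristics are assumptions. It goes slightly beyond the text in also flagging scripts loaded from hosts outside the site's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not from any real compromise); addresses are
# from the documentation ranges.
INJECTED = """<html><head><title>Department site</title>
<script src="/js/menu.js"></script></head><body>
<h1>Welcome</h1>
<iframe src="http://203.0.113.9/in.cgi?3" width=0 height=0 style="display:none"></iframe>
<script src="http://198.51.100.4/b.js"></script>
</body></html>"""

CLEAN = """<html><body>
<script src="/js/menu.js"></script>
<iframe src="http://www.youtube.com/embed/abc" width="425" height="350" frameborder="0"></iframe>
</body></html>"""

TINY = {"0", "0px", "1", "1px"}  # sizes nobody uses for a frame meant to be seen


class InjectionFinder(HTMLParser):
    """Collect iframes sized or styled to be invisible, and scripts pulled
    from hosts outside the site's own. The heuristics are assumptions."""

    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = {h.lower() for h in site_hosts}
        self.hits = []

    def _offsite(self, src):
        host = (urlparse(src).hostname or "").lower()
        return bool(host) and host not in self.site_hosts

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width", "").strip().lower() in TINY
                      or a.get("height", "").strip().lower() in TINY
                      or "display:none" in style
                      or "visibility:hidden" in style)
            if hidden:
                self.hits.append(("hidden-iframe", src))
        elif tag == "script" and src and self._offsite(src):
            self.hits.append(("offsite-script", src))


def find_injected(html, site_hosts=()):
    """Return [(kind, src), ...] in document order; empty means nothing found."""
    p = InjectionFinder(site_hosts)
    p.feed(html)
    p.close()
    return p.hits


if __name__ == "__main__":
    for name, page in (("injected", INJECTED), ("clean", CLEAN)):
        print(name, find_injected(page, ["www.dept.example"]))
```

This only catches the static form. Injected content that is assembled with document.write or unescape in JavaScript will not show up as an iframe tag, so a diff of the served files against a known-good copy, or a look for unexpected strings in database fields that feed the pages, is the more reliable follow-up.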
A new variant of this phishing message has been seen on campus. While this one does not seem to be as wide spread, please be aware of it. Again, this is not a valid Texas A&M University email, and a response should not be sent.
Here is the message text:
This is not a hoax, as hackers have penetrated to our server. This make us to warn users to change their password, we checked your account and found out that you did not change your password. With this Tamu have decided to manually change the passwords of users, but first have to confirm users. You are therfore require to fill the form below
Username: (*******************)
Password: (*******************) current password
Password: (*******************) your desire new password.
Regards
Tamu Support Team
12 March 2008
Another new phishing email began being seen today. This, again, is not a valid email, and you should not respond with any personal information. This spam appears to come from the 'TAMU Support Team' and contains the following subject line:
Subject: Confirm Your Email Address
and the following text:
Dear User,
We wrote to you on 28th February 2008 advising that you change the password on your account in order to prevent any unauthorised account access following the network intrusion we previously communicated. we have found the vulnerability that caused this issue, and have instigated a system wide security audit to improve and enhance our current security, in order to continue using our services you are require to update you account details below. To complete your account verification, you must reply to this email immediately and enter your account details below.
Username: (**************)
password: (**************)
Failure to do this will immediately render your account deactivated from our database. We apologise for the inconvenience that this will cause you during this period, but trust you understand that our primary concern is for our customers and for the security of their data. our customers are totally secure
Tamu Support Team
This is not an email sent from Texas A&M University. Do not reply with your username and password.
06 March 2008
Email concerning Phishing Attack sent to AM-COMPADMIN mailing list
04 March 2008
We are currently seeing the following email being sent to tamu accounts. This is a phishing spam message, and was not sent by Texas A&M University. Do not respond to this message. Texas A&M University will not ask you to update your account information, or provide any personal or account information, through an email message.
The email contains the following subject line:
Subject: VERIFY YOUR TAMU.EDU EMAIL ACCOUNT NOW
and the following text:
Dear tamu.edu Email Account Owner,
This message is from tamu.edu messaging center to all tamu.edu email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused tamu.edu email account to create more space for new accounts. To prevent your account from closing you will have to update it below so that we will know that it's a present used account.
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : .......... .....
EMAIL Password : ................
Date of Birth : .................
Country or Territory : ..........
Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.
Thank you for using tamu.edu
Warning Code:VX2G99AAJ
Thanks,
tamu.edu Team
www.tamu.edu
If you have any questions concerning this information, please send mail to security@net.tamu.edu.
New malware on campus
12 February 2008
We're receiving reports of Windows computers trying to infect other computers. It appears the computers are infected with "MS ASN1 Integer Overflow" malware. Please see Microsoft Security Bulletin MS04-007 and http://www.symantec.com/avcenter/attack_sigs/s20421.html for more details.
Microsoft Excel Vulnerability Announced
17 January 2008
A new vulnerability has been discovered in certain versions of Microsoft Office Excel, software that processes spreadsheets. Successful exploitation will result in an attacker gaining the same privileges as the logged-on user. If the user is logged in with administrator privileges, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. This vulnerability can be exploited by opening a malicious Excel spreadsheet (.XLS) that was e-mailed as an attachment, or by visiting a web site that hosts a malicious Excel spreadsheet.
http://www.microsoft.com/technet/security/advisory/947563.mspx
04 September 2007
Vulnerability Scanning for Campus Webservers
The Network Security Team will be performing vulnerability scans against all campus webservers which have ports open through the campus firewall. The scans will begin on Tuesday, September 4. Any webserver with ports 80, 443, 8080, 8000, or 8443 open will be scanned. The scans will be coming from 128.194.177.109 or 128.194.177.221. If you have any concerns over this activity, please contact us at security@net.tamu.edu.
19 July 2007
You've received a greeting card from ...
You've received an ecard from ...
As we reported in April, "Storm Worm" (also known as Trojan.Peacomm) is still on campus and infecting Windows computers. This time, it's in the form of "postcards" or notices asserting that your computer is infected.
If you click on the link to view your "postcard", you'll be prompted to install software. If the software is installed, your computer can be controlled remotely, and will likely begin sending spam.
The malware can disable anti-virus software.
Why can't we just block all mail from postcards.com, funnypostcards.com, etc.?
The e-mail is not really from postcards.com. It's pretending to be from there. You can look at the full e-mail headers to see the real source. An example of how one can tell this is shown here.
In addition to sending e-mail, the infected computers tend to send a lot of UDP packets to communicate with other servers that may be controlling the infected hosts.
As we discover infected computers, we notify the admin. We are trying to get these infected computers off the network as soon as possible. If we are unable to locate an owner, or if we receive no response, the computer will be blocked at the firewall or will have the switch port disabled.
As a reminder, please review and update your computer ownership information in NIM. (Click here for more information about NIM.)
References:
http://www.f-secure.com/v-descs/small_dam.shtml
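Both the July 9 phish above (From: Tamu.edu, but Sender: pfox@cogeco.ca) and the forged postcards.com mail described here give themselves away in the headers rather than in the visible From line. As an added example (not code from this page), the Python below parses a raw message and reports a From header that carries no real mailbox, a Sender or Return-Path domain that differs from the From domain, a body that asks for a password and directs replies to some other domain, and the bottom-most Received header, which is the hop closest to the real origin. The three sample messages are constructed to mirror the ones quoted on this page, and the 203.0.113.x and 192.0.2.x addresses are documentation ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real captures).
PHISH = """\
Subject: Tamu.edu ACCOUNT UPDATE.
Date: Wed, 09 Jul 2008 21:26:33 -1100
From: Tamu.edu
Sender: pfox@cogeco.ca
Reply-To: Tamu.edu
To: undisclosed-recipients:;

Dear tamu.edu Email Account Owner,
To prevent your account from closing you will have to update it below.
Email Username : ..........
EMAIL Password : ..........
Send us the following information through this email address
accountupdatehelp@gmail.com
"""

POSTCARD = """\
Received: from mx.tamu.edu (mx.tamu.edu [192.0.2.25]) by mail.tamu.edu; Thu, 19 Jul 2007 08:01:03 -0500
Received: from postcards.com (unknown [203.0.113.77]) by mx.tamu.edu; Thu, 19 Jul 2007 08:01:02 -0500
From: postcards.com <noreply@postcards.com>
To: user@tamu.edu
Subject: You've received a postcard from a friend!

You have just received a postcard. Click the link to view it.
"""

LEGIT = """\
From: Help Desk <helpdesk@tamu.edu>
To: user@tamu.edu
Subject: Planned maintenance

Webmail will be unavailable Saturday 02:00-04:00. No action is required.
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]*)\s*\[([0-9.]+)\]\)")


def domain_of(header_value):
    """Lower-cased domain of the mailbox in a header, or '' when the header
    carries no real address (a bare display name such as 'Tamu.edu')."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def earliest_hop(raw):
    """(helo_name, reverse_dns, ip) from the bottom-most Received header, the
    hop nearest the true origin. Each relay prepends its own Received line,
    so the top ones were written by our servers; the From line was written
    by the sender and can say anything."""
    received = message_from_string(raw).get_all("Received") or []
    for hdr in reversed(received):
        m = RECEIVED_RE.search(hdr)
        if m:
            return m.group(1), m.group(2), m.group(3)
    return None


def phish_indicators(raw):
    """List of red flags found in a raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From"))
    if not from_dom:
        flags.append("From header has no mailbox address")
    for hdr in ("Sender", "Return-Path"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            flags.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    hop = earliest_hop(raw)
    if hop and from_dom:
        rdns = hop[1].lower()
        if not (rdns == from_dom or rdns.endswith("." + from_dom)):
            flags.append(f"origin {hop[2]} (rDNS {hop[1]!r}) is not in From domain {from_dom!r}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"password", body, re.I):
        flags.append("body asks for a password")
        for dom in sorted({a.rpartition("@")[2].lower() for a in ADDR_RE.findall(body)} - {from_dom}):
            flags.append(f"body directs replies to {dom!r}, not the claimed sender")
    return flags


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("postcard", POSTCARD), ("legit", LEGIT)):
        print(name, "origin:", earliest_hop(raw))
        for flag in phish_indicators(raw) or ["no indicators"]:
            print("   ", flag)
```

The Received check is the one that matters for the postcard mail: the From line and even the HELO name say postcards.com, but the relay recorded the connecting host as "unknown" at 203.0.113.77, which is what the firewall logs and the infected host's owner need.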
19 July 2007
Vulnerability found in Sun's Java Runtime Environment
A new vulnerability was announced this week concerning Sun's Java Runtime Environment. Sun has already patched the flaws and stated that they are not aware of any current exploits.
Sun has released a new version of Java SE Update 2 that will address all current vulnerabilities. This update can be found at java.com. If you are running an older version of Java, you should un-install that version before installing the updated version.
The vulnerability explanation can be found in the Australian CERT (AusCERT) advisory. More information about the patches for these vulnerabilities can be found at SunSolve.
11 April 2007
We're seeing a lot of Windows computers infected with (as Symantec calls it) Trojan.Peacomm (also known as "Storm Worm"; Sophos is calling it W32/Dref-AF) on campus. An infected attachment arrives via e-mail with a sensational subject, such as "Fidel Castro dead" or "World War III started." When the attached program is executed, the computer becomes infected and anti-virus software is disabled. The computer sends e-mail to infect more computers, and typically uses a peer-to-peer protocol over UDP to receive updated instructions.
There are over 50,000 variants of this particular trojan, so anti-virus companies will doubtless have some problems keeping up with all known versions.
Please remember to use caution when clicking on unknown links or attachments.
02 April 2007
Microsoft has issued Security Advisory 935423, Vulnerability in Windows Animated Cursor Handling.
The problem exists because some files, including files other than animated cursors, do not undergo proper format validation before they are processed. As with many Windows vulnerabilities, exploitation of this vulnerability could allow unauthorized remote attackers to take control of your computer system.
The following platforms are vulnerable:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista (Internet Explorer 7 Protected Mode limits the impact, but Vista itself is still affected)
Although a patch isn't available yet, several workarounds have been suggested. From the Microsoft tech bulletin,
Update: February 28, 2007
Unauthorized Access Attempt on University Accounts
Texas A&M University authorities announced today that an attempt has been made to gain unauthorized access to electronic files containing encrypted passwords to some university accounts, but not affecting the financial, payroll or student administrative systems.
Update: February 16, 2007
Recently, we have seen a large number of machines compromised and scanning the NetBios port (TCP 139) as a result of the compromise. The infection appears to be caused by a variant of W32.Spybot.Worm. Hosts which we discover are port scanning are being blocked at the campus firewall to prevent off-campus scanning, and the administrators are contacted.
The removal tool for this worm can be found at: http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99&tabid=3.
This is an older worm, so this is again a good time to ensure that all machines you administer are up to date on both virus protection and patches.
Update: January 25, 2007
It was recently revealed that when updating to patched versions of Sun Java, older, vulnerable versions of the software are not uninstalled. This leaves the machine open to a compromise. Sun has released instructions to remove the Windows Java Runtime Environment at http://java.com/en/download/help/5000010800.xml.
It is recommended that you ensure that the old versions of Java are removed from your system.
Also, a new version of Java is available. This is Java Runtime Environment Version 5.0 Update 10 for Windows. To update to the new version, visit: http://www.java.com/en/download/index.jsp
Update: January 18, 2007
With the first day of classes came many infected computers. From what we've heard, these are still mostly variants of the Lokkest virus.
Computers not running Symantec are getting infected. Lokkest also spreads via Instant Messages, SQL, infected e-mail attachments, etc. If you're running McAfee, you'll need to be sure you're running the latest definition file (DAT 4942 as of today) to catch this (netadp) process.
Steps to remove the virus can be found at: http://www.symantec.com/security_response/writeup.jsp?docid=2007-010423-0817-99&tabid=3.
This is also a good time to ensure that all machines you administer are up to date on both virus protection and patches.
Update: January 5, 2007
Many machines on campus were infected today with the Lokkest virus. This is a mass mailing worm infecting Windows hosts. It will also disable anti-virus software.
Steps to remove the virus can be found at: http://www.symantec.com/security_response/writeup.jsp?docid=2007-010423-0817-99&tabid=3.
This is also a good time to ensure that all machines you administer are up to date on both virus protection and patches.
17 August, 2006 - W32.Wargbot
If you didn't patch your Windows machine as described below, it may be infected with Wargbot
09 August, 2006 - Microsoft Patch Tuesday
Microsoft "patch Tuesday" is upon us again, and many folks (e.g., http://isc.sans.org/) are expressing concern about this batch of vulnerabilities, particularly the one patched by MS06-040.
There are some helpful hints regarding patch installation in one of the isc handler's diary articles.
The full list of patches released by Microsoft includes 9 "critical" and 3 "important" patches for IE, Office, Windows, MSN Messenger, JPEG Processing, and for Virtual PC for Mac. A link to Microsoft's latest patch announcement is available here.
24 May 2006 -- Postcards
Please don't open the "postcards" that are going around this week. As you might expect (if you're reading our page to check on it), you'll get infected... If you look closely at the source, you'll see you're being directed to view a file called "postcards.gif.exe". Sample e-mail message:
Hello friend !
You have just received a postcard from someone who cares about you!
This is a part of the message:
"Hi there! It has been a long time since I haven't heared about you!
I've just found out about this service from Sharon, a friend of mine who also told me that..."
If you'd like to see the rest of the message click here (link removed) to receive your animated postcard!
===================
Thank you for using www.yourpostcard.com 's services !!!
Please take this opportunity to let your friends hear about us by sending them a postcard from our collection !
==================
Update: 28 March 2006
sendmail vulnerability
Summary: Computers running Sendmail 8.13.5 and earlier are vulnerable to a remote exploit, which could lead to exposure, deletion, or modification of programs and data on the affected system, interference with or interception of email delivery, and potentially unauthorized access to other systems in the network. Please contact us if you have questions about whether your computer is at risk. We are conducting a vulnerability scan to identify vulnerable sendmail servers. To gather some information about OS versions, we are also checking some other ports, including ports 21, 22, 23, 25, and 80.
Nyxem.E worm activates on February 3
Aliases: Blackworm, Kamasutra, W32.Blackmal.E@mm, W32/Mywife.d
The Nyxem.E worm is a mass mailing worm that can also spread through file shares. It will attempt to disable security and file sharing software, and destroy files with certain filename extensions. If a machine is infected with this worm, the file overwrites will begin tomorrow and repeat on every third day of each month.
Please ensure that anti-virus software is up to date with the latest definitions. Also, Symantec has designed a Removal Tool to remove infections from this worm.
Further information:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html
http://vil.nai.com/vil/content/v_138027.htm
http://www.f-secure.com/v-descs/nyxem_e.shtml
Update -- Win32/Brepibot spreading on TAMU campus
01/31/2006 11:45
Several machines on campus have recently been infected with the W32/Brepibot virus. This is a mass-mailing virus, and one variant was designed to contact IRC servers and provide information about the infected system. The subject and text of the email may vary, depending on the variant, but the attachment with the email will be photo and article.exe.
http://vil.nai.com/vil/content/v_133091.htm
Many college campuses are reporting messages being received with various headers relating to campus rape. These messages contain forged headers, and appear to be from machines infected with the Win32/OutsBot virus. The message asks that you view the attached picture to help identify the 'suspect'. This attachment will then infect the computer.
We have seen evidence in our campus firewall logs that these emails are being sent to campus, but have not yet received reports of anyone being infected. Please be aware of this message, and let us know if you become aware of an infected machine on campus.
Update -- 01/05/2006
Security Bulletin MS06-001 Released
01/05/2006
Microsoft has released Security Bulletin MS06-001. This is in response to the recent vulnerability found in the Windows Meta File (WMF) code in the Windows Operating Systems (see below). This update should be applied as soon as possible. Visit the link above, or visit Windows Update to apply the latest updates.
Microsoft's Security update for WMF Vulnerability
Microsoft Security Advisory (912840)
01/02/2006
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
AFFECTED PLATFORMS:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98
Microsoft Windows 98 Second Edition (SE)
Microsoft Windows Millennium Edition (ME)
As most of you are probably already aware, a new vulnerability has been discovered in Windows' graphics rendering engine. Detailed exploit code for this vulnerability has been made publicly available. The vulnerability allows an attacker to execute arbitrary code on a system by means of a specially crafted Windows Metafile (WMF) image hosted on a web site or distributed via e-mail. Microsoft is currently investigating this vulnerability. More information and suggested mitigating actions can be found in the following Microsoft Security Advisory:
http://www.microsoft.com/technet/advisory/912840.mspx
Microsoft suggests that users un-register the Windows Picture and Fax Viewer (regsvr32 -u %windir%\system32\shimgvw.dll) on Windows XP SP1, Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1. It is important to note that this workaround will not correct the underlying vulnerability. It will, however, help limit exposure to the vulnerability. We are aware that at least one third-party patch is available for this vulnerability. It is our recommendation that users install only official Microsoft patches.
The network security group is in the process of evaluating and installing rules on our IDS and NetSQUID systems to detect crafted WMF files that attempt to exploit this vulnerability.
-Daryl
There has been an increase in attempts (some successful) to deface tamu.edu web pages.
We've learned that when attention is directed to a domain (because of a published compromise), the hacker community tends to focus attention and effort on attacking the domain until something else comes along.
tamu.edu appears to be the object of hacker attention.
Several web pages have been defaced. Most of this activity occurred during the day Monday. In all cases but one complex one (in which the analysis is ongoing), we have identified the off-campus host originating the compromise, and the tamu admin has worked with us to correct the problem.
One other incident occurred because vulnerable phpBB (forum) software allowed a tamu.edu host to be used to initiate paypal phishing e-mail.
Here are some details that may be beneficial to other admins:
SSL and Mambo content manager vulnerabilities (for which patches exist) have been exploited. One admin thinks one of his users had a password sniffed while using one of the unencrypted protocols (possibly FTP). Another admin reported two security patches were installed "but not finished".
Affected operating systems include: Solaris, Windows 2000, Linux, and MacOSX.
Networking and Information Security has begun the process of scanning every host on campus--not just those with services open through the firewall--and has already begun working with admins to address vulnerabilities. The goal is to get us into a state where we can scan automatically and have only the latest issues to deal with, but that plan also relies on the cooperation and participation of the admins on campus (or intervention from us, which we would like to avoid).
The owner of any host can visit our self-service web page at https://scan.tamu.edu/ to initiate their own vulnerability scan.
Thanks for your patience and help as we go through this process.
Ellen
Update - Unwanted Pop-ups
11/06/2005
We've noticed a number of sites (off-campus) sending unwanted pop-up messages to campus. These arrive on UDP ports 1028, 1029, and 1030. Previously, senders of unwanted pop-ups talked to UDP port 135 before sending the message to another UDP port (and we blocked UDP 135 at the firewall because of this), but now people have figured out they can try ports 1028-1030 blindly without talking to 135 first. Because other legitimate applications also use these UDP ports, we are not blocking the ports at this time, but we are blocking any off-campus IP addresses that we see sending these pop-up messages.
Example messages are similar to, "A problem has been detected in your windows registry. A full scan is recommended. Visit http://some.web.site/ to fix this problem."
If you notice unwanted pop-up messages on any of your computers, please drop us a line to let us know.
Update - Campus Firewall Change Complete
10/20/2005
All protocols that pass passwords in plain text through the campus firewall have now been blocked. These protocols include Telnet, FTP, POP and IMAP. More information on this change can be found here. If you are experiencing a problem that you feel is related to this change, please send mail to firewall@tamu.edu.
Update -- Microsoft Patch Tuesday
10/11/2005
Microsoft users, please regard the Microsoft Security Bulletin for October, 2005. One of the three critical updates is for Internet Explorer. Another "important" update to Windows Shell Code is necessary to prevent remote users from being able to "take complete control of the affected system." As always, please patch your computers to prevent the predicted upcoming spread of worms and viruses on campus.
Update -- AIM viruses
10/05/2005
Please beware that viruses now spread through AIM and other messaging services. Don't be tempted to click on links promising "pictures at the beach" or other "OMG Look!" links you might find in profiles. Many of the infected files have a file extension of ".pif". We will begin updating our NetSQUID boxes to look for connections to known bad links and block infected users if possible.
Update -- attempted logins via ssh
09/24/2005
We continue to see and block off-campus hosts which are trying to login via ssh.
Update -- Web Server Defacements
09/13/2005
There is currently an increased hacking activity directed at Apache web servers running on Linux hosts. This activity has mainly resulted in defaced web sites. One web site on the TAMU campus has been defaced as a result of this. Make sure your Operating Systems and Apache web servers are fully patched and up to date.
Update -- 09/05/2005
Thank you all for helping to get your machines patched as the semester begins. I think it really helped contribute to a smooth start. We've received two reports so far today about "electronic postcards". "You have received a virtual greeting from a friend!" When you go visit the postcard site, you're asked to download an .exe file. Beware, it's probably something that will infect your computer.
Update - 08/18/2005
Adobe Acrobat/Reader vulnerability:
There is a possibility that a specially crafted .pdf file can cause Acrobat/Reader to crash and may permit someone to execute arbitrary commands on your computer. Announcement
Update -- 08/18/2005
Plug and Play patch (MS05-039) for 2000, Server 2003, XP (various patch levels). On Windows 2000 the vulnerability can be exploited remotely by anonymous users, which is how Zotob spreads; on newer operating systems and patch levels it requires an account on the computer, locally or remotely, depending on your current OS and patch level. The exploit/service involves the use of TCP ports 139 and 445, which are not opened by default on the campus firewall.
Update - 08/15/2005
Current Exploits of this vulnerability:
- W32.Esbot.A
- W32.Zotob.E
Removal tools can also be found at Symantec's Site
Update - 08/12/2005
Ready for Fall semester?
There are several new vulnerabilities and exploits out. Please patch your computers if you haven't already done so!
IE patch (MS05-038) for Microsoft Internet Explorer 5.01 SP4, 5.5 SP2, 6, and 6 SP1.
VERITAS [Symantec] Backup Exec Remote agent for Windows Servers. This product uses the Network Data Management Protocol (NDMP), which listens on TCP port 10000. This port is not open through the campus firewall by default, but if you're running this software, be aware that exploits have been seen on the Internet. We have noticed an increase in scanning for port 10000.
Update - 08/08/2005
Change in TAMU Campus Firewall Configuration
Beginning September 1, 2005, services which use insecure protocols will no longer be allowed to pass through the campus firewall. These services include telnet, ftp, imap and pop. Please see the announcement for more information and updates to this change.
Update - 07/12/2005
We continue to block hosts trying to guess passwords over ssh. Also, we are blocking hosts which are performing SQL and port 445 scanning. Notices are sent to administrators which are affected.
Update - 06/30/2005
"mytob" continues to be the most popular infection on PCs. We're not seeing any other wide-spread or significant infection/compromises. Please see the Past TAMU Security Announcements for more information.
Update -- 05/18/2005
New phpBB vulnerability discovered
A vulnerability is caused by an unspecified error in the URL and BBcode handling functions. To resolve this issue, update to version 2.0.15 at http://www.phpbb.com/downloads.php
More Information:
http://secunia.com/advisories/15298/
Update -- 05/02/2005
New Sober Worm Variant Released
A new variant of the Sober worm is currently spreading on campus. This is the W32/Sober.p@MM worm. This is a mass mailing worm which spoofs the 'From:' line. The subject line will be:
Subject: Your Password
The body of the message will state:
Account and Password Information at attached!!
and contain an AntiVirus notice at the bottom of the message. The attachment will be a .zip file.
A Removal tool is available at http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.removal.tool.html.
For further information, please see:
http://www.symantec.com/avcenter/venc/data/w32.sober.p@mm.html
http://vil.nai.com/vil/content/v_133409.htm
Update - 05/16/2005 -- Sober.Q
A version of the Sober worm is spreading German spam. More information can be found at:
http://vil.nai.com/vil/content/v_133684.htm
Update -- 03/23/2005
PLATFORM: Windows, Linux, Apache, IIS, PHP
NOTICE: A host on campus was compromised by a several-months-old vulnerability in phpbb (a free web server bulletin board). This package has had multiple vulnerabilities, and it has been reported that a tool exists to assist locating and compromising hosts running vulnerable phpbb versions.
phpbb uses PHP, but is an additional piece of code. If you're using phpbb package, please be sure you're running version 2.0.13. The web page for phpbb is http://www.phpbb.com/.
If you have a host on campus with port 80 open, we are re-scanning for vulnerabilities. You can check the firewall configuration of hosts that you own in NIM at https://firewall.tamu.edu/ . Please e-mail firewall@tamu.edu if you have firewall questions.
REFERENCE: http://www.kb.cert.org/vuls/id/497400
Update -- 04/02/2005
Many of you have noticed unauthorized login attempts from off campus via ssh. We have started blocking these hosts at our firewall. So far today we have blocked a "rr.com" host, a "savvis.net" host, and a host from Korea. Accounts such as "root", "admin", "guest", "www", and "test" are targeted, as well as a dictionary of other names such as "patrick", "cliff", and so on. The attempts usually try a list of common passwords and try to gain access to your system. If you notice any of these attempts in your logs, you can mail us, but we'll be watching for them using some of our network software tools.
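The pattern described above (one off-campus host cycling through "root", "admin", "guest", "www", "test" and dictionary names) is easy to pick out of an sshd log. The following is an added example, not a tool from this page or from TAMU; it reads constructed log lines, counts failed logins per source, and flags off-campus sources that try several different account names. The campus address range (192.0.2.0/24) and the thresholds are assumptions for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sshd log lines; hosts, usernames and times are
# illustrative and are not taken from the page.
SAMPLE_AUTH_LOG = """\
Apr  2 03:14:01 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr  2 03:14:03 host1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Apr  2 03:14:05 host1 sshd[2215]: Failed password for invalid user guest from 203.0.113.7 port 40126 ssh2
Apr  2 03:14:07 host1 sshd[2217]: Failed password for invalid user www from 203.0.113.7 port 40128 ssh2
Apr  2 03:14:09 host1 sshd[2219]: Failed password for invalid user patrick from 203.0.113.7 port 40130 ssh2
Apr  2 03:20:11 host1 sshd[2301]: Failed password for jdoe from 198.51.100.4 port 51000 ssh2
Apr  2 03:20:40 host1 sshd[2303]: Accepted publickey for jdoe from 198.51.100.4 port 51002 ssh2
Apr  2 04:02:17 host1 sshd[2410]: Failed password for invalid user test from 192.0.2.9 port 3300 ssh2
Apr  2 04:02:19 host1 sshd[2412]: Failed password for invalid user cliff from 192.0.2.9 port 3302 ssh2
Apr  2 04:02:21 host1 sshd[2414]: Failed password for root from 192.0.2.9 port 3304 ssh2
"""

# Assumed campus address space (a documentation range, not TAMU's real one).
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." lines.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def is_off_campus(addr, campus_nets=CAMPUS_NETS):
    """True when the address is outside every listed campus network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in campus_nets)


def summarize_failures(log_text):
    """Count failed logins per source address and collect the usernames tried."""
    by_src = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m is None:
            continue  # accepted logins and unrelated lines are ignored
        entry = by_src[m["src"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
    return by_src


def flag_guessers(log_text, min_attempts=3, min_users=2, campus_nets=CAMPUS_NETS):
    """Return {source: sorted usernames} for off-campus hosts that look like
    password guessers: several failures spread over several account names.
    A single user mistyping a password once is not flagged."""
    flagged = {}
    for src, entry in summarize_failures(log_text).items():
        if not is_off_campus(src, campus_nets):
            continue
        if entry["attempts"] >= min_attempts and len(entry["users"]) >= min_users:
            flagged[src] = sorted(entry["users"])
    return flagged


if __name__ == "__main__":
    for src, users in flag_guessers(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {len(users)} account names tried: {', '.join(users)}")
```

Passing an empty `campus_nets` list turns the campus filter off, which is useful when checking whether a machine on campus has itself been compromised and is guessing at its neighbours.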
A new variant of the Beagle (Bagle) virus is spreading currently on campus. This is W32.Beagle.AV@mm (Symantec) or W32/Bagle.bb@mm (McAfee). This is a mass mailing worm which again spoofs the 'From:' line. The subject line will be:
http://www.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html
http://vil.nai.com/vil/content/v_129509.htm
A new variant of the Beagle (Bagle) virus is spreading currently on campus. This is W32.Beagle.AR@mm (Symantec) or W32/Bagle.az@mm (McAfee). This is a mass mailing worm which again spoofs the 'From:' line. The subject line will be:
For more information:
http://www.symantec.com/avcenter/venc/data/w32.beagle.ar@mm.html
http://vil.nai.com/vil/content/v_128582.htm
Microsoft has released a patch for a major security flaw in its handling of JPEG graphics formats. A buffer overflow vulnerability in the Microsoft Windows GDI+JPEG parsing component could allow a remote attacker to execute arbitrary code on a vulnerable system by introducing a specially crafted JPEG file. This file can be introduced to a system through a malicious web page, HTML email, or an email attachment.
The patch to apply is described in Microsoft Security Bulletin MS04-028
For more information:
http://www.kb.cert.org/vuls/id/297462
http://news.zdnet.com/2100-1009_22-5366314.html
http://www.symantec.com/avcenter/Content/11173.html
PuTTY vulnerability
For those of you who use PuTTy as an SSH client:
http://www.chiark.greenend.org.uk/~sgtatham/putty/
2004-08-03 SECURITY HOLE, fixed in PuTTY 0.55
"PuTTY 0.55, released today, fixes a serious security hole which may allow a server to execute code of its choice on a PuTTY client connecting to it. In SSH2, the attack can be performed before host key verification, meaning that even if you trust the server you think you are connecting to, a different machine could be impersonating it and could launch the attack before you could tell the difference. We recommend everybody upgrade to 0.55 as soon as possible."
Variant of Beagle Spreading on Campus - W32/Bagle.ai@MM
Symantec is referring to this variant as W32.Beagle.AG@mm
A variant of the Beagle virus is currently spreading on campus. It is not being detected by most virus detection software right now, and looks like it may be a new variant called Beagle.AI. This is a mass mailing worm that will spoof the From: address and will have the following subject line:
Re:
It also has been reported to possibly open a backdoor on TCP port 1080 and will shut down virus protection processes on an infected machine.
http://vil.nai.com/vil/content/v_126798.htm
http://www.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html
Removal Tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html
Variant of MyDoom.
We've received a lot of questions about this one today. The following message with attached .zip file are not from us:
Dear user (valid-username)@tamu.edu, Your account has been used to send a huge amount of spam messages during this week. Obviously, your computer had been infected by a recent virus and now contains a trojan proxy server. Please follow the instruction in the attached file in order to keep your computer safe. Best wishes, The tamu.edu support team.
This is a variant of MyDoom. For more information on this mass-mailer, please see the following:
Microsoft Security Bulletins
Microsoft has released a series of Security Bulletins. Several of these have a risk rating of Critical. The bulletins are MS04-018 - MS04-024. It is recommended that all affected Microsoft machines be patched as soon as possible. For a full listing of these patches, and more information, see:
http://www.microsoft.com/technet/current.aspx
New Virus -- W32.Atak@mm
The atak worm is a mass-mailing worm that spreads by sending itself to email addresses gathered from an infected machine. The email will contain the following characteristics:
Subject:
Message:
Authorized Researcher Only.
Attachment:
A .zip file that includes a copy of the worm
http://www.symantec.com/avcenter/venc/data/w32.atak@mm.html
http://vil.nai.com/vil/content/v_126679.htm
Update - 06/25/2004
IIS 5 Web Server Compromises
Activity is currently spreading that affects compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems using Internet Explorer that visit these sites. JavaScript is appended to the bottom of web pages that may contain malicious code that will affect an end user system. The web sites do not appear to be compromised or defaced. The HTML source code must be viewed to find evidence of the attack.
Many anti-virus programs cannot detect this code. Those that do detect it identify it as 'JS.Scob.Trojan'.
At this time there is no known patch. However, users can disable JavaScript to avoid the problem. IIS 5 administrators should check their web sites for signs of added JavaScript code.
http://www.us-cert.gov/current/current_activity.html#iis5
http://zdnet.com.com/2100-1105_2-5247187.html?tag=zdfd.newsfeed
http://isc.sans.org/diary.php?isc=d9606e39e451c3e609bffa96e6057e53
http://isc.sans.org/diary.php?date=2004-06-24
http://www.microsoft.com/incident/download_ject.mspx
http://www.f-secure.com/v-descs/scob.shtml
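Because the defaced pages look normal in a browser, the check has to be done on the HTML source, as the entry says. The following is an added example, not a tool from this page, Microsoft, or TAMU: it takes a set of saved page files and reports any script block that sits after the page's closing tag, which is where the appended code described above would land. The sample pages are constructed, and the appended script is a harmless placeholder standing in for whatever an attacker might add.

```python
import re

# A script block, case-insensitive, possibly spanning lines.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
BODY_CLOSE_RE = re.compile(r"</body\s*>", re.IGNORECASE)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)

# Constructed pages (assumptions for the example, not real site content).
CLEAN_PAGE = (
    "<html><head><title>Dept</title></head>"
    "<body><h1>Welcome</h1></body></html>\n"
)
# Imitates the symptom: a script appended after the page proper, here a
# harmless placeholder rather than anything malicious.
TAMPERED_PAGE = CLEAN_PAGE + '<script>document.write("placeholder")</script>\n'
# A legitimate script inside the body must not be reported.
TEMPLATED_PAGE = (
    '<html><body><script src="/js/menu.js"></script>'
    "<p>hi</p></body></html>\n"
)


def page_end(html):
    """Offset just past the last </body> tag, falling back to the last </html>.
    Returns None when neither tag exists (nothing to compare against)."""
    for pattern in (BODY_CLOSE_RE, HTML_CLOSE_RE):
        matches = list(pattern.finditer(html))
        if matches:
            return matches[-1].end()
    return None


def trailing_scripts(html):
    """Return script blocks that appear after the page's closing tag."""
    end = page_end(html)
    if end is None:
        return []
    return [m.group(0) for m in SCRIPT_RE.finditer(html[end:])]


def audit_pages(pages):
    """pages: {path: html source}. Returns {path: [appended script blocks]}
    for every page that has script content after its closing tag."""
    findings = {}
    for path, html in pages.items():
        found = trailing_scripts(html)
        if found:
            findings[path] = found
    return findings


if __name__ == "__main__":
    sample = {"index.html": CLEAN_PAGE, "news.html": TAMPERED_PAGE,
              "menu.html": TEMPLATED_PAGE}
    for path, blocks in audit_pages(sample).items():
        print(f"{path}: {len(blocks)} script block(s) after closing tag")
        for block in blocks:
            print("   ", block[:80])
```

On a real server you would feed `audit_pages` the contents of every file under the web root and treat any hit as something to diff against a known-good copy; a clean rebuild from trusted sources, not deleting the block alone, is the right response once a page has been altered.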
The Sasser worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems. If you are seeing lots of connections to port 445 (and possibly 5554 and 9996), you may be seeing traffic from an infected host. For more information on detecting and removing the worm from Windows computers, see
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
http://vil.nai.com/vil/content/v_125008.htm
Prevention: Patch systems and/or disable IIS. Report infected Texas A&M hosts to us by mailing logs and time zone information to security@net.tamu.edu.
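The traffic signature given above (many connections from one host to port 445 on many different addresses, sometimes with 5554 and 9996 alongside) can be checked in flow or firewall logs. The following is an added example, not a tool from this page or from TAMU: it reads constructed flow records and reports sources whose fan-out on those ports exceeds a threshold, so that a workstation talking repeatedly to one file server is not confused with a host sweeping the network. The CSV layout, addresses and threshold are assumptions for the illustration.

```python
import csv
import io
from collections import defaultdict

# Ports the entry above associates with Sasser traffic.
SASSER_PORTS = {445, 5554, 9996}

# Constructed flow records (not real campus data). 10.0.5.23 fans out to
# six different hosts on 445 and also touches 5554 and 9996; 10.0.5.40 talks
# repeatedly to a single file server on 445, which is normal SMB use.
SAMPLE_FLOWS = """\
time,src,dst,proto,dport
2004-05-01T10:00:01,10.0.5.23,10.7.1.10,tcp,445
2004-05-01T10:00:01,10.0.5.23,10.7.1.11,tcp,445
2004-05-01T10:00:02,10.0.5.23,10.7.1.12,tcp,445
2004-05-01T10:00:02,10.0.5.23,10.7.1.13,tcp,445
2004-05-01T10:00:03,10.0.5.23,10.7.1.14,tcp,445
2004-05-01T10:00:03,10.0.5.23,10.7.1.15,tcp,445
2004-05-01T10:00:04,10.0.5.23,10.7.1.15,tcp,9996
2004-05-01T10:00:05,10.0.5.23,10.7.1.15,tcp,5554
2004-05-01T10:00:10,10.0.5.40,10.0.9.1,tcp,445
2004-05-01T10:00:11,10.0.5.40,10.0.9.1,tcp,445
2004-05-01T10:00:12,10.0.5.40,10.0.9.1,tcp,445
2004-05-01T10:00:13,10.0.5.41,10.0.9.1,tcp,80
"""


def fanout_by_source(flow_csv, ports=SASSER_PORTS):
    """For each source, collect the distinct destinations contacted on the
    watched TCP ports and the set of watched ports it used."""
    targets = defaultdict(set)
    ports_used = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        dport = int(row["dport"])
        if row["proto"] == "tcp" and dport in ports:
            targets[row["src"]].add(row["dst"])
            ports_used[row["src"]].add(dport)
    return targets, ports_used


def suspected_scanners(flow_csv, min_targets=5):
    """Return {source: {"targets": n, "ports": [...]}} for sources that hit
    at least min_targets distinct destinations on the watched ports.
    Distinct destinations, not connection count, is the scan indicator."""
    targets, ports_used = fanout_by_source(flow_csv)
    return {
        src: {"targets": len(dsts), "ports": sorted(ports_used[src])}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, info in suspected_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['targets']} distinct targets on ports {info['ports']}")
```

A report built this way, together with the log lines and the time zone they were recorded in, is what the entry above asks to be mailed in; the time zone matters because the flow timestamps have to be matched against the receiving site's own records.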
Update -- 04/27/2004
Multiple Virus on Campus
The Phatbot/Agobot worm is currently spreading across campus. It scans for NETBIOS shares and exploits common names/passwords for access. Propagation is also achieved through unpatched Windows boxes with the WebDAV, DCOM and Windows Workstation service vulnerabilities.
There are currently many variants of several different viruses spreading on campus right now. These viruses include Netsky (C-Z), MyDoom (A-G), and Beagle (A-W). More information and patches for the variants we are seeing the most can be found on the viruses page.
If you feel you may be infected, and are not sure how to check your machine, a good tool is Stinger from McAfee. This link will explain the tool and also show the viruses it searches for and removes.
Update -- 04/26/2004
IIS vulnerability being exploited
There is an attack under way on campus against Microsoft Windows systems, particularly those running SSL / https services. System owners should read and act on MS04-011 immediately: http://www.microsoft.com/technet/bulletin/MS04-011.mspx Updated status will be posted on security.tamu.edu as/when new information is available.
03/19/2004
"Witty Worm"
A new worm has been released to exploit a vulnerability found in ISS' BlackICE products. Details about the vulnerability can be found here. The worm uses a source port of UDP 4000 in order to spread. To try to prevent the worm from spreading, we have blocked UDP port 4000 in and out of the campus firewall. If/when possible, we will add signatures for the worm to our dorm boxes to quarantine infected hosts.
Update -- 02/17/2004
New Virus -- W32/Bagle.B (Norton) or W32.Alua@mm (Symantec)
A new mass mailing email virus is spreading across campus. This virus will also open a backdoor on TCP port 8866. The email will have the following characteristics:
From: (address spoofed)
Subject: ID (random string)... thanks
Body
Yours ID (random string)
--
Thank
The attachment will be a .exe file.
Further Information:
http://vil.nai.com/vil/content/v_101030.htm
http://www.symantec.com/avcenter/venc/data/w32.alua@mm.html
Update -- 02/11/2004
Microsoft Warns of Security Flaw
Microsoft has released Security Bulletin MS04-007 documenting a security flaw in its implementation of the networking protocol Abstract Syntax Notation One (ASN.1). This code is used by many Windows applications, and if left unpatched, can allow a remote user to take control of the computer. This affects every machine running Windows NT, Windows 2000, Windows XP or Windows Server 2003.
The patch to fix this vulnerability can be found in Microsoft's Security Bulletin MS04-007. It is also a good idea at this time to check for other available updates at Microsoft Windows Update.
Further Information:
http://www.us-cert.gov/cas/techalerts/TA04-041A.html
http://www.securityfocus.com/news/8008
Update -- 01/26/2004