CIS Network Security Team

Past Announcements Posted to security.tamu.edu:


June 28, 2008
Another New Phishing Scam on Campus

A new phishing email began circulating on campus today. As always, do not respond to this mail, and never provide any personal information to untrusted web sites or in response to an email message.

Here is the text of the current phishing attempt:

Subj: MAINTENANCE UPGRADE

Dear Email User,

Prior to the unwanted spam in our TAMU webmail service, we have decided to
perform maintainance on our site. Our maintainance is based on free
Anti-spamming protection for all TAMU users accounts, which is number 10
of our TAMU email/exchange terms and condition. You are to send in your
information below in this order:
 ******************

FULL NAME:
USER ID:
PASSWORD:
ALTERNATE EMAIL:
DATE OF BIRTH:
SECRET QUESTION:
SECRET ANSWER:

 ******************
This process will help us to fight against spam mails. Failure to submit
your TAMU email/exchange Account Details, will render your
email address in-active from our database.

You can also confirm your email address by logging into your account at:
https://email.tamu.edu/

NOTE: You will be notifield in your email  password reset message
immediately after undergoing this process for security reasons.

TAMU Technical System Team


June 6, 2008
Another New Phishing Scam on Campus

A new phishing email began circulating on campus today. As always, do not respond to this mail, and never provide any personal information to untrusted web sites or in response to an email message.

Here is the text of the current phishing attempt:

This is a courtesy reminder that your EPPICard needs to be verified. In
order to receive uninterrupted service, please verify your card
immediately.

To verify your card, please click the link below and follow the provided
steps:

http://www.eppicardr.com/verify/#

Regards,
EPPIcard


May 27, 2008
More Targeted Phishing

A&M has been targeted by phishers again. The text of the e-mails is here and here. Additionally, there is a PayPal phishing e-mail making the rounds. It seems to be HTML-only, but the text of the message is here.


May 22, 2008
Another New Phishing Scam on Campus

A new phishing email began circulating on campus today. As always, do not respond to this mail, and never provide any personal information to untrusted web sites or in response to an email message.

Here is the text of the current phishing attempt:

New Login Procedure!

On May 20, EPPICard changed the login procedure required to access your
account.

Your security is of utmost importance. To ensure that logging into your
account is more secure, EPPICard has added the Challenge Questions system.
Challenge Questions is an additional security piece in addition to the
card currently being used. You will have a greater degree of confidence
that you are visiting our official website.

Enrollment Process:

Simply click the link below, and you will be directed to a EPPICard
Authentication page where you will have a couple of steps to complete.

http://www.eppicardl.com/eppicard/?security

You only have to do it once. Changes will be active in 24 hours. It's that
easy!

All Cardholders are required to activate this feature within 48 hours in
order to continue using their cards.


Regards,
EPPICard


May 21, 2008
Secunia PSI Windows Security Tool

A useful security tool has been released by Secunia for keeping track of updates for software running on Windows. The tool, Secunia Personal Software Inspector, examines a computer for software in its database, determines the software version, and alerts you if there are updates. This could be an invaluable tool for ensuring that software is up-to-date.
Secunia PSI is licensed freely for private use. Secunia NSI (the business version) does have a cost. More information is available at http://psi.secunia.com/.


May 15, 2008
SSH Attacks on the Rise

There has been an increase in brute force SSH attacks on machines on campus. This is also being reported by SANS in their Handler's Diary. If you have port 22 open through the campus firewall for any of your machines, this would be a good time to review the security settings on the server.


07 May 2008
New phishing scam on campus

If you receive e-mail asking you to "CONFIRM YOUR TAMU.EDU EMAIL ACCOUNT IMMEDIATELY!!!", please delete it. As a reminder, we will never ask you to e-mail us your password.

Update 6:00pm
Another phish has been reported, "*****Help Maintainance*****".

As a reminder, please never send sensitive information over e-mail. Thank you for reporting these scams to us.


Check your webservers
28 March 2008

There is a massive web server compromise effort that has been building for about two weeks now. Please use our self-service scanner and check your web server for vulnerabilities.

Some very high profile web sites have fallen victim to this "IFrame Attack." Below are some links to articles describing the extent of the attack.

So far, we're not aware of any compromised servers on campus. Please contact us if you need assistance checking your web server, or if you think you might have been compromised.


TAMU Account Phishing Spam being seen on Campus
18 March 2008

A new variant of this phishing message has been seen on campus. While this one does not seem to be as widespread, please be aware of it. Again, this is not a valid Texas A&M University email, and a response should not be sent.

Here is the message text:

This is not a hoax, as hackers have penetrated to our server. This make
us to warn users to change their password, we checked your account and
found out that you did not change your password. With this Tamu have
decided to manually change the passwords of users, but first have to
confirm users.

You are therfore require to fill the form below

Username: (*******************)

Password: (*******************)current password

Password: (*******************) your desire new password.

   Regards

Tamu Support Team



12 March 2008

Another new phishing email was first seen today. This, again, is not a valid email, and you should not respond with any personal information. This spam appears to come from the 'TAMU Support Team' and has the following subject line:

Subject: Confirm Your Email Address

and the following text:

Dear User,

 We wrote to you on 28th February 2008 advising that you change the
 password on your account in order to prevent any unauthorised
 account access following the network intrusion we previously
 communicated.

 we have found the vulnerability that caused this issue, and have
 instigated a system wide security audit to improve and enhance our
 current security, in order to continue using our services you are
 require
 to update you account details below.

 To complete your account verification, you must reply to this email
 immediately and enter your account details below.

 Username: (**************)
 password: (**************)

 Failure to do this will immediately render your account
 deactivated from our database.

 We apologise for the inconvenience that this will cause you during
 this
 period, but trust you understand that our primary concern is for our
 customers and for the security of their data.
 our customers are totally secure

 Tamu Support Team

This is not an email sent from Texas A&M University. Do not reply with your username and password.


06 March 2008

Email concerning Phishing Attack sent to AM-COMPADMIN mailing list

04 March 2008

We are currently seeing the following email being sent to tamu accounts. This is a phishing spam message, and was not sent by Texas A&M University. Do not respond to this message. Texas A&M University will not ask you to update your account information, or provide any personal or account information, through an email message.

The email contains the following subject line:

Subject: VERIFY YOUR TAMU.EDU EMAIL ACCOUNT NOW

and the following text:

Dear tamu.edu Email Account Owner,

This message is from tamu.edu messaging center to all tamu.edu email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused tamu.edu email account to create more space for new accounts.

To prevent your account from closing you will have to update it below so that we will know that it's a present used account.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username : .......... .....
EMAIL Password : ................
Date of Birth : .................
Country or Territory : ..........

Warning!!! Account owner that refuses to update his or her accountwithin Seven d
ays of receiving this warning will lose his or her accountpermanently.

Thank you for using tamu.edu
Warning Code:VX2G99AAJ

Thanks,
tamu.edu Team
www.tamu.edu

If you have any questions concerning this information, please send mail to security@net.tamu.edu.


New malware on campus
12 February 2008

We're receiving reports of Windows computers trying to infect other computers. It appears the computers are infected with "MS ASN1 Integer Overflow" malware. Please see Microsoft Security Bulletin MS04-007 and http://www.symantec.com/avcenter/attack_sigs/s20421.html for more details.


Microsoft Excel Vulnerability Announced
17 January 2008

A new vulnerability has been discovered in certain versions of Microsoft Office Excel, the spreadsheet application. Successful exploitation gives the attacker the same privileges as the logged-on user. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. This vulnerability can be exploited by opening a malicious Excel spreadsheet (.XLS) which was emailed as an attachment, or by visiting a Web site that is hosting a malicious Excel spreadsheet.

http://www.microsoft.com/technet/security/advisory/947563.mspx


Vulnerability Scanning for Campus Webservers
04 September 2007

The CIS Network Security Team will be performing vulnerability scans against all campus webservers which have ports open through the campus firewall. The scans will begin on Tuesday, September 4. Any webserver with ports 80, 443, 8080, 8000, or 8443 open will be scanned. The scans will be coming from 128.194.177.109 or 128.194.177.221. If you have any concerns over this activity, please contact us at security@net.tamu.edu.


19 July 2007

You've received a greeting card from ...
You've received an ecard from ...

As we reported in April, "Storm Worm" (also known as Trojan.Peacomm) is still on campus and infecting Windows computers. This time, it's in the form of "postcards" or notices asserting that your computer is infected.

If you click on the link to view your "postcard", you'll be prompted to install software. If the software is installed, your computer can be controlled remotely, and will likely begin sending spam.

The malware can disable anti-virus software.

Why can't we just block all mail from postcards.com, funnypostcards.com, etc.?

The e-mail is not really from postcards.com. It's pretending to be from there. You can look at the full e-mail headers to see the real source. An example of how one can tell this is shown here.
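As an added illustration of reading the full headers (example code written for this page, not the Security Team's own tool): the script below parses a constructed message whose From: claims postcards.com, finds the earliest Received: hop, and reports when the host that injected the mail is not in the claimed domain. All hostnames and addresses in it are made up.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, not a real capture: the From: header claims postcards.com,
# but the earliest Received: hop (the last one in the header list) shows the
# message was handed to our MX by an unrelated DSL host.
SAMPLE_MESSAGE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mail.example.edu with ESMTP id ABC123; Thu, 19 Jul 2007 10:02:11 -0500
Received: from postcards.com (dsl-198-51-100-77.isp.example.net [198.51.100.77])
\tby mx.example.edu with SMTP id XYZ789; Thu, 19 Jul 2007 10:02:09 -0500
From: "Postcards" <greetings@postcards.com>
To: user@example.edu
Subject: You've received a greeting card from a friend!

You have received a postcard. Click the link to view it.
"""

# "from <HELO name> (<reverse DNS> [<IP>])" as written by the receiving MTA.
# The HELO name is chosen by the sender; the reverse DNS and IP are recorded
# by the receiving server, so those are the values to trust.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\))?",
    re.IGNORECASE,
)


def parse_received(value):
    """Extract HELO name, reverse DNS and IP from one Received: header."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}


def originating_hop(msg):
    """Received: headers are prepended by each server, so the last one is the
    earliest hop recorded by a server we can see; anything the sender wrote
    before that can be forged outright."""
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    hops = [h for h in hops if h is not None]
    return hops[-1] if hops else None


def in_domain(name, domain):
    if not name:
        return False
    name = name.lower()
    return name == domain or name.endswith("." + domain)


def analyze(raw_message):
    """Compare the claimed From: domain with the host that injected the mail."""
    msg = email.message_from_string(raw_message)
    claimed = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    hop = originating_hop(msg)
    report = {"claimed_domain": claimed, "origin": hop, "reasons": []}
    if hop is None:
        report["reasons"].append("no parseable Received: header")
    else:
        if not in_domain(hop["rdns"], claimed):
            report["reasons"].append(
                f"injecting host {hop['rdns'] or hop['ip']} is not in {claimed}")
        if hop["helo"].lower() != (hop["rdns"] or "").lower():
            report["reasons"].append(
                f"HELO name {hop['helo']} does not match reverse DNS {hop['rdns']}")
    report["suspicious"] = bool(report["reasons"])
    return report


if __name__ == "__main__":
    for reason in analyze(SAMPLE_MESSAGE)["reasons"]:
        print(reason)
```

Only Received: lines added by servers you operate are trustworthy; the check therefore looks at the hop your own MX recorded rather than at the From: line or at any hop the sender may have fabricated below it.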

In addition to sending e-mail, the infected computers tend to send a lot of UDP packets to communicate with other servers that may be controlling the infected hosts.

As we discover infected computers, we notify the admin. We are trying to get these infected computers off the network as soon as possible. If we are unable to locate an owner, or if we receive no response, the computer will be blocked at the firewall or will have the switch port disabled.

As a reminder, please review and update your computer ownership information in NIM. (Click here for more information about NIM.)

References:
http://www.f-secure.com/v-descs/small_dam.shtml


19 July 2007

Vulnerability found in Sun's Java Runtime Environment

A new vulnerability was announced this week concerning Sun's Java Runtime Environment. Sun has already patched the flaws and stated that they are not aware of any current exploits.

Sun has released a new version of Java SE Update 2 that will address all current vulnerabilities. This update can be found at java.com. If you are running an older version of Java, you should un-install that version before installing the updated version.

The vulnerability explanation can be found in the Australian CERT Advisory. More information about the patches for these vulnerabilities can be found at SunSolve.


11 April 2007

We're seeing a lot of Windows computers infected with (as Symantec calls it) Trojan.Peacomm (also known as "Storm Worm"; Sophos is calling it W32/Dref-AF) on campus. An infected attachment arrives via e-mail with a sensational subject, such as "Fidel Castro dead" or "World War III started." When the attached program is executed, the computer becomes infected. Anti-virus software becomes disabled. The computer sends e-mail to infect more computers, and typically uses UDP (peer-to-peer) to receive updated instructions.

There are over 50,000 variants of this particular trojan, so anti-virus companies will doubtless have some problems keeping up with all known versions.

Please remember to use caution when clicking on unknown links or attachments.


02 April 2007

Microsoft has issued Security Advisory 935423, Vulnerability in Windows Animated Cursor Handling.

The problem exists because some files, including files other than animated cursors, do not undergo proper format validation before they are processed. As with many Windows vulnerabilities, exploitation of this vulnerability could allow unauthorized remote attackers to take control of your computer system.

The following platforms are vulnerable:

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista (unless you're running IE7)

Although a patch isn't available yet, several workarounds have been suggested. From the Microsoft tech bulletin:

  • Block access to malformed ANI files at network perimeters
  • Configure Outlook to display messages in plain text
  • Disable email preview pane
  • Configure Windows Explorer to use Windows Classic Folders
  • Do not follow unsolicited links

References:

CERT: http://www.kb.cert.org/vuls/id/191609,
McAfee: http://www.avertlabs.com/research/blog/?p=230


Update: February 28, 2007

Unauthorized Access Attempt on University Accounts
Texas A&M University authorities announced today that an attempt has been made to gain unauthorized access to electronic files containing encrypted passwords to some university accounts, but not affecting the financial, payroll or student administrative systems.


Update: February 16, 2007

Recently, we have seen a large number of machines compromised and scanning the NetBIOS port (TCP 139) as a result of the compromise. The infection appears to be caused by a variant of W32.Spybot.Worm. Hosts which we discover are port scanning are being blocked at the campus firewall to prevent off-campus scanning, and the administrators are contacted.

The removal tool for this worm can be found at: http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99&tabid=3.

This is an older worm, so this is again a good time to ensure that all machines you administer are up to date on both virus protection and patches.


Update: January 25, 2007
It was recently revealed that when updating to patched versions of Sun Java, older, vulnerable versions of the software are not uninstalled. This leaves the machine open to a compromise. Sun has released instructions to remove the Windows Java Runtime Environment at http://java.com/en/download/help/5000010800.xml.

It is recommended that you ensure that the old versions of Java are removed from your system.

Also, a new version of Java is available. This is Java Runtime Environment Version 5.0 Update 10 for Windows. To update to the new version, visit: http://www.java.com/en/download/index.jsp


Update: January 18, 2007
With the first day of classes came many infected computers. From what we've heard, these are still mostly variants of the Lokkest virus.

Computers not running Symantec are getting infected. Lokkest also spreads via Instant Messages, SQL, infected e-mail attachments, etc. If you're running McAfee, you'll need to be sure you're running the latest definition file (DAT 4942 as of today) to catch this (netadp) process.

Steps to remove the virus can be found at: http://www.symantec.com/security_response/writeup.jsp?docid=2007-010423-0817-99&tabid=3.

This is also a good time to ensure that all machines you administer are up to date on both virus protection and patches.


Update: January 5, 2007
Many machines on campus were infected today with the Lokkest virus. This is a mass mailing worm infecting Windows hosts. It will also disable anti-virus software.

Steps to remove the virus can be found at: http://www.symantec.com/security_response/writeup.jsp?docid=2007-010423-0817-99&tabid=3.

This is also a good time to ensure that all machines you administer are up to date on both virus protection and patches.


17 August, 2006 - W32.Wargbot
If you didn't patch your Windows machine as described below, it may be infected with Wargbot.

09 August, 2006 - Microsoft Patch Tuesday
Microsoft "patch Tuesday" is upon us again, and many folks (e.g., http://isc.sans.org/) are expressing concern about this batch of vulnerabilities, particularly the one patched by MS06-040.

There are some helpful hints regarding patch installation in one of the ISC Handler's Diary articles.

The full list of patches released by Microsoft includes 9 "critical" and 3 "important" patches for IE, Office, Windows, MSN Messenger, JPEG Processing, and for Virtual PC for Mac. A link to Microsoft's latest patch announcement is available here.


24 May 2006 -- Postcards
Please don't open the "postcards" that are going around this week. As you might expect (if you're reading our page to check on it), you'll get infected... If you look closely at the source, you'll see you're being directed to view a file called "postcards.gif.exe". Sample e-mail message:

Hello friend !
You have just received a postcard from someone who cares about you!

This is a part of the message:
"Hi there! It has been a long time since I haven't heared about you!
I've just found out about this service from Sharon, a friend of mine who also told me that..."
If you'd like to see the rest of the message click here (link removed) to receive your animated postcard!

===================
Thank you for using www.yourpostcard.com 's services !!!
Please take this opportunity to let your friends hear about us by sending them a postcard from our collection !
==================


Update: 28 March 2006

sendmail vulnerability

Summary: Computers running Sendmail 8.13.5 and earlier are vulnerable to a remote exploit, which could lead to exposure, deletion, or modification of programs and data on the affected system, interference with or interception of email delivery, and potentially unauthorized access to other systems in the network. Please contact us if you have questions about whether your computer is at risk. We are conducting a vulnerability scan to identify vulnerable sendmail servers. To gather some information about OS versions, we are also checking some other ports, including ports 21, 22, 23, 25, and 80.
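Added example, not the Security Team's scanner: an administrator who already has the SMTP greeting banners of the mail servers they run can sort them against the "8.13.5 and earlier" cut-off stated above with the helper below. The banners and hostnames in it are constructed for the example.

```python
import re

# Sendmail greets with "220 <host> ESMTP Sendmail <version>/<config version>; <date>".
SENDMAIL_RE = re.compile(r"\bSendmail (\d+)\.(\d+)\.(\d+)")

# Highest release the announcement lists as affected (8.13.5 and earlier).
LAST_VULNERABLE = (8, 13, 5)

# Constructed sample banners, not real scan output.
SAMPLE_BANNERS = {
    "mail1.example.edu": "220 mail1.example.edu ESMTP Sendmail 8.13.5/8.13.5; Tue, 28 Mar 2006 09:00:00 -0600",
    "mail2.example.edu": "220 mail2.example.edu ESMTP Sendmail 8.13.6/8.13.6; Tue, 28 Mar 2006 09:00:01 -0600",
    "mail3.example.edu": "220 mail3.example.edu ESMTP Sendmail 8.12.11.20060308/8.12.11; Tue, 28 Mar 2006 09:00:02 -0600",
    "mail4.example.edu": "220 mail4.example.edu ESMTP Postfix",
}


def sendmail_version(banner):
    """Return the (major, minor, patch) tuple, or None if this is not a Sendmail banner."""
    m = SENDMAIL_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(banner):
    """'vulnerable', 'patched', or 'unknown' (not Sendmail, or version hidden)."""
    version = sendmail_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if version <= LAST_VULNERABLE else "patched"


def triage(banners):
    """Group hostnames by classification so the vulnerable ones are contacted first."""
    groups = {"vulnerable": [], "patched": [], "unknown": []}
    for host, banner in banners.items():
        groups[classify(banner)].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_BANNERS).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Vendor packages often backport the fix without changing the advertised version, so a "vulnerable" banner means "confirm with the package manager", not "confirmed exploitable".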


Nyxem.E worm activates on February 3
Aliases: Blackworm, Kamasutra, W32.Blackmal.E@mm, W32/Mywife.d

The Nyxem.E worm is a mass mailing worm that can also spread through file shares. It will attempt to disable security and file sharing software, and destroy files with certain filename extensions. If a machine is infected with this worm, the file overwrites will begin tomorrow and repeat on every third day of each month.

Please ensure that anti-virus software is up to date with the latest definitions. Also, Symantec has designed a Removal Tool to remove infections from this worm.

Further information:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html
http://vil.nai.com/vil/content/v_138027.htm
http://www.f-secure.com/v-descs/nyxem_e.shtml


Update -- Win32/Brepibot spreading on TAMU campus
01/31/2006 11:45

Several machines on campus have recently been infected with the W32/Brepibot virus. This is a mass-mailing virus, and one variant was designed to contact IRC servers and provide information about the infected system. The subject and text of the email may vary, depending on the variant, but the attachment with the email will be photo and article.exe.

http://vil.nai.com/vil/content/v_133091.htm


Update -- Win32/OutsBot detected on many college campuses
01/27/2007 14:30

Many college campuses are reporting messages being received with various headers relating to campus rape. These messages contain forged headers, and appear to be from machines infected with the Win32/OutsBot virus. The message asks that you view the attached picture to help identify the 'suspect'. This attachment will then infect the computer.

We have seen evidence in our campus firewall logs that these emails are being sent to campus, but have not yet received reports of anyone being infected. Please be aware of this message, and let us know if you become aware of an infected machine on campus.

Update -- 01/05/2006
Security Bulletin MS06-001 Released
01/05/2006
Microsoft has released Security Bulletin MS06-001. This is in response to the recent vulnerability found in the Windows Meta File (WMF) code in the Windows Operating Systems (see below). This update should be applied as soon as possible. Visit the link above, or visit Windows Update to apply the latest updates.

Microsoft's Security update for WMF Vulnerability

Microsoft Security Advisory (912840)
01/02/2006
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

AFFECTED PLATFORMS:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98
Microsoft Windows 98 Second Edition (SE)
Microsoft Windows Millennium Edition (ME)

As most of you are probably already aware, a new vulnerability has been discovered in Windows' graphics rendering engine. Detailed exploit code for this vulnerability has been made publicly available. The vulnerability allows an attacker to execute arbitrary code on a system by means of a specially crafted Windows Metafile (WMF) image hosted on a web site or distributed via e-mail. Microsoft is currently investigating this vulnerability. More information and suggested mitigating actions can be found in the following Microsoft Security Advisory:

http://www.microsoft.com/technet/security/advisory/912840.mspx

Microsoft suggests that users un-register the Windows Picture and Fax Viewer on Windows XP SP1, Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1. It is important to note that this workaround will not correct the underlying vulnerability. It will, however, help limit exposure to the vulnerability. We are aware that at least one third-party patch is available for this vulnerability. It is our recommendation that users install only official Microsoft patches.

The network security group is in the process of evaluating and installing rules on our IDS and NetSQUID systems to detect crafted WMF files that attempt to exploit this vulnerability.

-Daryl


11/22/2005

There has been an increase in attempts (some successful) to deface tamu.edu web pages.

We've learned that when attention is directed to a domain (because of a published compromise), the hacker community tends to focus attention and effort on attacking the domain until something else comes along.

tamu.edu appears to be the object of hacker attention.

Several web pages have been defaced. Most of this activity occurred during the day Monday. In all cases but one complex one (in which the analysis is ongoing), we have identified the off-campus host originating the compromise, and the tamu admin has worked with us to correct the problem.

One other incident occurred because vulnerable phpBB (forum) software allowed a tamu.edu host to be used to initiate paypal phishing e-mail.

Here are some details that may be beneficial to other admins:

SSL and Mambo content manager vulnerabilities (for which patches exist) have been exploited. One admin thinks one of his users had a password sniffed while using one of the un-encrypted protocols (possibly FTP). Another admin reported two security patches were installed "but not finished".

Affected operating systems include Solaris, Windows 2000, Linux, and Mac OS X.

The Network Group has begun the process of scanning every host on campus--not just those with services open through the firewall--and has already begun working with admins to address vulnerabilities. The goal is to get us into a state where we can scan automatically and have only the latest issues to deal with, but that plan also relies on the cooperation and participation of the admins on campus (or intervention from us, which we would like to avoid).

The owner of any host can visit our self-service web page at https://scan.tamu.edu/ to initiate their own vulnerability scan.

Thanks for your patience and help as we go through this process.

Ellen

Update - Unwanted Pop-ups
11/06/2005

We've noticed a number of sites (off-campus) sending unwanted pop-up messages to campus. These arrive on UDP ports 1028, 1029, and 1030. Previously, senders of unwanted pop-ups talked to UDP port 135 before sending the message to another UDP port (and we blocked UDP 135 at the firewall because of this), but now people have figured out they can try ports 1028-1030 blindly without talking to 135 first. Because other legitimate applications also use these UDP ports, we are not blocking the ports at this time, but we're blocking any IP addresses off campus that we see sending these pop-up messages.

Example messages are similar to, "A problem has been detected in your windows registry. A full scan is recommended. Visit http://some.web.site/ to fix this problem."

If you notice unwanted pop-up messages on any of your computers, please drop us a line to let us know.

Update - Campus Firewall Change Complete
10/20/2005

All protocols that pass passwords in plain text through the campus firewall have now been blocked. These protocols include Telnet, FTP, POP and IMAP. More information on this change can be found here. If you are experiencing a problem that you feel is related to this change, please send mail to firewall@tamu.edu.

Update -- Microsoft Patch Tuesday
10/11/2005

Microsoft users, please regard the Microsoft Security Bulletin for October, 2005. One of the three critical updates is for Internet Explorer. Another "important" update to Windows Shell Code is necessary to prevent remote users from being able to "take complete control of the affected system." As always, please patch your computers to prevent the predicted upcoming spread of worms and viruses on campus.

Update -- AIM viruses
10/05/2005

Please beware that viruses now spread through AIM and other messaging services. Don't be tempted to click on links promising "pictures at the beach" or other "OMG Look!" links you might find in profiles. Many of the infected files have a file extension of ".pif". We will begin updating our NetSQUID boxes to look for connections to known bad links and block infected users if possible.

Update -- attempted logins via ssh
09/24/2005

We continue to see and block off-campus hosts which are trying to login via ssh.

Update -- Web Server Defacements
09/13/2005

There is currently increased hacking activity directed at Apache web servers running on Linux hosts. This activity has mainly resulted in defaced web sites. One web site on the TAMU campus has been defaced as a result of this. Make sure your Operating Systems and Apache web servers are fully patched and up to date.

Update -- 09/05/2005
Thank you all for helping to get your machines patched as the semester begins. I think it really helped contribute to a smooth start. We've received two reports so far today about "electronic postcards". "You have received a virtual greeting from a friend!" When you go visit the postcard site, you're asked to download an .exe file. Beware, it's probably something that will infect your computer.

Update - 08/18/2005
Adobe Acrobat/Reader vulnerability:
There is a possibility that a specially crafted .pdf file can cause Acrobat/Reader to crash and may permit someone to execute arbitrary commands on your computer. Announcement

Update -- 08/18/2005
Plug and Play patch (MS05-039) for 2000, Server 2003, XP (various patch levels). The vulnerability could be exploited by users with accounts on your computer, locally or remotely, depending on your current OS and patch level. The exploit/service involves the use of TCP ports 139 and 445, which are not opened by default on the campus firewall.

Current Exploits of this vulnerability:

Update - 08/15/2005
Note on Zotob worm:
Reports from people off campus are that the zotob worm (to exploit MS05-039, see below) can cause unpatched Win2K machines to reboot.

Update - 08/12/2005
Ready for Fall semester?
There are several new vulnerabilities and exploits out. Please patch your computers if you haven't already done so!

IE patch (MS05-038) for Microsoft Internet Explorer 5.01 SP4, 5.5 SP2, 6, and 6 SP1.

VERITAS [Symantec] Backup Exec Remote agent for Windows Servers. This product uses the Network Data Management Protocol (NDMP), which listens on TCP port 10000. This port is not open through the campus firewall by default, but if you're running this software, be aware that exploits have been seen on the Internet. We have noticed an increase in scanning for port 10000.

Update - 08/08/2005
Change in TAMU Campus Firewall Configuration
Beginning September 1, 2005, services which use insecure protocols will no longer be allowed to pass through the campus firewall. These services include telnet, ftp, imap and pop. Please see the announcement for more information and updates to this change.

Update - 07/12/2005
We continue to block hosts trying to guess passwords over ssh. Also, we are blocking hosts which are performing SQL and port 445 scanning. Notices are sent to the affected administrators.

Update - 06/30/2005
"mytob" continues to be the most popular infection on PCs. We're not seeing any other wide-spread or significant infection/compromises. Please see the Past TAMU Security Announcements for more information.

Update -- 05/18/2005
New phpBB vulnerability discovered
The vulnerability is caused by an unspecified error in the URL and BB code handling functions. To resolve this issue, update to version 2.0.15 at http://www.phpbb.com/downloads.php

More Information:
http://secunia.com/advisories/15298/

Update -- 05/02/2005
New Sober Worm Variant Released
A new variant of the Sober worm is currently spreading on campus. This is the W32/Sober.p@MM worm. This is a mass mailing worm which spoofs the 'From:' line. The subject line will be:

Subject: Your Password

The body of the message will state:

Account and Password Information at attached!!

and contain an AntiVirus notice at the bottom of the message. The attachment will be a .zip file.

A Removal tool is available at http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.removal.tool.html.

For further information, please see:

http://www.symantec.com/avcenter/venc/data/w32.sober.p@mm.html
http://vil.nai.com/vil/content/v_133409.htm

Update - 05/16/2005 -- Sober.Q
A version of the Sober worm is spreading German spam. More information can be found at:

http://vil.nai.com/vil/content/v_133684.htm

Update -- 03/23/2005
PLATFORM: Windows, Linux, Apache, IIS, PHP

NOTICE: A host on campus was compromised by a several-months-old vulnerability in phpbb (a free web server bulletin board). This package has had multiple vulnerabilities, and it has been reported that a tool exists to assist locating and compromising hosts running vulnerable phpbb versions.

phpbb uses PHP, but is an additional piece of code. If you're using the phpbb package, please be sure you're running version 2.0.13. The web page for phpbb is http://www.phpbb.com/.

If you have a host on campus with port 80 open, we are re-scanning for vulnerabilities. You can check the firewall configuration of hosts that you own in NIM at https://firewall.tamu.edu/ . Please e-mail firewall@tamu.edu if you have firewall questions.

REFERENCE: http://www.kb.cert.org/vuls/id/497400


Update -- 04/13/2005
Microsoft Security Bulletin for April 2005 Released
Microsoft has released a Security Bulletin Summary for April, 2005. This summary contains several bulletins that address vulnerabilities in various Windows applications and components. Exploitation of some of these vulnerabilities can allow a remote attacker to execute arbitrary code.

Update -- 04/02/2005
Many of you have noticed unauthorized login attempts from off campus via ssh. We have started blocking these hosts at our firewall. So far today we have blocked a "rr.com" host, a "savvis.net" host, and a host from Korea. Accounts such as "root", "admin", "guest", "www", and "test" are targeted, as well as a dictionary of other names such as "patrick", "cliff", and so on. The attempts usually try a list of common passwords and try to gain access to your system. If you notice any of these attempts in your logs, you can mail us, but we'll be watching for them using some of our network software tools.
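As an added illustration (not part of the original announcement), the following Python script shows how an administrator could spot the pattern described above in their own sshd logs before mailing them in: it parses the "Failed password" lines OpenSSH writes to the auth log, groups them by source address, and flags any source that fails more than a threshold number of times inside a short window, listing the account names it tried. The log lines, host name, process ids and addresses are constructed samples (the addresses come from the RFC 5737 documentation ranges), not real hosts or captures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of an OpenSSH auth log in syslog format. Host name, PIDs
# and source addresses are made up; the addresses are documentation-range
# addresses and do not belong to any real host.
SAMPLE_LOG = """\
Apr  2 03:14:01 host sshd[2311]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr  2 03:14:03 host sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Apr  2 03:14:05 host sshd[2315]: Failed password for invalid user guest from 203.0.113.7 port 40114 ssh2
Apr  2 03:14:07 host sshd[2317]: Failed password for invalid user www from 203.0.113.7 port 40115 ssh2
Apr  2 03:14:09 host sshd[2319]: Failed password for invalid user test from 203.0.113.7 port 40116 ssh2
Apr  2 03:14:11 host sshd[2321]: Failed password for invalid user patrick from 203.0.113.7 port 40117 ssh2
Apr  2 03:14:13 host sshd[2323]: Failed password for invalid user cliff from 203.0.113.7 port 40118 ssh2
Apr  2 03:20:44 host sshd[2400]: Failed password for alice from 198.51.100.22 port 51020 ssh2
Apr  2 03:20:50 host sshd[2402]: Accepted password for alice from 198.51.100.22 port 51020 ssh2
Apr  2 09:01:00 host sshd[3100]: Failed password for root from 192.0.2.9 port 33001 ssh2
Apr  2 17:45:00 host sshd[4200]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# Matches both the "Failed password for root ..." and the
# "Failed password for invalid user admin ..." forms written by sshd.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Yield (timestamp, username, source_ip) for every failed-password line.
    Syslog lines carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def find_bruteforcers(log_text, threshold=5, window_seconds=600):
    """Return {source_ip: sorted usernames tried} for every source that
    produced at least `threshold` failures inside some span of
    `window_seconds`. A user mistyping a password a couple of times stays
    below the threshold; a dictionary run does not."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        per_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        # Sliding window over every run of `threshold` consecutive failures.
        for i in range(len(events) - threshold + 1):
            span = (events[i + threshold - 1][0] - events[i][0]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} accounts tried: {', '.join(users)}")
```

With the defaults (five failures within ten minutes) only the dictionary run from 203.0.113.7 is reported; the single failure from the legitimate user and the two widely spaced root attempts from 192.0.2.9 stay below the threshold, which is the trade-off to tune when turning this into an alert.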


Update - October 29, 2004
New Beagle Variant Released - W32.Beagle.AV@mm

A new variant of the Beagle (Bagle) virus is currently spreading on campus. This is W32.Beagle.AV@mm (Symantec) or W32/Bagle.bb@mm (McAfee). This is a mass mailing worm which again spoofs the 'From:' line. The subject line will be:

  • Re:
  • Re: Hello
  • Re: Thank you!
  • Re: Thanks :)
  • Re: Hi
The attachment will be 'Price' or 'Joke'. This variant will open port 81 for listening on a victimized machine. It will also terminate Anti-Virus/Security products.

http://www.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html
http://vil.nai.com/vil/content/v_129509.htm


Update - September 28, 2004
New Beagle Variant Released - W32.Beagle.AR@mm

A new variant of the Beagle (Bagle) virus is currently spreading on campus. This is W32.Beagle.AR@mm (Symantec) or W32/Bagle.az@mm (McAfee). This is a mass mailing worm which again spoofs the 'From:' line. The subject line will be:

  • Re:
  • Re: Hello
  • Re: Thank you!
  • Re: Thanks :)
  • Re: Hi
The attachment will be 'Price' or 'Joke'. This attachment is a downloader, meaning that it fetches the actual malicious code from an external source.

For more information:
http://www.symantec.com/avcenter/venc/data/w32.beagle.ar@mm.html
http://vil.nai.com/vil/content/v_128582.htm


Update - September 15, 2004
Microsoft Patch Released for JPEG Graphics Format Handling

Microsoft has released a patch for a major security flaw in its handling of JPEG graphics formats. A buffer overflow vulnerability in the Microsoft Windows GDI+JPEG parsing component could allow a remote attacker to execute arbitrary code on a vulnerable system by introducing a specially crafted JPEG file. This file can be introduced to a system through a malicious web page, HTML email, or an email attachment.

The patch to apply is described in Microsoft Security Bulletin MS04-028.

For more information:
http://www.kb.cert.org/vuls/id/297462
http://news.zdnet.com/2100-1009_22-5366314.html
http://www.symantec.com/avcenter/security/Content/11173.html


Update - 08/03/2004

PuTTY vulnerability

For those of you who use PuTTY as an SSH client:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

2004-08-03 SECURITY HOLE, fixed in PuTTY 0.55

"PuTTY 0.55, released today, fixes a serious security hole which may allow a server to execute code of its choice on a PuTTY client connecting to it. In SSH2, the attack can be performed before host key verification, meaning that even if you trust the server you think you are connecting to, a different machine could be impersonating it and could launch the attack before you could tell the difference. We recommend everybody upgrade to 0.55 as soon as possible."


Update - 07/19/2004

Variant of Beagle Spreading on Campus - W32/Bagle.ai@MM
Symantec is referring to this variant as W32.Beagle.AG@mm

A variant of the Beagle virus is currently spreading on campus. It is not being detected by most virus detection software right now, and it looks like it may be a new variant called Beagle.AI. This is a mass mailing worm that will spoof the From: address and will have the following subject line:

Re:

It also has been reported to possibly open a backdoor on TCP port 1080 and will shut down virus protection processes on an infected machine.

http://vil.nai.com/vil/content/v_126798.htm
http://www.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html

Removal Tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html


Update - 07/26/2004

Variant of MyDoom.

We've received a lot of questions about this one today. The following message with an attached .zip file is not from us:

Dear user (valid-username)@tamu.edu,

Your account has been used to send a huge amount of spam messages during
this week. Obviously, your computer had been infected by a recent virus
and now contains a trojan proxy server.

Please follow the instruction in the attached file in order to keep your
computer safe.

Best wishes,
The tamu.edu support team.

This is a variant of MyDoom. For more information on this mass-mailer, please see the following:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html


Update - 07/14/2004

Microsoft Security Bulletins
Microsoft has released a series of Security Bulletins. Several of these have a risk rating of Critical. The bulletins are MS04-018 - MS04-024. It is recommended that all affected Microsoft machines be patched as soon as possible. For a full listing of these patches, and more information, see:

http://www.microsoft.com/technet/security/current.aspx

New Virus -- W32.Atak@mm

The atak worm is a mass-mailing worm that spreads by sending itself to email addresses gathered from an infected machine. The email will contain the following characteristics:

Subject:

  • Read the Result!
  • Important Data!

Message:
Authorized Researcher Only.

Attachment:
A .zip file that includes a copy of the worm

http://www.symantec.com/avcenter/venc/data/w32.atak@mm.html
http://vil.nai.com/vil/content/v_126679.htm

Update - 06/25/2004
IIS 5 Web Server Compromises

Activity is currently spreading that affects web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites using Internet Explorer. JavaScript containing malicious code that affects the end-user system is appended to the bottom of the compromised sites' web pages. The web sites do not appear to be compromised or defaced; the HTML source code must be viewed to find evidence of the attack.

Many anti-virus programs cannot detect this code. Those that do detect it identify it as 'JS.Scob.Trojan'.

At this time there is no known patch. However, users can disable JavaScript to avoid the problem. IIS 5 administrators should check their web sites for signs of added JavaScript code.

http://www.us-cert.gov/current/current_activity.html#iis5
http://zdnet.com.com/2100-1105_2-5247187.html?tag=zdfd.newsfeed

http://isc.sans.org/diary.php?isc=d9606e39e451c3e609bffa96e6057e53
http://isc.sans.org/diary.php?date=2004-06-24

http://www.microsoft.com/security/incident/download_ject.mspx
http://www.f-secure.com/v-descs/scob.shtml
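The advice above is to look at the HTML source for added JavaScript. As an added example that is not part of the original announcement, the following Python script performs that check over a document root: it reports every .htm/.html file whose content after the final closing </html> tag contains a script tag, which is the "appended to the bottom of web pages" pattern described, while leaving scripts that legitimately sit inside the page alone. The two sample pages and the directory layout are constructed for the demonstration; the script block in the tampered sample is an inert placeholder, not the actual injected code.

```python
import re
import tempfile
from pathlib import Path

# Anything after the final closing </html> tag is suspect; a script tag
# there matches the pattern of code appended to the bottom of a page.
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)

# Constructed sample pages (not real site content). The clean page keeps a
# legitimate script inside <body>, which must not be reported.
CLEAN_PAGE = (
    "<html><head><title>Department</title></head>\n"
    "<body><p>Welcome</p><script>/* legitimate, inside body */</script></body></html>\n"
)
# Same page with a script block appended after </html>; the body of that
# script is an inert placeholder standing in for whatever was added.
TAMPERED_PAGE = CLEAN_PAGE + "<script>/* appended placeholder */</script>\n"


def find_trailing_script(html):
    """Return the text following the last </html> tag if it contains a
    <script> tag, otherwise None. A page with no closing tag is reported as
    None as well, because there is no trailing region to judge."""
    ends = list(HTML_END_RE.finditer(html))
    if not ends:
        return None
    tail = html[ends[-1].end():]
    return tail.strip() if SCRIPT_RE.search(tail) else None


def scan_directory(root):
    """Walk a document root and return {relative path: trailing script text}
    for every .htm/.html file whose trailing region contains a script tag."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.htm*")):
        if not path.is_file():
            continue
        hit = find_trailing_script(path.read_text(errors="replace"))
        if hit is not None:
            findings[path.relative_to(root).as_posix()] = hit
    return findings


def demo():
    """Write the two sample pages into a temporary document root, scan it and
    return the findings, so the scanner can be exercised offline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(CLEAN_PAGE)
        (root / "news").mkdir()
        (root / "news" / "story.htm").write_text(TAMPERED_PAGE)
        return scan_directory(root)


if __name__ == "__main__":
    for path, text in demo().items():
        print(f"{path}: script appended after </html>: {text!r}")
```

Run `scan_directory` against the real document root (for example the IIS wwwroot folder) rather than `demo()`; on a site with many pages, diffing the results against a copy taken before the incident is a stronger check than the trailing-script heuristic alone.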


Update -- 05/14/2004

The Sasser worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems. If you are seeing lots of connections to port 445 (and possibly 5554 and 9996), you may be seeing traffic from an infected host. For more information on detecting and removing the worm from Windows computers, see
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
http://vil.nai.com/vil/content/v_125008.htm

Prevention: Patch systems and/or disable IIS. Report infected Texas A&M hosts to us by mailing logs and time zone information to security@net.tamu.edu.


Update -- 04/27/2004

Multiple Virus on Campus

The Phatbot/Agobot worm is currently spreading across campus. It scans for NETBIOS shares and exploits common names/passwords for access. Propagation is also achieved through unpatched Windows boxes with the WebDAV, DCOM and Windows Workstation service vulnerabilities.

There are currently many variants of several different viruses spreading on campus right now. These viruses include Netsky (C-Z), MyDoom (A-G), and Beagle (A-W). More information and patches for the variants we are seeing the most can be found on the viruses page.

If you feel you may be infected, and are not sure how to check your machine, a good tool is Stinger from McAfee. This link will explain the tool and also show the viruses it searches for and removes.


Update -- 04/26/2004

IIS vulnerability being exploited

There is an attack under way on campus against Microsoft Windows systems, particularly those running SSL / https services. System owners should read and act on MS04-011 immediately:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Updated status will be posted on security.tamu.edu as/when new information is available.

03/19/2004

"Witty Worm"

A new worm has been released to exploit a vulnerability found in ISS' BlackICE products. Details about the vulnerability can be found here. The worm uses a source port of UDP 4000 in order to spread. To try to prevent the worm from spreading, we have blocked UDP port 4000 in and out of the campus firewall. If/when possible, we will add signatures for the worm to our dorm boxes to quarantine infected hosts.


Update -- 02/17/2004

New Virus -- W32/Bagle.B (Norton) or W32.Alua@mm (Symantec)

A new mass mailing email virus is spreading across campus. This virus will also open a backdoor on TCP port 8866. The email will have the following characteristics:

From: (address spoofed)
Subject: ID (random string)... thanks
Body
Yours ID (random string)
--
Thank

The attachment will be a .exe file.

Further Information:
http://vil.nai.com/vil/content/v_101030.htm
http://www.symantec.com/avcenter/venc/data/w32.alua@mm.html


Update -- 02/11/2004

Microsoft Warns of Security Flaw

Microsoft has released Security Bulletin MS04-007 documenting a security flaw in its implementation of the networking protocol Abstract Syntax Notation One (ASN.1). This code is used by many Windows applications, and if left unpatched, can allow a remote user to take control of the computer. This affects every machine running Windows NT, Windows 2000, Windows XP or Windows Server 2003.

The patch to fix this vulnerability can be found in Microsoft's Security Bulletin MS04-007. It is also a good idea at this time to check for other available updates at Microsoft Windows Update.

Further Information:
http://www.us-cert.gov/cas/techalerts/TA04-041A.html
http://www.securityfocus.com/news/8008


Update -- 01/26/2004

W32/Mydoom@MM (AKA... W32.Novarg.A@mm)

A new mass mailing worm with a spoofed 'From:' address and Subject Line. The attachment will have a varied file extension (.exe, .pif, .cmd, .scr). The message contains Unicode characters and has been sent as a binary attachment. A DDOS will be performed by infected machines against www.sco.com on February 1.

http://vil.nai.com/vil/content/v_100983.htm
http://www.f-secure.com/v-descs/novarg.shtml
http://www.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Update -- 01/28/2004

Mydoom.B
A variant of Mydoom.A. This mass emailing worm has a similar email structure and will perform a DDOS against www.microsoft.com.

http://www.f-secure.com/v-descs/mydoom_b.shtml
http://www.us-cert.gov/cas/techalerts/TA04-028A.html
http://www.symantec.com/avcenter/venc/data/w32.mydoom.b@mm.html


Update -- 01/18/2004

W32.Beagle.A (AKA "Bagle")

Symantec reports a new mass-mailing worm affecting Windows. The worm will work only until 28th of January. This worm will insert several files and registry keys on the system. It will also access remote websites, and email all contacts it can find. The emails sent by this worm will have the following characteristics:

Subject: Hi
Message:
Test =)

--
Test, yep.

Filename: .exe
Filesize: 16Kbytes

More information can be found at
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html

Update -- 01/13/2004

H.323 Vulnerability

Several vendors have reported vulnerabilities in their H.323 based Voice over Internet Protocol (VoIP) and video conferencing products. The vulnerability can be exploited with a malformed or otherwise illegally formatted call signaling message that results in a buffer overflow. The risks range from a Denial of Service to a possible remote system compromise.

Known Affected Products:

CERT Advisory (And listing of other systems affected):
http://www.cert.org/advisories/CA-2004-01.html


Update -- 11/18/2003

New Virus on Campus -- Mimail.J

Another variant of the Mimail worm has been released. This particular variant is a mass mailing worm, that also attempts to steal personal information. The worm will display a series of forms which will ask the user to enter his credit card information. This information is then sent to a pre-determined email address.

The email with the virus attached will appear to come from Do_Not_Reply@paypal.com with a subject line of IMPORTANT and a random stream of characters. The actual attachment is called InfoUpdate.exe or www.paypal.com.pif.

More information and a patch to remove the virus can be found at:

http://www.symantec.com/avcenter/venc/data/w32.mimail.j@mm.html
http://vil.nai.com/vil/content/v_100825.htm


New Virus on Campus -- Mimail

Several new variants of the Mimail email worm are spreading on campus. This worm will appear to come from james@<domain name> or john@<domain name>, e.g., james@tamu.edu. The attachment in the email is photos.zip or readnow.zip. The worm affects Microsoft systems.

This virus captures information from a user's machine and emails it to specific mail addresses. It uses its own SMTP engine to perform the mass mailing.

More information on the worm can be found at:

W32.Mimail.C@mm - http://www.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html
http://vil.nai.com/vil/content/v_100795.htm
w32.Mimail.D@mm - http://www.symantec.com/avcenter/venc/data/w32.mimail.d@mm.html
W32.Mimail.E@mm - http://www.symantec.com/avcenter/venc/data/w32.mimail.e@mm.html
http://vil.nai.com/vil/content/v_100797.htm


Update -- 10/02/2003

Multiple Vulnerabilities in SSL/TLS Implementations

CERT has released an advisory (CA-2003-26) concerning multiple vulnerabilities found in OpenSSL versions prior to 0.9.7c and 0.9.6k, multiple SSL/TLS implementations and SSLeay library. These vulnerabilities occur primarily in ASN.1 parsing code and could allow an attacker to execute arbitrary code.

To remove the vulnerability, upgrade OpenSSL or apply a patch. More information and links to the new versions can be found below.

http://www.cert.org/advisories/CA-2003-26.html


Update -- 10/02/2003

New Trojan Released -- QHosts-1 (McAfee)

Trojan.Qhosts (Symantec) is a trojan that modifies the TCP/IP settings of an infected machine to point to a different DNS server. When the browser makes a request, name lookups are routed to those specific DNS servers, so whoever controls them can direct the user to a page of their choosing.

Trojans do not self-replicate; this one must be spread manually as an executable. It relies on an Internet Explorer vulnerability to get installed on the local system.

http://vil.nai.com/vil/content/v_100719.htm
http://www.symantec.com/avcenter/venc/data/trojan.qhosts.html


Update -- 09/16/2003

OpenSSH Vulnerability Announced

All versions of OpenSSH prior to 3.7 contain a buffer management error. To fix this error, upgrade to version 3.7 or apply a patch found at:

http://www.openssh.com/txt/buffer.adv


Update -- 09/11/2003

New Microsoft Bulletin Released -- RPCSS Vulnerabilities

Microsoft has released Bulletin MS03-039 in reaction to three new vulnerabilities. Two of these vulnerabilities are remotely exploitable buffer overflows that may allow an attacker to execute arbitrary code. The third vulnerability could allow an attacker to cause a denial of service.

This bulletin applies to Windows NT, 2000, XP and Server 2003. The vulnerability lies in the Microsoft RPCSS service that manages Remote Procedure Calls (RPC).

For more information:
http://www.cert.org/advisories/CA-2003-23.html
http://www.securiteam.com/securitynews/5LP0B0AB5C.html


Update -- 09/10/2003

New Virus on Campus -- W32.Randex.F

A new variant of the Randex worm has been spreading on campus. The worm is W32.Randex.F. This is a network aware worm that copies itself as the following files:

  • \Admin$\system32\NETFD32.EXE
  • \c$\winnt\system32\NETFD32.EXE

When performing a scan on your suspected infected host, be sure to search for 'All Executables'.

One other note... An option available to prevent a Randex infected machine from attacking your machine is to disable "NULL user account enumeration". This will prevent the worm from determining what accounts are on your system, and will prevent your users from being locked out.

More information can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.f.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RANDEX.F


Update -- 09/01/2003

CIS is scanning ResNet for infected Microsoft Windows systems due to the recent worms released (Blaster and Welchia). If your machine is found to be infected, the network port will be disabled. All Microsoft systems must be patched to prevent infection by these viruses.

CIS has prepared a special CD (called TAMUScan) that contains the security patches from Microsoft and McAfee anti-virus software. Copies of these CDs and instructions have been distributed in the Residence Halls. Copies of the CDs are also available at the Networking Help Desk. Copies of the instructions can be found at https://hdc.tamu.edu/tamuscan.

Also, CIS has found a large number of ResNet systems that have features enabled called 'Internet Connection Sharing' and 'DHCP'. Enabling these features causes problems for other ResNet users and must be turned off. Instructions on turning off this feature can be found at https://hdc.tamu.edu/ics.


Update -- 08/04/2003

New Virus on Campus -- W32/Mimail.A@MM

A new email worm is spreading on campus. This worm will appear to come from admin@<domain name>, e.g., admin@tamu.edu. The attachment in the email is message.zip. The worm affects Microsoft systems.

This virus captures information from a user's machine and emails it to specific mail addresses. It takes advantage of a known vulnerability and the Microsoft patch for that vulnerability can be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;330994 .

More information on the worm can be found at:

http://www.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html
http://vil.nai.com/vil/content/v_100523.htm


Update - 06/26/2003

New Virus on Campus -- W32.Sobig.E@mm

A new variant of the Sobig worm has been released. The worm is the Sobig.E worm (W32.Sobig.E@mm). This is a mass mailing worm that spreads itself to other email addresses found in specific documents on the infected machine.

The email sent out will have a varied subject line (Re: Application, Re: Movie, Re: Documents, etc... ) and will spoof the "From:" address. The attachment will be any of the following:

  • your_details.zip (contains details.pif)
  • application.zip (contains application.pif)
  • document.zip (contains document.pif)
  • screensaver.zip (contains sky.world.scr)
  • movie.zip (contains Movie.pif)

More information can be found here: http://www.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html
http://vil.nai.com/vil/content/v_100429.htm

A Removal tool can be found here: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.removal.tool.html


Update - 06/05/2003

New Virus on Campus -- W32.Bugbear.B@mm

A new variant of the Bugbear worm has been released. The worm is the Bugbear.B worm (W32.Bugbear.B@mm). This is a mass mailing, polymorphic worm that can also spread through network shares. It infects a select list of executable files, has keystroke-logging and backdoor capabilities, and will attempt to end anti-virus software processes.

The email sent out will have a varied subject line and will spoof the "From:" address. The attachment will also contain any number of varied extensions.

More information can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
http://vil.nai.com/vil/content/v_100358.htm

A removal tool can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.removal.tool.html


Update - 06/02/2003

New Virus on Campus -- W32.Sobig.C@mm

A new variant of the Sobig worm has been released. The worm is the Sobig.C worm (W32.Sobig.C@mm). It is a mass mailing worm that spreads itself to other email addresses found in specific documents on the infected machine.

The mail message could appear to be from bill@microsoft.com (or any other address as this new variant spoofs the From: email address) and will contain subject lines such as:

  • Re: Movie
  • Re: Submitted (004756-3463)
  • Re: Approved
  • Approved
  • Re: Your Application

The attachment will be a .pif or a .scr file and is executable on Windows machines. More information can be found at:

http://www.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html
http://vil.nai.com/vil/content/v_100343.htm

A removal tool can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c.removal.tool.html


Update - 05/19/2003

New Virus on Campus -- W32.Sobig.B@mm

Note - 05/20/2003
Symantec was previously referring to this virus as W32.HLLW.Mankx@mm and McAfee refers to it as W32/Palyh@MM.

A new virus has been found to be spreading through campus. The virus is the Sobig.B worm (W32.Sobig.B@mm). It is a mass mailing worm that spreads itself to other email addresses found in specific documents on the infected machine.

The mail message will appear to be from support@microsoft.com and will contain subject lines such as:

  • Approved (Ref: 38446-263)
  • Your password
  • Screensaver
  • Cool screensaver

The attachment will be a .pif file and is executable on Windows machines. More information can be found at:

http://www.symantec.com/avcenter/venc/data/w32.hllw.mankx@mm.html
http://vil.nai.com/vil/content/v_100307.htm

A removal tool can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.mankx.removal.tool.html


Update - 03/29/2003

Sendmail Vulnerability Discovered

A buffer overflow in sendmail with versions prior to 8.12.9 has been discovered. An announcement on bugtraq states that "an MTA that is not patched might be vulnerable to data that it receives from untrusted sources, which includes DNS."

The bugtraq article can be found here.
Links to the sendmail upgrade are below. Please refer to the bugtraq article for information about the MD5 signatures and the key used to create the PGP signature.

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz.sig

Update -- 03/18/2003

New Buffer Overflow Vulnerability in IIS

A buffer overflow vulnerability that affects systems running Microsoft Windows 2000 with IIS 5.0 enabled has been found. The vulnerability is an unchecked buffer in the WebDAV component of Windows 2000. An attacker could cause the server to fail or execute code on the victim's machine. More information on this vulnerability and the patch availability can be found below.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp
http://www.cert.org/advisories/CA-2003-09.html

Update - 03/04/2003

Sendmail Vulnerability Discovered
A new vulnerability has been found in the Sendmail Mail Transfer Agent. The vulnerability is due to a buffer overflow condition in the SMTP header parsing component. Exploiting it allows the attacker to gain the privileges of the sendmail daemon, normally root. Both Unix and Windows systems are vulnerable. For more information:

http://www.cert.org/advisories/CA-2003-07.html
http://www.symantec.com/avcenter/security/Content/3.3.2003.html
http://www.sendmail.org/

Update - 02/11/2003

The campus firewall default configuration has been modified so that outgoing TCP port 445 is now closed. Incoming TCP 445 was already closed. Hosts that previously had requested port 445 be opened for them will continue to have that port open (both incoming and outgoing). Future requests to open port 445 will need to be sent to firewall@tamu.edu.

Update - 02/06/2003

TCP and UDP ports 1433 and 1434 have been closed due to the Microsoft SQL Server 2000 worm. The ports will remain closed until it is confirmed that all infected hosts have been patched.

Impact to Customers: Campus hosts will not be able to communicate over tcp and udp ports 1433 and 1434 with hosts off campus.


CIS Network Security Team  -  Texas A&M University
Send comments to security@net.tamu.edu