EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: CVS vulnerability
From: "Jeff Hill" <[email protected]>
To: <[email protected]>
Date: Fri, 28 May 2004 15:11:11 -0600
Hopefully, none of our colleagues have exported the port of a CVS server
through their firewall. An example setup which might be likely to experience
malicious abuse would be allowing direct read only anonymous access to a CVS
server. See attached.

Jeff

>>-----BEGIN PGP SIGNED MESSAGE-----
>>
>>A DOE site reported that one of their systems was quite likely 
>>compromised through a recently announced CVS vulnerability. They 
>>discovered this because a second DOE site reported seeing probes for 
>>the vulnerability by several foreign IP addresses. Those IP addresses 
>>and the UTC times that were seen at the second site
>>are:
>>
>>
>>The three IP addresses with "*" were also seen on the compromised 
>>system at the first DOE site. The second site also reported that the 
>>sequence of CVSROOT directories tried is precisely the sequence in the 
>>exploit code which can be seen at
>>
>>http://packetstormsecurity.nl/0405-exploits/cvs_linux_freebsd_HEAP.c
>>
>>CIAC suggests that the DOE sites look for suspicious connections with 
>>these and other IP addresses to their CVS servers. Vulnerable servers 
>>can be patched according to CIAC Bulletin O-147: Linux CVS Server Heap 
>>Overflow Vulnerability.
>>
>>
>>
>>________________________________________________________________________
>>                The Computer Incident Advisory Capability
>>                           ___ __ __   _    ___
>>                          /      |    / \  /
>>                          \___ __|__ /___\ \___ 
>>______________________________________________________________________

Jeff
__________________________________________________________
Jeffrey O. Hill               Mail         [email protected]
LANL MS H820                  Voice        505 665 1831
Los Alamos NM 87545 USA       Fax          505 665 5107
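
The log review the quoted advisory suggests, sketched as an added example (not part of the original message or of the CIAC advisory): it flags sources that are on a watchlist, that reach the CVS server from outside the site, or that try many different CVSROOT directories in a short time. The log format, the addresses (documentation ranges), the CVSROOT paths, the internal network and the thresholds are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical log format (not real CVS output):
#   <UTC timestamp> <source IP> pserver root=<CVSROOT requested>
SAMPLE_LOG = """\
2004-05-23T17:43:29 198.51.100.7 pserver root=/cvs
2004-05-23T17:43:30 198.51.100.7 pserver root=/cvsroot
2004-05-23T17:43:31 198.51.100.7 pserver root=/var/cvs
2004-05-23T17:43:32 198.51.100.7 pserver root=/home/cvs
2004-05-23T18:02:10 10.1.4.22 pserver root=/cvsroot
2004-05-23T18:05:44 203.0.113.50 pserver root=/cvsroot
2004-05-23T18:05:45 garbage line that does not parse
"""
WATCHLIST = {"203.0.113.50"}                      # placeholder for advisory addresses
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed site address space
LINE = re.compile(r"^(\S+) (\S+) pserver root=(\S+)$")

def review(log_text, watchlist, internal, max_roots=3,
           window=timedelta(minutes=5)):
    """Return {source IP: set of reasons} for connections worth a closer look."""
    findings = defaultdict(set)
    recent = defaultdict(list)        # source -> [(time, root)] inside the window
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                  # skip lines that are not pserver records
        try:
            when = datetime.fromisoformat(m.group(1))
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue                  # malformed timestamp or address
        key, root = str(src), m.group(3)
        if key in watchlist:
            findings[key].add("watchlist")
        if not any(src in net for net in internal):
            findings[key].add("external")   # server reachable through the firewall
        recent[key] = [(t, r) for t, r in recent[key] if when - t <= window]
        recent[key].append((when, root))
        if len({r for _, r in recent[key]}) > max_roots:
            findings[key].add("root-sweep")  # many CVSROOT guesses from one source
    return dict(findings)

if __name__ == "__main__":
    for ip, reasons in sorted(review(SAMPLE_LOG, WATCHLIST, INTERNAL).items()):
        print(ip, ", ".join(sorted(reasons)))
```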




