Educause Security Discussion mailing list archives
cyber alert level raised
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Thu, 22 Apr 2004 19:24:09 -0500
In response to observed active exploit[1] of the PCT vulnerability[2], announced in Microsoft Bulletin MS04-011[3], some AV vendors have raised alert status.

The IT-ISAC reports that some IDS are "detecting and blocking attacks against many institutions. The attacks are attempting to steal data and/or break into payment systems."

US-CERT reports that it is "aware of network activity that is consistent with scanning and/or exploit attempts against this vulnerability. Reports indicate increased network traffic to ports 443/tcp and 31337/tcp. The PCT protocol runs over SSL (443/tcp) and the known exploit code connects a command shell on 31337/tcp."

REN-ISAC monitoring of port 443 traffic[4] on the Internet2 Abilene network does indicate elevated levels of activity.

According to the US-CERT overview of the vulnerability:

"A vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Exploitation of this vulnerability may permit a remote attacker to compromise the system. An exploit for this issue currently being used to compromise vulnerable systems running SSL-enabled IIS 5.0. Note the vulnerability exists in any SSL-enabled program which is running on vulnerable Windows systems. Windows 2003 Server is not affected if PCT is disabled."

MS04-11 is effective in patching against the exploit.

[1] http://www.us-cert.gov/current/current_activity.html#pct
[2] http://www.kb.cert.org/vuls/id/586540
[3] http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
[4] http://www.ren-isac.net/monitoring/port.cgi?port-443

Regards,

Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
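The US-CERT text quoted in the message pairs traffic to 443/tcp with a command shell on 31337/tcp. As an added example (not part of the original message or any vendor tooling), the sketch below correlates those two ports in flow records to list hosts worth checking for compromise. The CSV layout, the five-minute window and the sample records are assumptions constructed for illustration; because the message does not say which side opens the 31337/tcp connection, both directions are checked.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample flow records (documentation address ranges), not real traffic.
SAMPLE_FLOWS = """\
time,src,dst,proto,dport
2004-04-22T18:00:01,198.51.100.7,192.0.2.10,tcp,443
2004-04-22T18:00:04,198.51.100.7,192.0.2.10,tcp,31337
2004-04-22T18:01:10,203.0.113.5,192.0.2.20,tcp,443
2004-04-22T18:02:00,203.0.113.9,192.0.2.30,tcp,443
2004-04-22T18:02:05,192.0.2.30,203.0.113.9,tcp,31337
2004-04-22T19:30:00,203.0.113.77,192.0.2.20,tcp,31337
"""

def parse_flows(text):
    """Parse the assumed CSV layout into time-ordered tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(r["time"]), r["src"], r["dst"],
                     r["proto"].lower(), int(r["dport"])))
    return sorted(rows)

def find_suspects(flows, window=timedelta(minutes=5)):
    """Return {host: (t443, t31337, peer)} for hosts that received 443/tcp
    and were an endpoint of a 31337/tcp flow within `window` afterwards."""
    last_443 = {}  # host -> time of its most recent inbound 443/tcp flow
    hits = {}
    for t, src, dst, proto, dport in flows:
        if proto != "tcp":
            continue
        if dport == 443:
            last_443[dst] = t
        elif dport == 31337:
            # Direction is an assumption: check the SSL host as either endpoint.
            for host, peer in ((dst, src), (src, dst)):
                t443 = last_443.get(host)
                if t443 is not None and t - t443 <= window and host not in hits:
                    hits[host] = (t443, t, peer)
    return hits

if __name__ == "__main__":
    for host, (t443, t_shell, peer) in find_suspects(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: 443/tcp at {t443}, 31337/tcp at {t_shell} with {peer}")
```

A hit is a lead for host-level review and patch verification against MS04-011, not proof of compromise.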