118 lines
5.3 KiB
Plaintext
118 lines
5.3 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
|
|
CA-89:03
|
|
CERT Advisory
|
|
August 16, 1989
|
|
Telnet Breakin Warning
|
|
|
|
- ----------------------------------------------------------------------------
|
|
|
|
Many computers connected to the Internet have recently experienced
|
|
unauthorized system activity. Investigation shows that the activity
|
|
has occurred for several months and is spreading. Several UNIX
|
|
computers have had their "telnet" programs illicitly replaced with
|
|
versions of "telnet" which log outgoing login sessions (including
|
|
usernames and passwords to remote systems). It appears that access
|
|
has been gained to many of the machines which have appeared in some of
|
|
these session logs. (As a first step, frequent telnet users should
|
|
change their passwords immediately.) While there is no cause for
|
|
panic, there are a number of things that system administrators can do
|
|
to detect whether the security on their machines has been compromised
|
|
using this approach and to tighten security on their systems where
|
|
necessary. At a minimum, all UNIX site administrators should do the
|
|
following:
|
|
|
|
o Test telnet for unauthorized changes by using the UNIX "strings"
|
|
command to search for path/filenames of possible log files. Affected
|
|
sites have noticed that their telnet programs were logging information
|
|
in user accounts under directory names such as "..." and ".mail".
|
|
|
|
In general, we suggest that site administrators be attentive to
|
|
configuration management issues. These include the following:
|
|
|
|
|
|
o Test authenticity of critical programs - Any program with access to
|
|
the network (e.g., the TCP/IP suite) or with access to usernames and
|
|
passwords should be periodically tested for unauthorized changes.
|
|
Such a test can be done by comparing checksums of on-line copies of
|
|
these programs to checksums of original copies. (Checksums can be
|
|
calculated with the UNIX "sum" command.) Alternatively, these
|
|
programs can be periodically reloaded from original tapes.
|
|
|
|
o Privileged programs - Programs that grant privileges to users (e.g.,
|
|
setuid root programs/shells in UNIX) can be exploited to gain
|
|
unrestricted access to systems. System administrators should watch
|
|
for such programs being placed in places such as /tmp and /usr/tmp (on
|
|
UNIX systems). A common malicious practice is to place a setuid shell
|
|
(sh or csh) in the /tmp directory, thus creating a "back door" whereby
|
|
any user can gain privileged system access.
|
|
|
|
o Monitor system logs - System access logs should be periodically
|
|
scanned (e.g., via UNIX "last" command) for suspicious or unlikely
|
|
system activity.
|
|
|
|
o Terminal servers - Terminal servers with unrestricted network access
|
|
(that is, terminal servers which allow users to connect to and from
|
|
any system on the Internet) are frequently used to camouflage network
|
|
connections, making it difficult to track unauthorized activity.
|
|
Most popular terminal servers can be configured to restrict network
|
|
access to and from local hosts.
|
|
|
|
o Passwords - Guest accounts and accounts with trivial passwords
|
|
(e.g., username=password, password=none) are common targets. System
|
|
administrators should make sure that all accounts are password
|
|
protected and encourage users to use acceptable passwords as well as
|
|
to change their passwords periodically, as a general practice. For
|
|
more information on passwords, see Federal Information Processing
|
|
Standard Publication (FIPS PUB) 112, available from the National
|
|
Technical Information Service, U.S. Department of Commerce,
|
|
Springfield, VA 22161.
|
|
|
|
o Anonymous file transfer - Unrestricted file transfer access to a
|
|
system can be exploited to obtain sensitive files such as the UNIX
|
|
/etc/passwd file. If used, TFTP (Trivial File Transfer Protocol -
|
|
which requires no username/password authentication) should always be
|
|
configured to run as a non-privileged user and "chroot" to a file
|
|
structure where the remote user cannot transfer the system /etc/passwd
|
|
file. Anonymous FTP, too, should not allow the remote user to access
|
|
this file, or any other critical system file. Configuring these
|
|
facilities to "chroot" limits file access to a localized directory
|
|
structure.
|
|
|
|
o Apply fixes - Many of the old "holes" in UNIX have been closed.
|
|
Check with your vendor and install all of the latest fixes.
|
|
|
|
|
|
If system administrators do discover any unauthorized system activity,
|
|
they are urged to contact the Computer Emergency Response Team (CERT).
|
|
|
|
- -----------------------------------------------------------------------------
|
|
|
|
Computer Emergency Response Team (CERT)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Internet: cert@cert.org
|
|
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
|
|
7:30a.m.-6:00p.m. EST, on call for
|
|
emergencies other hours.
|
|
|
|
Past advisories and other information are available for anonymous ftp
|
|
from cert.org (192.88.209.5).
|
|
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMwaHVP+x0t4w7BAQEDZgP/cqyLMF6jNCb5KUyu1cvV16V5iqyr+6NU
|
|
+Bv7nAslpa68gVA2H1lAj/ckorE8TiN8Dca5L8vRi7xdb8aZdJreuhq04Ca6378R
|
|
g5heP3PfvrfFSC/uOPmKsZNEXyEKEcM3oUXp+7t0VCf/e5CmV2TOTKp83GRbaFma
|
|
6CJhBW59YnE=
|
|
=FF2b
|
|
-----END PGP SIGNATURE-----
|
|
|