93 lines
3.6 KiB
Plaintext
93 lines
3.6 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
|
|
CA-89:06
|
|
CERT Advisory Update
|
|
October 18, 1989
|
|
DEC/Ultrix 3.0 Systems
|
|
- -----------------------------------------------------------------------------
|
|
|
|
|
|
This is a repost of the Ultrix 3.0 advisory. We have received the sum
|
|
output for DECstations.
|
|
=============================================================================
|
|
|
|
Recently, the CERT/CC has been working with several Unix sites that have
|
|
experienced breakins. Running tftpd, accounts with guessable passwords
|
|
or no passwords, and known security holes not being patched have been the
|
|
bulk of the problems.
|
|
|
|
The intruder, once in, gains root access and replaces key programs
|
|
with ones that create log files which contain accounts and passwords in
|
|
clear text. The intruder then returns and collects the file. By using
|
|
accounts which are trusted on other systems the intruder then installs
|
|
replacement programs which start logging.
|
|
|
|
There have been many postings about the problem from several other net
|
|
users. In addition to looking for setuid root programs in users' home
|
|
directories, hidden directories '.. ' (dot dot space space), and a modified
|
|
telnet program, we have received two reports from Ultrix 3.0 sites that
|
|
the intruders are replacing the /usr/bin/login program. The Ultrix security
|
|
hole being used in these attacks is only found in Ultrix 3.0.
|
|
|
|
Suggested steps:
|
|
1) Check for a bogus /usr/bin/login. The sum program should report
|
|
the following for the DEC supplied login program.
|
|
27379 67 for VAXstation Ultrix 3.0
|
|
35559 116 for DECstation Ultrix 3.0
|
|
|
|
2) Check for a bogus /usr/etc/telnetd. The sum program should report
|
|
the following for the DEC supplied telnetd program.
|
|
23552 47 for VAXstation Ultrix 3.0
|
|
45355 84 for DECstation Ultrix 3.0
|
|
|
|
3) Look for .savacct in either /usr/etc or in users' directories.
|
|
This may be the file that the new login program creates. It
|
|
could have a different name on your system.
|
|
|
|
4) Upgrade to Ultrix 3.1 ASAP.
|
|
|
|
5) Monitor accounts for users having passwords that can be found in
|
|
the /usr/dict/words file or have simple passwords like a persons
|
|
name or their account name.
|
|
|
|
6) Search through the file system for programs that are setuid root.
|
|
|
|
7) Disable or modify the tftpd program so that anonymous access to
|
|
the file system is prevented.
|
|
|
|
If you find that a system that has been broken into, changing the password
|
|
on the compromised account is not sufficient. The intruders do remove copies
|
|
of the /etc/passwd file in order to break the remaining passwords. It is best
|
|
to change all of the passwords at one time. This will prevent the intruders
|
|
from using another account.
|
|
|
|
Please alert CERT if you do find a problem.
|
|
|
|
Thank you,
|
|
- ---------------------------------------------------------------------------
|
|
Computer Emergency Response Team (CERT)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Internet: cert@cert.org
|
|
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
|
|
7:30a.m.-6:00p.m. EST, on call for
|
|
emergencies other hours.
|
|
|
|
Past advisories and other information are available for anonymous ftp
|
|
from cert.org (192.88.209.5).
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMwcXVP+x0t4w7BAQGuoQP/XyZnaWX/wpmk0BtnKErHwEEiyh62xrz6
|
|
Bdcgzn4ncNHBAg67zOmWxWn7w5jLJMlkWRknXuo9AdHrAMJB7kTFFzCEjIqsgF40
|
|
7Rem2oBeAflMYRnJf70nZ37TW4y/5N/cVaSuP3X6UWQkEsCSnR95RRALGWbkxPz6
|
|
OV8/BmX/9lc=
|
|
=X2dc
|
|
-----END PGP SIGNATURE-----
|
|
|