<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
             /*                                                   *\
            / *                                                   * \
           / *                                                     * \
          / *                                                       * \
         / *                System Vulnerabilities                   * \
         | *                                                         * |
         | *                                                         * |
         | *                                                         * |
         | *              Another Modernz Presentation               * |
         | *                                                         * |
          \ *                       by                              * /
           \ *                   Multiphage                        * /
            \ *                                                   * /
             \ *          (C)opyright May 25th, 1992              * /
              \ *                                                */
                *********************************************************
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

*******************************************************************************
The Modernz can be contacted at:

MATRIX BBS
  WOK-NOW!
  World of Kaos NOW!
  World of Knowledge NOW!
  St. Dismis Institute
  - Sysops: Wintermute
            Digital-demon
  (908) 905-6691
  (908) WOK-NOW!
  (908) 458-xxxx
  1200/2400/4800/9600
  14400/19200/38400
  Home of Modernz Text Philez

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

TANSTAAFL
  Pheonix Modernz
  The Church of Rodney
  - Sysop: Tal Meta
  (908) 830-TANJ
  (908) 830-8265
  Home of TANJ Text Philez

<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>

CyberChat
  Sysop: Hegz
  (908)506-6651
  (908)506-7637
  300/1200/2400/4800/9600
  14400/19200/38400
  Modernz Site
  TLS HQ

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

The Global Intelligence Center
  World UASI Headquarters!
  Pennsylvania SANsite!
  (412) 475-4969 300/1200/2400/9600
  24 Hours! SysOp: The Road Warrior

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

The Lost Realm
  Western PA UASI site!
  Western PA. SANfranchise
  (412) 588-5056 300/1200/2400
  SysOp: Orion Buster

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

The Last Outpost
  PowerBBS Support Board
  UASI ALPHA Division
  NorthWestern PA UASI site!
  (412) 662-0769 300/1200/2400
  24 hours! SysOp: The Almighty Kilroy

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

Hellfire BBS
  SANctuary World Headquarters!
  New Jersey UASI site!
  (908) 495-3926 300/1200/2400
  24 hours! SysOp: Red

<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>

BlitzKreig BBS
  Home of TAP
  (502)499-8933

<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>

I. Description

The Michelangelo virus is a computer virus that affects PCs
running MS-DOS (and PC-DOS, DR-DOS, etc.) versions 2.xx and
higher. Note, however, that although the virus can only execute
on PCs running these versions of DOS, it can infect and damage PC
hard disks containing other PC operating systems including UNIX,
OS/2, and Novell. Thus, booting an infected DOS floppy disk on
a PC that has, for example, UNIX on the hard disk would infect
the hard disk and would probably prevent the UNIX disk from
booting. The virus infects floppy disk boot sectors and hard
disk master boot records (MBRs). When the user boots from an
infected floppy disk, the virus installs itself in memory and
infects the partition table of the first hard disk (if found).
Once the virus is installed, it will infect any floppy disk that
the user accesses.

Some possible, though not conclusive, symptoms of the
Michelangelo virus include a reduction in free/total memory by
2048 bytes, and some floppy disks that become unusable or display
"odd" graphic characters during "DIR" commands. Additionally,
integrity management products should report that the MBR has been
altered.

Note that the Michelangelo virus does not display any messages on
the PC screen at any time.
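As an added illustration of the MBR integrity symptom mentioned above (this script is not part of the original text or of any product it refers to), the following POSIX shell functions fingerprint the first 512-byte sector of a disk or disk image, store a baseline, and report when that sector later differs. The disk image it builds and the tampering routine are constructed for the demonstration and stand in for a real infection; on a real PC the argument would be the block device holding the MBR.

```shell
#!/bin/sh
# Added example: baseline-and-compare check for the master boot record.
# $1 is a disk device or an image file; the image below is constructed.

# CRC and byte count of the first sector, e.g. "1234567890 512".
mbr_fingerprint() {
  dd if="$1" bs=512 count=1 2>/dev/null | cksum | awk '{print $1, $2}'
}

# Record the fingerprint of a known-clean sector in a baseline file.
mbr_baseline() {    # $1 = disk or image, $2 = baseline file
  mbr_fingerprint "$1" > "$2"
}

# Compare the live sector with the baseline: 0 if unchanged, 1 if altered.
mbr_verify() {      # $1 = disk or image, $2 = baseline file
  now=$(mbr_fingerprint "$1")
  base=$(cat "$2")
  if [ "$now" = "$base" ]; then
    echo "MBR of $1 unchanged ($now)"
    return 0
  fi
  echo "ALERT: MBR of $1 altered (baseline $base, now $now)"
  return 1
}

# The two bytes at offset 510 read 55aa on a valid boot sector.
mbr_signature() {
  od -An -tx1 -j510 -N2 "$1" | tr -d ' \n'
}

# Constructed sample: a 4-sector image with a minimal boot-sector layout
# (a JMP stub at offset 0 and the 55 AA signature at offset 510).
make_sample_image() {
  dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
  printf '\353\076\220' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Stand-in for a boot-sector infection: overwrite the first three code
# bytes while leaving the 55 AA signature intact, as a real infector would.
tamper_with_mbr() {
  printf '\352\005\000' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
}

# Demonstration on the constructed image.
tmp=$(mktemp -d)
make_sample_image "$tmp/disk.img"
mbr_baseline "$tmp/disk.img" "$tmp/mbr.baseline"
mbr_verify "$tmp/disk.img" "$tmp/mbr.baseline"
tamper_with_mbr "$tmp/disk.img"
mbr_verify "$tmp/disk.img" "$tmp/mbr.baseline" || echo "restore the MBR from clean media"
rm -rf "$tmp"
```

The baseline file should be kept off the machine being checked (a write-protected floppy in 1992 terms), since a boot-sector infector running in memory can read anything on the local disk. Note that the 55 AA signature alone says nothing about integrity: the tampered image still carries it.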

II. Impact

The Michelangelo virus triggers on any March 6. On that date,
the virus overwrites critical system data, including boot and
file allocation table (FAT) records, on the boot disk (floppy or
hard), rendering the disk unusable. Recovering user data from a
disk damaged by the Michelangelo virus will be very difficult.

III. Solution

Many versions of anti-virus software released after approximately
October 1991 will detect and/or remove the Michelangelo virus.
This includes numerous commercial, shareware, and freeware
software packages. Since this virus was first detected around
the middle of 1991 (after March 6, 1991), it is crucial to use
current versions of these products, particularly those products
that search systems for known viruses.

---------------------------------------------------------------------------

===========================================================================
Internet Intruder Activity
---------------------------------------------------------------------------

This advisory contains information regarding a significant intrusion
incident on the Internet. Systems administrators should be aware that
many systems on the Internet have been compromised due to this
activity. To identify whether your systems have been affected by the
activity we recommend that all system administrators check for the
signs of intrusion detailed in this advisory.

This advisory describes the activities that have been identified as
part of this particular incident. This does not address the
possibility that systems may have been compromised due to other,
unrelated intrusion activity.

---------------------------------------------------------------------------

I. Description

The intruders gained initial access to a host by discovering a
password for a user account on the system. They then attempted
to become root on the compromised system.

II. Impact

Having gained root access on a system, the intruders installed
trojan binaries that captured account information for both
local and remote systems. They also installed set-uid root
shells to be used for easy root access.

III. Solution

A. Check your systems for signs of intrusion due to this incident.

   1. Check the su, ftpd, and ftp binaries (for example, "/bin/su",
      "/usr/ucb/ftp" and "/usr/etc/in.ftpd" on Sun systems)
      against copies from distribution media.

   2. Check for the presence of any of the following files:
      "/usr/etc/..." (dot dot dot), "/var/crash/..." (dot dot dot),
      "/usr/etc/.getwd", "/var/crash/.getwd", or
      "/usr/kvw/..." (dot dot dot).

   3. Check for the presence of "+" in the "/etc/hosts.equiv" file.

   4. Check the home directory for each entry in the "/etc/passwd"
      file for the presence of a ".rhosts" file containing
      "+ +" (plus space plus).

   5. Search the system for the presence of the following set-uid
      root files: "wtrunc" and ".a".

   6. Check for the presence of the set-uid root file "/usr/lib/lpx".
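The six checks of section A, automated as a POSIX shell script. This is an added example and is not part of the original advisory or the Modernz text. It assumes the filesystem root to inspect and a directory holding distribution copies of su, ftp and ftpd are passed as arguments; the sample tree built by make_sample_root is constructed so that each check has something to find.

```shell
#!/bin/sh
# Added example, not from the original advisory: automates the checks of
# section III.A. $1 is the filesystem root to inspect ("/" on a live
# system), $2 a directory holding distribution copies of the binaries.
# The tree built by make_sample_root below is constructed for the demo.

# A1: compare su, ftp and ftpd with the copies from distribution media.
check_binaries() {
  root=$1; dist=$2; hits=0
  for rel in bin/su usr/ucb/ftp usr/etc/in.ftpd; do
    if [ -f "$root/$rel" ] && [ -f "$dist/$rel" ] \
       && ! cmp -s "$root/$rel" "$dist/$rel"; then
      echo "WARN: $root/$rel differs from the distribution copy"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -gt 0 ]
}

# A2: the hidden files and "..." directories the intruders left behind.
check_dropped_files() {
  root=$1; hits=0
  for rel in 'usr/etc/...' 'var/crash/...' usr/etc/.getwd \
             var/crash/.getwd 'usr/kvw/...'; do
    if [ -e "$root/$rel" ]; then
      echo "WARN: $root/$rel is present"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -gt 0 ]
}

# A3: a bare "+" line in hosts.equiv trusts every host for rlogin/rsh.
check_hosts_equiv() {
  f="$1/etc/hosts.equiv"
  if [ -f "$f" ] && grep -qxF '+' "$f"; then
    echo "WARN: $f contains a '+' entry"
    return 0
  fi
  return 1
}

# A4: walk /etc/passwd and look for "+ +" in each home directory's .rhosts.
check_rhosts() {
  root=$1; hits=0
  [ -f "$root/etc/passwd" ] || return 1
  while IFS=: read -r user pw uid gid gecos home shell; do
    rh="$root$home/.rhosts"
    if [ -f "$rh" ] && grep -qxF '+ +' "$rh"; then
      echo "WARN: $rh (user $user) contains '+ +'"
      hits=$((hits + 1))
    fi
  done < "$root/etc/passwd"
  [ "$hits" -gt 0 ]
}

# A5 and A6: set-uid files named wtrunc or .a anywhere, plus /usr/lib/lpx.
# System paths are not expected to contain whitespace, so word splitting
# of the find output is acceptable here.
check_setuid() {
  root=$1; hits=0
  for f in $(find "$root" -type f -perm -4000 \
               \( -name wtrunc -o -name .a \) 2>/dev/null) \
           "$root/usr/lib/lpx"; do
    if [ -f "$f" ] && [ -u "$f" ]; then
      echo "WARN: set-uid file $f"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -gt 0 ]
}

# Run every check; the return value is the number of checks that fired.
run_checks() {
  fired=0
  check_binaries "$1" "$2" && fired=$((fired + 1))
  check_dropped_files "$1" && fired=$((fired + 1))
  check_hosts_equiv "$1"   && fired=$((fired + 1))
  check_rhosts "$1"        && fired=$((fired + 1))
  check_setuid "$1"        && fired=$((fired + 1))
  echo "$fired of 5 checks reported findings under $1"
  return "$fired"
}

# Constructed sample: a tiny "distribution" tree and a root showing the signs.
make_sample_root() {
  root=$1; dist=$2
  mkdir -p "$dist/bin" "$root/bin" "$root/etc" "$root/usr/etc" \
           "$root/usr/lib" "$root/home/alice"
  printf 'genuine su\n'  > "$dist/bin/su"
  printf 'trojaned su\n' > "$root/bin/su"                    # A1
  : > "$root/usr/etc/..."                                    # A2
  printf 'trusted.example\n+\n' > "$root/etc/hosts.equiv"    # A3
  printf 'root:x:0:0:root:/:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' \
    > "$root/etc/passwd"
  printf '+ +\n' > "$root/home/alice/.rhosts"                # A4
  : > "$root/usr/lib/lpx"; chmod 4755 "$root/usr/lib/lpx"    # A6
}

# Demonstration; on a live system run: run_checks / /mnt/distribution
tmp=$(mktemp -d)
make_sample_root "$tmp/root" "$tmp/dist"
run_checks "$tmp/root" "$tmp/dist" || echo "Findings present: follow section B."
rm -rf "$tmp"
```

Run the checks from a shell whose own binaries you trust (booted from distribution media, or with the suspect disk mounted on a clean host), since a trojaned su or a replaced find would otherwise be inspecting itself. A clean tree returns 0; each check that fires adds one to the exit status.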

B. Take the following steps to secure your systems.

   1. Save copies of the identified files to removable media.

   2. Replace any modified binaries with copies from
      distribution media.

   3. Remove the "+" entry from the "/etc/hosts.equiv" file and
      the "+ +" (plus space plus) entry from any ".rhosts" files.

   4. Remove any of the set-uid root files that you find, which are
      mentioned in A5 or A6 above.

   5. Change every password on the system.

   6. Inspect the files mentioned in A2 above for references
      to other hosts.

---------------------------------------------------------------------------