The line in the "A" paragraph below that begins with "/bin/ps" was inadvertently left out of ASSIST 94-02. This paragraph was in the "DETECTION" section of the bulletin.
A. Trojan horse programs: the intruders have been found to replace one or more of the following programs with a trojan horse version in conjunction with this attack:
/usr/etc/in.telnetd and
/bin/login - used to provide back-door access to the
intruders to retrieve the information
process
/bin/ps - used to disguise the network monitoring process
Because the intruders install trojan horse variations of commands such as the standard Unix sum(1) or cmp(1) until these programs can be restored from distribution cd-rom), or verified using cryptographic checksum In addition to the possibility of having the checksum programs mentioned above may have been engineered to produce the same standard checksum as the legitimate are not sufficient to determine whether the programs have been replaced.
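The following is an added example, not part of the ASSIST bulletin: it audits the three programs named above against a baseline of cryptographic hashes and flags the case where a 16-bit sum(1) checksum and the file size would both have passed. The file contents are constructed stand-ins, the System V variant of the sum(1) algorithm is an assumption chosen because its weakness is easy to see, and the baseline is assumed to have been recorded from distribution media with a trusted copy of the hashing tool.

```python
import hashlib

def sysv_sum(data: bytes) -> int:
    """16-bit checksum of the System V sum(1) variant: byte total, folded."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    return (folded & 0xFFFF) + (folded >> 16)

def fingerprint(data: bytes) -> dict:
    """Size, weak checksum and cryptographic hash of one file's contents."""
    return {"size": len(data), "sum": sysv_sum(data),
            "sha256": hashlib.sha256(data).hexdigest()}

def audit(baseline: dict, current: dict) -> dict:
    """Compare current contents with a baseline recorded from trusted media."""
    report = {}
    for path, known in baseline.items():
        if path not in current:
            report[path] = "missing"
            continue
        now = fingerprint(current[path])
        if now["sha256"] == known["sha256"]:
            report[path] = "ok"
        elif (now["sum"], now["size"]) == (known["sum"], known["size"]):
            # sum(1) and a size comparison would both have passed this file
            report[path] = "replaced (sum and size unchanged)"
        else:
            report[path] = "replaced"
    return report

# Constructed stand-ins for file contents; not real binaries.
TRUSTED = {
    "/usr/etc/in.telnetd": b"accept connection, run login\n",
    "/bin/login": b"check password, start shell\n",
    "/bin/ps": b"list every process\n",
}
BASELINE = {path: fingerprint(data) for path, data in TRUSTED.items()}

ON_DISK = dict(TRUSTED)
ON_DISK["/bin/login"] = b"check password or extra word, start shell\n"
ON_DISK["/bin/ps"] = b"list process every\n"  # same bytes, different order

if __name__ == "__main__":
    for path, verdict in audit(BASELINE, ON_DISK).items():
        print(f"{path}: {verdict}")
```
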
ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If you would like to be included in the distribution list for these bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins, and other security-related information, are available on the ASSIST BBS (see below), and through anonymous ftp from assist.ims.disa.mil (IP address 137.130.234.30). Note: assist.ims.disa.mil will only accept anonymous ftp connections from Milnet addresses.
ASSIST contact information:
PHONE: 703-756-7974, DSN 289, duty hours are 06:30 to 17:00 Monday through Friday. During off duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your page will be answered within 30 minutes; however, if a quicker response is required, prefix your phone number with "999".
ELECTRONIC MAIL: assist@assist.ims.disa.mil.
ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop".
Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100). Note: The TIS software is just one of several implementations of PEM currently available and additional versions are likely to be offered from other sources in the near future.