home *** CD-ROM | disk | FTP | other *** search
- ===========================================================================
- CA-92:03 CERT Advisory
- February 17, 1992
- Internet Intruder Activity
-
- ---------------------------------------------------------------------------
-
- The Computer Emergency Response Team/Coordination Center (CERT/CC) has
- received information regarding a significant intrusion incident on the
- Internet. Systems administrators should be aware that many systems on
- the Internet have been compromised due to this activity. To identify
- whether your systems have been affected by the activity we recommend
- that all system administrators check for the signs of intrusion
- detailed in this advisory.
-
- This advisory describes the activities that have been identified as
- part of this particular incident. This does not address the
- possibility that systems may have been compromised due to other,
- unrelated intrusion activity.
-
- ---------------------------------------------------------------------------
-
- I. Description
-
- The intruders gained initial access to a host by discovering a
- password for a user account on the system. They then attempted
- to become root on the compromised system.
-
- II. Impact
-
- Having gained root access on a system, the intruders installed
- trojan binaries that captured account information for both
- local and remote systems. They also installed set-uid root
- shells to be used for easy root access.
-
- III. Solution
-
- A. Check your systems for signs of intrusion due to this incident.
-
- 1. Check the su, ftpd, and ftp binaries (for example, "/bin/su",
- "/usr/ucb/ftp" and "/usr/etc/in.ftpd" on Sun systems)
- against copies from distribution media.
-
- 2. Check for the presence of any of the following files:
- "/usr/etc/..." (dot dot dot), "/var/crash/..." (dot dot dot),
- "/usr/etc/.getwd", "/var/crash/.getwd", or
- "/usr/kvm/..." (dot dot dot).
-
- 3. Check for the presence of "+" in the "/etc/hosts.equiv" file.
-
- 4. Check the home directory for each entry in the "/etc/passwd"
- file for the presence of a ".rhosts" file containing
- "+ +" (plus space plus).
-
- 5. Search the system for the presence of the following set-uid
- root files: "wtrunc" and ".a".
-
- 6. Check for the presence of the set-uid root file "/usr/lib/lpx".
-
-
- B. Take the following steps to secure your systems.
-
- 1. Save copies of the identified files to removable media.
-
- 2. Replace any modified binaries with copies from
- distribution media.
-
- 3. Remove the "+" entry from the "/etc/hosts.equiv" file and
- the "+ +" (plus space plus) entry from any ".rhosts" files.
-
- 4. Remove any of the set-uid root files that you find, which are
- mentioned in A5 or A6 above.
-
- 5. Change every password on the system.
-
- 6. Inspect the files mentioned in A2 above for references
- to other hosts.
-
- ---------------------------------------------------------------------------
-
- If you believe that your system has been compromised, contact CERT/CC or
- your representative in FIRST (Forum of Incident Response and Security Teams).
-
- Internet E-mail: cert@cert.sei.cmu.edu
- Telephone: 412-268-7090 (24-hour hotline)
- CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
- on call for emergencies during other hours.
-
- Computer Emergency Response Team/Coordination Center (CERT/CC)
- Software Engineering Institute
- Carnegie Mellon University
- Pittsburgh, PA 15213-3890
-
- Past advisories, information about FIRST representatives, and other
- information related to computer security are available for anonymous ftp
- from cert.sei.cmu.edu (192.88.209.5).
-
-
