
________________________________________________________________


CIAC
Computer Incident Advisory Capability

Information Bulletin
________________________________________________________________


October 9, 1989
Notice A-1

CIAC (the Computer Incident Advisory Capability) has learned
of a series of attacks on a set of UNIX computers attached to the
Internet. This series of attacks targets anonymous ftp to gain access
to the password file, then uses accounts from that file that use
easily guessed passwords to gain access to the machine. Once access
is gained to the machine, a trojan horse is installed in the Telnet
program (as described in a previous CIAC bulletin) to record further
user accounts and passwords. The TFTP facility has also been utilized
in this sequence of breakins. This bulletin describes the nature of
the threat, and suggests a procedure to protect your computers.

This is a limited distribution information bulletin to warn
your site of a series of hacker/cracker attacks on the Internet. This
bulletin is being sent to you because our records indicate that your
site is connected to the Internet. Please inform CIAC if this is not
true. Also, if you are not the CPPM or CSSM for your site, will you
please promptly forward this bulletin to that person or persons?

There has been a series of breakins into UNIX machines
connected to the Internet. These breakins at first were largely into
systems in North and South Carolina, but they have spread rapidly.
They appear to be the work of a group of hackers with fairly
identifiable patterns of attack. You should be aware of these attack
patterns, and should take measures described below to prevent breakins
at your site.

The attackers are using anonymous ftp (the ability to use ftp
as a guest) to obtain copies of an encrypted password file for a
machine. They then decrypt passwords, and use them to log into an
account on that machine. They become a root user, then install the
trojan horse version of Telnet, about which CIAC alerted you nearly
two months ago. This trojan horse collects passwords of Telnet users,
which the hackers then use to break into other machines. The hackers
are also using .rhost and host.equiv to gain entry into other systems
once they have broken into a new machine. The TFTP facility is also
used to gain access to a machine.

The attackers have not been destroying files or damaging
systems. To avoid being detected and/or monitored, however, they have
many times waited for several weeks or even longer after obtaining
passwords to break in to a system. This threat seems to center around
systems that have not installed the distributed patches to already
known vulnerabilities in the UNIX operating system.

CIAC recommends that you take three courses of action:

1) Look for connections between machines in your network and
host machines that would not normally be connected to your site. If
many of these connections exist, there is a strong possibility that
they may not be legitimate.

Currently many of these unauthorized connections and attacks
have been using:

  - universities in North and South Carolina
  - universities in Boston
  - universities and computer companies in the California
    Berkeley/Palo Alto area

Any unusual and unexplained activity from these locations is worth
special attention, as it is likely to be an attack.

2) Look for the Telnet trojan horse, using the command:

    strings `which telnet` | grep \@\(\#\) | grep on/off

Any lines that are printed from this command indicate that you have
been affected by the trojan horse. If you discover that you have been
affected by the trojan horse program, please contact CIAC for recovery
procedures.

3) If the host.equiv file contains a "+", unauthorized users
can gain entry into a system. You should therefore inform system
managers that they should remove "+" from any host.equiv files.
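
The two file-level checks above (recommendations 2 and 3) as a runnable shell script. This is an added example, not part of the CIAC bulletin: it stands in for strings(1) with a tr pipeline so it runs without binutils, and the script name, the audit paths (/etc/hosts.equiv, /home/*/.rhosts, /root/.rhosts) and the "audit" argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the CIAC bulletin: checks for recommendations 2 and 3.
# Each check function exits 0 when the indicator is present, non-zero otherwise.

# Recommendation 3: a bare "+" entry in hosts.equiv (or a user's .rhosts)
# trusts every remote host, so a matching account name is enough to log in
# over rlogin/rsh without a password.
hosts_equiv_has_wildcard() {
    # Match "+" alone or "+" followed by a user field ("+ user", "+ +"),
    # tolerating leading whitespace. "host +" and "+@netgroup" are narrower
    # forms and are deliberately not flagged here.
    grep -qE '^[[:space:]]*\+([[:space:]]|$)' "$1" 2>/dev/null
}

# Recommendation 2: the trojaned telnet carries an SCCS id ("@(#)...")
# containing "on/off". This is the bulletin's pipeline with a portable
# stand-in for strings(1): tr turns every non-printable byte into a newline.
telnet_has_trojan_marker() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep '@(#)' | grep -q 'on/off'
}

# Apply both checks to the live system (assumed invocation): sh ciac_a1_check.sh audit
if [ "${1-}" = "audit" ]; then
    rc=0
    for f in /etc/hosts.equiv /home/*/.rhosts /root/.rhosts; do
        [ -f "$f" ] || continue
        if hosts_equiv_has_wildcard "$f"; then
            echo "WARNING: wildcard '+' trust entry in $f"; rc=1
        fi
    done
    telnet_bin=$(command -v telnet 2>/dev/null)
    if [ -n "$telnet_bin" ] && telnet_has_trojan_marker "$telnet_bin"; then
        echo "WARNING: trojan marker found in $telnet_bin; contact CIAC"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "No indicators found."
    exit "$rc"
fi
```

Without the "audit" argument the script only defines the two functions, so it can be sourced from a larger host-audit job.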

Please refer questions to:

CIAC, Thomas Longstaff
Lawrence Livermore National Laboratory
P.O. Box 808
L-540
Livermore, CA 94550
(415) 423-4416 or (FTS) 543-4416
longstaf@frostedflakes.llnl.gov