CIAC Advisory number A-19
 ________________________________________________________________________
 THE COMPUTER INCIDENT ADVISORY CAPABILITY
 
 CIAC
 
 ADVISORY  NOTICE
 ________________________________________________________________________
 
 UNIX Internet Attack Advisory
 
 February 23, 1990, 1500 PST                                 	Number A-19
 
CIAC has learned of a large number of attacks on UNIX machines connected to the
Internet.  There are several groups of attackers using a variety of different
methods to break into systems.  One method is to use tftp to steal the password
file.  Another is to use sendmail to append additional entries onto .rhosts
files.  Still another is to log in to unpassworded system accounts and "Joe"
accounts (in which the username and password are identical).  Many of the
attackers then exploit unpatched vulnerabilities to obtain root privileges.
Using the root account, some have installed a modified version of /bin/login.
Modifications to /etc/utmp, /etc/wtmp, and /usr/adm/lastlog have also been made
to mask the intrusion.  The motivation for intrusion largely appears to be use
of machine time rather than destruction of files or damage to systems.
However, cases of malicious activity have also been observed.  This intrusion
activity is widespread, and is usually difficult to detect.
 
 CIAC recommends that you take the following actions:
 
1. Ensure that you have installed any applicable patches (e.g., for tftp,
restore/dump, etc.--see previous CIAC bulletins) in your UNIX system.  (CIAC is
currently preparing a checklist to help you verify that you have installed all
the applicable patches.)
 
 2. Regularly perform an integrity check on /bin/login
 
 3. Check for unpassworded accounts and "Joe" accounts--CIAC can supply DOE sites
 with a copy of the Security Profile Inspector, a UNIX password checking tool
 
 4. Look for suspicious connections from the University of Texas and Dartmouth
 University
 
 5. Look for strange files in /tmp
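The checks in recommendations 2 and 3 above (an integrity check on /bin/login, and a scan of the password file for unpassworded and "Joe" accounts, which the attack description earlier in this advisory names as entry points) can be scripted. The following is an added example written for this page; it is not CIAC code and not the Security Profile Inspector. Its `toy_hash` function is a constructed stand-in for the system's crypt(3) password hash so the script runs offline; on a real system the same logic applies with the system's own hash routine plugged in as `hash_fn`. The sample password file, the baseline /bin/login bytes and the digest are all constructed here.

```python
"""Two defender checks from CIAC A-19: baseline integrity of /bin/login and a
scan of a passwd-style file for empty-password and "Joe" accounts.
Added example for this page; not CIAC code."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Callable


# Constructed stand-in for crypt(3): two-character salt prefixed to a truncated
# SHA-256 of salt+password.  Real systems store crypt(3) output; the check is
# the same either way: re-hash the username with the stored salt and compare.
def toy_hash(password: str, salt: str) -> str:
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()[:16]


def salt_of(stored: str) -> str:
    # Classic crypt(3) hashes carry the salt as their first two characters.
    return stored[:2]


@dataclass
class Finding:
    user: str
    problem: str


def audit_passwd(passwd_text: str,
                 hash_fn: Callable[[str, str], str] = toy_hash) -> list[Finding]:
    """Flag accounts with an empty password field and "Joe" accounts
    (password identical to the username)."""
    findings: list[Finding] = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, stored = fields[0], fields[1]
        if stored == "":
            findings.append(Finding(user, "no password"))
        elif hash_fn(user, salt_of(stored)) == stored:
            findings.append(Finding(user, "Joe account (password == username)"))
    return findings


def file_digest(data: bytes) -> str:
    """Digest used for the /bin/login baseline (sha256 here; 1990 sites
    would have used sum(1) output recorded at install time)."""
    return hashlib.sha256(data).hexdigest()


def login_binary_modified(current: bytes, baseline_digest: str) -> bool:
    """True when the current /bin/login image no longer matches the baseline."""
    return file_digest(current) != baseline_digest


# Constructed sample password file (hashes produced with toy_hash above).
SAMPLE_PASSWD = "\n".join([
    "root:" + toy_hash("correct horse", "ab") + ":0:0:Operator:/:/bin/sh",
    "guest::100:10:Guest:/tmp:/bin/sh",                            # empty field
    "joe:" + toy_hash("joe", "Xy") + ":101:10:Joe:/u/joe:/bin/sh",  # Joe account
    "alice:" + toy_hash("s3cret", "Qz") + ":102:10:Alice:/u/alice:/bin/sh",
])

# Constructed stand-in for a known-good /bin/login image and its recorded digest.
BASELINE_LOGIN = b"\x7fELF constructed stand-in for a known-good /bin/login image"
BASELINE_DIGEST = file_digest(BASELINE_LOGIN)


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{finding.user}: {finding.problem}")
    tampered = BASELINE_LOGIN + b"\x00extra code appended"
    print("baseline /bin/login modified:",
          login_binary_modified(BASELINE_LOGIN, BASELINE_DIGEST))
    print("tampered /bin/login modified:",
          login_binary_modified(tampered, BASELINE_DIGEST))
```

To use it against a real system, read /etc/passwd into `audit_passwd` with `hash_fn` set to a wrapper around the system's crypt routine, and record `file_digest` of /bin/login at install time so later runs have a baseline to compare against; a baseline taken after a compromise is worthless, which is why the advisory says "regularly".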
 
 Neither the United States Government nor the University of California nor any of
 their employees, makes any warranty,  expressed or implied, or assumes any legal
 liability or responsibility for the accuracy, completeness, or usefulness of any
 information, product, or process disclosed, or represents that its use would not
 infringe privately owned rights.  Reference herein to any specific commercial
 products, process, or service by trade name, trademark manufacturer, or
 otherwise, does not necessarily constitute or imply its endorsement,
 recommendation, or favoring by the United States Government or the University of
 California.  The views and opinions of authors expressed herein do not
 necessarily state or reflect those of the United States Government nor the
 University of California, and shall not be used for advertising or product
 endorsement purposes.
 
 