CIAC Advisory number A-21
 ________________________________________________________________________
 THE COMPUTER INCIDENT ADVISORY CAPABILITY
 
 CIAC
 
 ADVISORY NOTICE
 ________________________________________________________________________
 
 Additional Information on Current UNIX Internet Attacks
 
 March 16, 1990, 1145 PST                                        Number A-21
 
This bulletin follows up CIAC Information Bulletin A-19, UNIX Internet Attack
Advisory (notice A-19).   Attacks on UNIX machines connecting to the Internet
persist, and are a very widespread and serious threat.  This bulletin provides
additional information about detecting these attacks and procedures to follow to
decrease the likelihood of attack.  This information specifically concerns
SUN, ULTRIX, and BSD UNIX systems, but may be useful to system managers of other
UNIX platforms.  Even if you think systems at your site are not being attacked,
it is important to recheck for evidence of intrusions and to adopt additional
precautionary measures.
 
 1.      Intruders are using tftp to obtain password files.  If possible use
 tftbootd in place of tftp.
 
2.      The sendmail function has several problems which intruders can exploit.
CIAC has been informed that sendmail is secure in the latest version of
Ultrix and BSD  (versions 3.1 and 5.61 respectively), but that older
versions as well as the recent versions of SunOS (up to version 4.0.3)
have exploitable features in sendmail.  In general, it is advantageous to
run the most recent version of an operating system.  Patches for most
versions and flavors of UNIX are available (call your vendor or
CIAC), and should be installed on every system to close this avenue
of attack!   (Refer to CIAC bulletin A-16)
 
 3.      There is also a well-known problem with finger in less recent versions
 of UNIX.  Attackers continue to exploit this vulnerability.  Obtain and
 install the patch for this bug!  (Call your vendor or CIAC for the
 availability of a patched version.)
 
 4.      Attackers are using ftp to steal system files, especially when a system
 is running ftp with an anonymous login.  Running the most recent version
 of ftp and configuring ftp properly will take care of this problem.
 SunOS 4.0.3 and the most recent versions of ULTRIX and BSD UNIX contain
 the correct patches.  However, it is important to follow the
 instructions provided with the operating system to properly configure
 the files available through anonymous ftp (e.g., file permissions,
 ownership, group, etc.).  Note especially that you should not use
 your regular password file for the one ftp will use.
 
 5.      Programs such as telnet, su and login are being replaced by trojan horse
 programs.  We recommend that you compare files currently available on
 your machines with those obtained from original distribution tapes of
 the operating system.
 
6.      Intruders have been leaving files and directories with both usual and
unusual names such as ".mail", "..  " (dot dot space space), "...", "h"
and "k".  These files may be found in the home directories of
compromised accounts or in /tmp or /usr/tmp.  Also assure that any
".rhosts" files in user accounts are authorized and have not been
planted by the attacker.
 
7.      Some intruders continue to remove entries from /etc/utmp, /etc/wtmp and
/usr/admin/lastlog to mask their presence.  You may notice a corrupted or
invalid system log file, or notice that a logfile has been reduced in
size for an unexplained reason.  Should you find this activity, please
call CIAC immediately.
 
8.      Once an intruder has compromised your system, a backdoor may be
introduced by adding scripts or programs that set the user id
to root (setuid scripts).  You should use the "find" command to
verify that all such scripts are authorized.
 
 9.      The intruder may attempt to leave an additional account on the system
 to be used at a later time.  Check your password file to assure that all
 accounts are authorized and properly passworded.  Look especially for
 any unauthorized root accounts (where the user id is 0).  If you have a
 password checking program, check the passwords on your system to assure
 that there are no easily guessed passwords or unpassworded accounts.
 For information on how to obtain such a checker, please contact CIAC.
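The checks in items 6, 8 and 9 can be scripted.  The following is an added
example, not part of the CIAC bulletin; it assumes only POSIX sh, awk, find,
sort and comm, and a passwd file in the classic 7-field format with the
password hash in field 2 (the sample passwd lines and hashes are constructed).

```shell
#!/bin/sh
# Added example (not part of the CIAC bulletin): defender-side checks for
# items 6, 8 and 9 of the advisory, using POSIX sh, awk, find, sort and comm.

# Item 9: accounts whose uid is 0.  Every such account is a root account.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$@"
}

# Item 9: accounts with an empty password field, i.e. no password at all.
unpassworded_accounts() {
    awk -F: '$2 == "" { print $1 }' "$@"
}

# Item 8: every setuid or setgid regular file below the given directory,
# sorted in the C locale so the list can be compared with comm.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Item 8: setuid/setgid files present now but absent from a sorted baseline
# list (one path per line) recorded from a known-good installation.
new_setuid() {
    list_setuid "$1" | LC_ALL=C comm -23 - "$2"
}

# Item 6: dot-files and the odd names the bulletin lists (".mail", "..  ",
# "...", "h", "k") below a directory such as /tmp or a home directory.
odd_names() {
    find "$1" \( -name '.*' -o -name 'h' -o -name 'k' \) ! -path "$1" -print 2>/dev/null \
        | LC_ALL=C sort
}

# Constructed sample passwd data ("HASH" stands for a real password hash):
# "toor" is a second uid-0 account and "guest" has no password at all.
SAMPLE_PASSWD='root:HASH:0:1:Operator:/:/bin/csh
daemon:*:1:1::/:
toor:HASH:0:1:backdoor:/:/bin/csh
guest::500:100:Guest:/home/guest:/bin/csh'

# Runs both item-9 checks against the constructed sample.
audit_sample_passwd() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    echo "uid 0 accounts:";        uid0_accounts "$f"
    echo "unpassworded accounts:"; unpassworded_accounts "$f"
    rm -f "$f"
}
```

Run the setuid functions against / with a baseline recorded right after a
clean installation from the distribution tapes; any path reported by
new_setuid needs an explanation.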
 
 10.     If you use terminal servers on your network (such as ANNEX terminal
 servers), these may be used by the intruder to access other hosts on
 your network.  Follow the instructions for  the terminal server to
 provide any available auditing capability, and assure that access to the
 server is controlled with passwords.  Access to a terminal server is
 equivalent to access to your network.
 
 Final note:  since a primary result of a successful attack is the theft of the
 password file, all account passwords on a successfully attacked machine should
 be immediately changed.
 
 For additional information or assistance, please contact CIAC:
 
 Tom Longstaff
 (415) 423-4416 or (FTS) 543-4416
 FAX: (415) 423-0913 or (415) 422-4294
 
 CIAC's phone number is (415) 422-8193.  You may also send e-mail to:
 
 [email protected]
 
 This bulletin is partially based on information supplied by the Computer
 Emergency Response Team Coordination Center.   Neither the United States
 Government nor the University of California nor any of their employees, makes
 any warranty,  expressed or implied, or assumes any legal liability or
 responsibility for the accuracy, completeness, or usefulness of any information,
 product, or process disclosed, or represents that its use would not infringe
 privately owned rights.  Reference herein to any specific commercial products,
 process, or service by trade name, trademark manufacturer, or otherwise, does
 not necessarily constitute or imply its endorsement, recommendation, or favoring
 by the United States Government or the University of California.  The views and
 opinions of authors expressed herein do not necessarily state or reflect those
 of the United States Government nor the University of California, and shall not
 be used for advertising or product endorsement purposes.