a-21.ciac-unix-attacks

Posted Sep 23, 1999

systems | unix
SHA-256 | 9bed35e59bb56efeeae93995e38392492207ffe006ace418132d404f4177df25

FOR OFFICIAL DOE USE ONLY--DO NOT DISTRIBUTE OUTSIDE OF DOE
________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

ADVISORY NOTICE
________________________________________________________________________

Additional Information on Current UNIX Internet Attacks

March 16, 1990, 1145 PST Number A-21


This bulletin follows up CIAC Information Bulletin A-19, UNIX Internet Attack
Advisory (notice A-19). Attacks on UNIX machines connected to the Internet
persist, and are a very widespread and serious threat. This bulletin provides
additional information about detecting these attacks and procedures to follow to
decrease the likelihood of attack. This information specifically concerns
SUN, ULTRIX, and BSD UNIX systems, but may be useful to system managers of other
UNIX platforms. Even if you think systems at your site are not being attacked,
it is important to recheck for evidence of intrusions and to adopt additional
precautionary measures.

1. Intruders are using tftp to obtain password files. If possible use
tftbootd in place of tftp.

2. The sendmail function has several problems which intruders can exploit.
CIAC has been informed that sendmail is secure in the latest version of
Ultrix and BSD (versions 3.1 and 5.61 respectively), but that older
versions as well as the recent versions of SunOS (up to version 4.0.3)
have exploitable features in sendmail. In general, it is advantageous
to run the most recent version of an operating system. Patches for most
versions and flavors of UNIX are available (call your vendor or
CIAC), and should be installed on every system to close this avenue
of attack! (Refer to CIAC bulletin A-16)

3. There is also a well-known problem with finger in less recent versions
of UNIX. Attackers continue to exploit this vulnerability. Obtain and
install the patch for this bug! (Call your vendor or CIAC for the
availability of a patched version.)

4. Attackers are using ftp to steal system files, especially when a system
is running ftp with an anonymous login. Running the most recent version
of ftp and configuring ftp properly will take care of this problem.
SunOS 4.0.3 and the most recent versions of ULTRIX and BSD UNIX contain
the correct patches. However, it is important to follow the
instructions provided with the operating system to properly configure
the files available through anonymous ftp (e.g., file permissions,
ownership, group, etc.). Note especially that you should not use
your regular password file for the one ftp will use.

5. Programs such as telnet, su and login are being replaced by trojan horse
programs. We recommend that you compare files currently available on
your machines with those obtained from original distribution tapes of
the operating system.

6. Intruders have been leaving files and directories with both usual and
unusual names such as ".mail", ".. " (dot dot space space), "...", "h"
and "k". These files may be found in the home directories of
compromised accounts or in /tmp or /usr/tmp. Also assure that any
".rhosts" files in user accounts are authorized and have not been
planted by the attacker.

7. Some intruders continue to remove entries from /etc/utmp, /etc/wtmp and
/usr/admin/lastlog to mask their presence. You may notice a corrupted or
invalid system log file, or notice that a log file has been reduced in
size for an unexplained reason. Should you find this activity, please
call CIAC immediately.

8. Once an intruder has compromised your system, a backdoor may be
introduced in the form of scripts that run with the user id of root
(setuid scripts). You should use the "find" command to verify that all
such scripts are authorized.
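The following shell script is an added example and is not part of the CIAC
bulletin; it turns the file-system checks of items 5, 6 and 8 into functions
run over a directory root of your choosing. The manifest format (the output of
cksum(1) recorded from distribution media), the fixture tree and every file
name in it are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the bulletin. Three checks over a directory root,
# matching items 5, 6 and 8 above. Run "sh checks.sh --demo" to see them
# on a constructed tree; on a real host point them at / and build the
# manifest from the original distribution tapes.

# Item 8: list set-uid and set-gid files under a root. Every hit should
# be a program the system manager can account for.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Item 6: list names that look like intruder droppings: dot files
# (including .rhosts), names containing spaces, and one-character names.
# The root itself is excluded so a dot-named root does not show up.
find_odd_names() {
    find "$1" \( -name '.*' -o -name '* *' -o -name '?' \) \
        ! -path "$1" 2>/dev/null | sort
}

# Item 5: compare installed files against a manifest of cksum(1) lines
# ("<checksum> <size> <path>") taken from the distribution. Prints one
# line per file that is missing or whose checksum or size changed.
verify_manifest() {
    while read -r sum size path; do
        [ -n "$path" ] || continue
        now=$(cksum "$path" 2>/dev/null) || { echo "MISSING $path"; continue; }
        [ "$now" = "$sum $size $path" ] || echo "MODIFIED $path"
    done < "$1"
}

# Constructed fixture (assumption for the example): a tiny tree holding
# the kinds of names item 6 describes and one set-uid file.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp" "$d/home/alice"
    : > "$d/home/alice/.rhosts"
    : > "$d/tmp/.. "                 # "dot dot space space"
    : > "$d/tmp/..."
    : > "$d/tmp/k"
    : > "$d/tmp/report.txt"          # an ordinary file, for the manifest check
    printf '#!/bin/sh\n' > "$d/tmp/shell"
    chmod 4755 "$d/tmp/shell"        # set-uid bit
    echo "$d"
}

case "${1-}" in
    --demo)
        ROOT=$(make_fixture)
        echo "== set-uid/set-gid files under $ROOT"; find_setuid "$ROOT"
        echo "== suspicious names under $ROOT";       find_odd_names "$ROOT"
        MANIFEST=$(mktemp); cksum "$ROOT/tmp/report.txt" > "$MANIFEST"
        echo tampered >> "$ROOT/tmp/report.txt"      # simulate a replaced binary
        echo "== manifest check";                    verify_manifest "$MANIFEST"
        rm -rf "$ROOT" "$MANIFEST" ;;
esac
```

The manifest check is only as good as the manifest: record it from the
distribution media, not from the running system, and keep it on write-protected
media, since an intruder who can replace /bin/login can also edit a manifest
stored on the same disk.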

9. The intruder may attempt to leave an additional account on the system
to be used at a later time. Check your password file to assure that all
accounts are authorized and properly passworded. Look especially for
any unauthorized root accounts (where the user id is 0). If you have a
password checking program, check the passwords on your system to assure
that there are no easily guessed passwords or unpassworded accounts.
For information on how to obtain such a checker, please contact CIAC.
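As an added example, not the bulletin's own procedure, the shell functions
below audit a passwd-format file for the two conditions item 9 names: accounts
other than root with user id 0, and accounts with an empty password field. The
sample file, its account names and its placeholder hashes are constructed for
the example; the file name is a parameter so the check can be run on a copy.

```shell
#!/bin/sh
# Added example, not from the bulletin. Audits a file in /etc/passwd layout
# (name:password:uid:gid:gecos:home:shell) for the findings of item 9.

# Every account with uid 0 whose name is not "root": each one is an extra
# superuser login and must be explicitly authorized.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Every account whose password field is empty, i.e. no password at all.
# A deliberately locked account normally carries "*" in that field.
unpassworded() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Combined check suitable for a cron job: prints findings and returns 1
# if there were any, 0 if the file is clean.
audit_passwd() {
    findings=$( { extra_uid0 "$1" | sed 's/^/UID0   /'
                  unpassworded "$1" | sed 's/^/NOPASS /'; } )
    [ -z "$findings" ] && return 0
    echo "$findings"
    return 1
}

# Constructed sample (assumption for the example): hashes are placeholders,
# "maint" stands for an account an intruder left behind, "guest" and "sync"
# have no password.
sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:XXplaceholderXX:0:1:Operator:/:/bin/sh
daemon:*:1:1::/:
sync::1:1::/:/bin/sync
alice:XXplaceholderXX:201:20:Alice:/home/alice:/bin/csh
maint:XXplaceholderXX:0:20:planted account:/tmp:/bin/sh
guest::202:20:Guest:/tmp:/bin/sh
EOF
    echo "$f"
}

case "${1-}" in
    --demo)
        P=$(sample_passwd)
        audit_passwd "$P" || echo "audit found problems (exit status $?)"
        rm -f "$P" ;;
esac
```

On a real system run `audit_passwd /etc/passwd` (or against the shadow file
where one exists, since there the password field lives). A clean result only
says the file is free of these two defects; item 9's advice to run a password
checker against the hashes still applies.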

10. If you use terminal servers on your network (such as ANNEX terminal
servers), these may be used by the intruder to access other hosts on
your network. Follow the instructions for the terminal server to
provide any available auditing capability, and assure that access to the
server is controlled with passwords. Access to a terminal server is
equivalent to access to your network.

Final note: since a primary result of a successful attack is the theft of the
password file, all account passwords on a successfully attacked machine should
be immediately changed.

For additional information or assistance, please contact CIAC:

Tom Longstaff
(415) 423-4416 or (FTS) 543-4416
FAX: (415) 423-0913 or (415) 422-4294

CIAC's phone number is (415) 422-8193. You may also send e-mail to:

ciac@tiger.llnl.gov

This bulletin is partially based on information supplied by the Computer
Emergency Response Team Coordination Center. Neither the United States
Government nor the University of California nor any of their employees, makes
any warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any information,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or otherwise, does
not necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.
