ciac-11.unix-telnet-trojan-horse
Posted Sep 23, 1999

tags | trojan
systems | unix
SHA-256 | e2de1c3fc6e4b7a8c11344dc4d1256bc9f006cad19314b8040031c9f26e140ee

________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

ADVISORY NOTICE
________________________________________________________________



NOTICE OF TROJAN HORSE PROGRAM AFFECTING COMPUTERS ON THE
INTERNET USING TELNET


The DOE Computer Incident Advisory Capability (CIAC) has learned of the
presence of a trojan horse program spreading over the Internet. This program
has caused unauthorized system activity on several computers that run Telnet.
The bogus Telnet program logs outgoing login sessions (including user names and
passwords). This problem could extend to any version of Telnet for which an
attacker has the source code. Currently, only UNIX systems have been affected,
though any system to which an attacker can gain access could be affected in the
future.

Historically, attackers have written the captured information to directories
with names such as "..." and ".mail". To determine whether your Telnet program
has been affected, you can search the installed binary for these directory name
strings (e.g., with the UNIX "strings" command). However, attackers may not use
the same directory names in the future, since the logging directory can be
changed when the trojan horse program is compiled. Therefore, CIAC recommends
that you periodically use one of the following methods to determine whether the
trojan horse has replaced your Telnet program:

1) Compare the size of the original Telnet file to that of the installed
version. A difference in size indicates the installed version has been modified
and should be checked.

2) Compare the original Telnet program with the version installed on your
particular system using a comparison program (e.g., DIFF, SUM or CMP) to
identify modifications to the installed version.

3) Use the command:

strings `which telnet` | grep / | grep -v \@\(\#\) | grep -v on/off

This lists every absolute pathname (i.e., filename with an explicit directory
component) embedded in the binary, unless the attacker deliberately
constructed the strings to defeat such comparison tests. Normally the only
such filenames are:

/etc/services
/etc/hosts

(Note: this test is a "quick and dirty" way of testing for the trojan
horse program. It eliminates the need to load a "clean copy" from tape
to perform the more time-consuming but more thorough comparison tests.)
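The three checks above, as an added shell script that is not part of the CIAC advisory: it runs the advisory's strings pipeline and reports any absolute path other than /etc/services and /etc/hosts (assumed here to be the complete expected set), and it compares an installed file with a known-clean copy by size and with cmp. The "binaries" it checks are constructed text stand-ins so the script runs offline; on a real system point it at `which telnet` and a copy restored from distribution media.

```shell
#!/bin/sh
# Added example (not CIAC's code): automates the advisory's three checks.
# Assumption: a clean telnet embeds only these absolute paths (per the advisory).
EXPECTED_PATHS='/etc/services
/etc/hosts'
# strings(1) as in the advisory; without binutils, approximate it by splitting
# on non-printable bytes and keeping runs of 4 or more characters.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
    fi
}

# Method 3: the advisory's pipeline (keep slashes, drop SCCS ids and "on/off"
# help text), then drop the expected paths so only unexplained pathnames remain.
suspicious_paths() {
    extract_strings "$1" | grep / | grep -v '@(#)' | grep -v on/off |
        grep -v -x -F "$EXPECTED_PATHS" || true
}

# Returns 0 if only expected paths are embedded, 1 (listing the extras) if not.
check_telnet() {
    found=$(suspicious_paths "$1")
    if [ -n "$found" ]; then
        printf 'SUSPECT: %s embeds unexpected paths:\n%s\n' "$1" "$found"
        return 1
    fi
    printf 'OK: %s embeds only expected paths\n' "$1"
}
# Methods 1 and 2: size check, then byte-for-byte cmp against a known-clean copy.
matches_reference() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(wc -c < "$2" | tr -d ' ')" ] &&
        cmp -s "$1" "$2"
}

# Constructed stand-in for a telnet binary: $1 = output file, $2 = an extra
# embedded string ('' for the clean case, '/tmp/.mail' for a hidden log dir).
make_sample() {
    printf '%s\n' '@(#)telnet.c 1.0 89/05/15' 'toggle %s on/off' \
        '/etc/services' '/etc/hosts' "$2" > "$1"
}

# Stand-alone run: build a clean and a trojaned sample and check both.
dir=$(mktemp -d)
make_sample "$dir/telnet.clean" '' && make_sample "$dir/telnet.bad" '/tmp/.mail'
check_telnet "$dir/telnet.clean"; check_telnet "$dir/telnet.bad" || true
rm -rf "$dir"
```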

If you discover you have been affected by the trojan horse program, it will
be necessary to:

1) remove any log files that have been created by the program,
2) change all passwords on all your machines, because the trojan horse
program captures passwords for break-ins into other machines, and
3) reinstall a clean version of the Telnet program.

In addition, if you have been affected by this trojan horse program, you
can help CIAC reach others who have also been affected but may not yet
realize that their systems have this problem. Please inform CIAC of:
1) what files the bogus program has created, and 2) the contacts coming
into the affected machine(s). Note: you can obtain a listing of these
contacts by using the UNIX 'last' command. If you have been affected or if
you need further information, please contact Gene Schultz, CIAC Manager, at
(415) 422-8193 or (FTS) 532-8193 or send e-mail to:

gschultz%nsspa@icdc.llnl.gov.

or

ciac@tiger.llnl.gov
