________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC
ADVISORY NOTICE
________________________________________________________________
NOTICE OF TROJAN HORSE PROGRAM AFFECTING COMPUTERS ON THE
INTERNET USING TELNET
The DOE Computer Incident Advisory Capability (CIAC) has learned of the
presence of a trojan horse program spreading over the Internet. This program
has caused unauthorized system activity on several computers that run Telnet.
The bogus Telnet program logs outgoing login sessions (including user names and
passwords). This problem could extend to any version of Telnet for which an
attacker has the source code. Currently, only UNIX systems have been affected,
though any system to which an attacker can gain access could be affected in the
future.
Historically, attackers have logged the captured information to directories
with names such as "..." and ".mail". One way to determine whether your Telnet
program has been affected is to search the binary for these directory name
strings (e.g., with the UNIX "strings" command). However, attackers may not use
the same directory names in the future, since the logging directory can be
changed when the trojan horse program is compiled. Therefore, CIAC recommends
that you periodically use one of the following methods to determine whether
the trojan horse has replaced your Telnet program:
1) Compare the size of an original Telnet file to the installed version.
A difference in size would indicate the installed version has been modified and
should be checked.
2) Compare the original Telnet source code and the version installed on
your particular system using a comparison program (e.g., DIFF, SUM or CMP) to
identify modifications to the installed version.
3) Use the command:
strings `which telnet` | grep / | grep -v '@(#)' | grep -v on/off
You will obtain all of the absolute pathnames (i.e., filenames that have an
explicit directory component) that were not specifically constructed to
protect against comparison tests. Normally these filenames are:
/etc/services
/etc/hosts
(Note: this test is a "quick and dirty" way of testing for the trojan
horse program. It eliminates the need to load a "clean copy" from tape
to perform the slower but more thorough comparison tests.)
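The three checks above combined into one script, as an added example that is not part of the CIAC advisory. It assumes a POSIX shell, uses cksum in place of SUM, and runs against constructed sample files rather than a real Telnet binary.

```shell
#!/bin/sh
# Added example, not part of the CIAC advisory: applies the advisory's three
# checks to a telnet binary. Sample files below are constructed for the demo.

# Stand-in for strings(1): use it if present, otherwise emulate it with tr.
extract_strings() {
  if command -v strings >/dev/null 2>&1; then
    strings "$1"
  else
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
  fi
}

# Check 3: absolute pathnames embedded in the binary, minus SCCS "@(#)"
# version ids and the "on/off" help text, exactly as the advisory's pipeline.
telnet_paths() {
  extract_strings "$1" | grep / | grep -v '@(#)' | grep -v on/off
}

# Print any pathname other than the two the advisory calls normal.
# Returns 1 when something unexpected (e.g. a hidden log directory) is found.
unexpected_paths() {
  found=$(telnet_paths "$1" | grep -v -x -e /etc/services -e /etc/hosts)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Checks 1 and 2: size and checksum against a known-good copy
# (cksum is the POSIX equivalent of the advisory's SUM).
same_binary() {
  [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(wc -c < "$2" | tr -d ' ')" ] || return 1
  [ "$(cksum < "$1" | cut -d' ' -f1)" = "$(cksum < "$2" | cut -d' ' -f1)" ]
}

# Constructed samples: a clean binary and a trojaned one that also embeds
# a hidden log directory like the "..." name the advisory mentions.
CLEAN=$(mktemp); BAD=$(mktemp)
printf '@(#)telnet 1.0\n/etc/services\n/etc/hosts\non/off\n' > "$CLEAN"
{ cat "$CLEAN"; printf '/usr/spool/.../log\n'; } > "$BAD"

unexpected_paths "$CLEAN" && echo "clean: only expected pathnames"
unexpected_paths "$BAD" || echo "suspect: unexpected pathnames listed above"
same_binary "$CLEAN" "$BAD" || echo "suspect: size/checksum differ from reference"
rm -f "$CLEAN" "$BAD"
```

On a real system, replace the constructed files with `which telnet` and a copy restored from original distribution media.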
If you discover you have been affected by the trojan horse program, it will
be necessary to:
1) remove any log files that the program has created,
2) change all passwords on all your machines, because the trojan horse
program captures passwords that are then used to break into other machines, and
3) reinstall a clean version of the Telnet program.
In addition, if you have been affected by this trojan horse program, you
can help CIAC reach others who have also been affected but may not yet
realize that their systems have this problem. Please inform CIAC of:
1) what files the bogus program has created, and 2) the contacts coming
into the affected machine(s). Note: you can obtain a listing of these
contacts by using the UNIX 'last' command. If you have been affected or if
you need further information, please contact Gene Schultz, CIAC Manager, at
(415) 422-8193 or (FTS) 532-8193 or send e-mail to:
gschultz%nsspa@icdc.llnl.gov.
or
ciac@tiger.llnl.gov