NO RESTRICTIONS
_____________________________________________________

          The Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /     |  /  \  /     /
                      \___  __|__  /___\   \___
_____________________________________________________

                    INFORMATION BULLETIN

               New Internet Intrusions Detected

February 19, 1992, 1100 PDT                                Number C-16
________________________________________________________________________

PROBLEM:   A new series of probes and penetrations on systems connected
           to the Internet has been detected.

PLATFORM:  Primarily UNIX systems.

DAMAGE:    Trojan Horse programs replacing the su, ftp, and ftpd
           utilities are common; other Trojan Horse programs detected
           include telnet and login. Information on penetrated accounts
           has been posted to public bulletin board systems.

SOLUTIONS: Verify that the utilities mentioned have not been modified by
           comparing them with copies on the distribution media. Also
           check for the existence of /usr/etc/... (dot, dot, dot),
           /var/crash/..., /usr/etc/.getwd, /var/crash/.getwd, or
           /usr/kvw/...
________________________________________________________________________

            Critical Information About Internet Intrusions

CIAC has learned of a new series of Internet attacks involving primarily
UNIX systems. The intruder is using vulnerabilities such as TFTP (see
CIAC bulletins A-19, A-21, B-44, and B-45 for more details) to obtain
copies of the password file on some Internet systems. The passwords are
then checked to see if any are easily guessed, and if so, the account is
used to gain access to the system. These attacks are widespread, and
accounts penetrated by these intruders are used to attack other systems
or gain root privilege on the penetrated system. If the intruder gains
root privilege, system binaries for the utilities su, ftp, and ftpd may
be replaced with Trojan Horse versions that record subsequent passwords
entered by legitimate users. In addition, the intruder may post the
username, password, and system name of the penetrated account to a
public bulletin board system.

If you manage a UNIX system connected to the Internet, CIAC recommends
that you verify that the system binaries for the su, ftp, and ftpd
utilities have not been modified. This can be done by comparing the
binaries to those on the system distribution media or by using a CRC
package such as the one contained in SPI/UNIX (available at no cost to
DOE sites) to assure that the binaries have not been modified.

Another indication of this attack is the presence of a file named ...
(dot, dot, dot) in the /usr/etc, /var/crash, or /usr/kvw directory, or
of a file named .getwd in the /usr/etc or /var/crash directory. Other
indicators of this attack include:

  o Presence of set-uid root shells named .a or wtrunc anywhere on the
    system

  o Addition of a "+" in the /etc/hosts.equiv file

  o Addition of a .rhosts file, containing the string "+ +" (plus,
    space, plus), in any home directory mentioned in the /etc/passwd
    file

  o Presence of a set-uid root file /usr/lib/lpx

Should you encounter any of the above-mentioned indicators of this
attack, CIAC recommends that you save a copy of the affected files on
tape or other removable media, remove or replace these files with
binaries from the system distribution media, and contact CIAC at the
number listed below. In addition, all passwords on the system should be
changed.

CIAC recommends that you run the SPI/UNIX or comparable package to
verify that your passwords are robust and system binaries have not been
modified. Version 2.0 of SPI/UNIX has been released and is available at
no cost to the DOE community. Contact your local Computer Security
department or CIAC for assistance in obtaining or installing this
product.

For additional information or assistance, please contact CIAC:

    Tom Longstaff
    (510) 423-4416/(FTS) 543-4416
    longstaf@llnl.gov

Call CIAC at (510) 422-8193/(FTS) 532-8193 or send e-mail to
ciac@llnl.gov. FAX messages to: (510) 423-8002/(FTS) 543-8002.

Previous CIAC bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response team,
DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your agency's
team will coordinate with CIAC.

The Computer Emergency Response Team/Coordination Center (CERT/CC)
provided some of the information used in this bulletin.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does
not necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.
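The file-system indicators listed in this bulletin (the "..." and .getwd entries, set-uid .a, wtrunc and /usr/lib/lpx, the "+" in hosts.equiv and "+ +" in .rhosts), gathered into one POSIX shell function as an added example that is not part of the CIAC bulletin or of SPI/UNIX. The function name ciac_c16_scan, the optional root-directory argument (so a mounted image or a constructed test tree can be scanned) and the message format are assumptions; verifying su, ftp and ftpd against the distribution media is left to the administrator.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin: scan for the C-16
# indicators.  ROOT defaults to "/"; pass another directory to scan a
# mounted image or a constructed test tree.  Function name and message
# format are assumptions.  Binary verification against distribution
# media (the bulletin's first recommendation) is not covered here.
ciac_c16_scan() {
    root="${1:-/}"
    root="${root%/}"        # "" for "/", so "$root/usr/etc" stays clean

    # Hidden "..." entries in the three directories the bulletin names
    for d in /usr/etc /var/crash /usr/kvw; do
        if [ -e "$root$d/..." ]; then
            echo "INDICATOR: $root$d/... exists"
        fi
    done
    # .getwd in /usr/etc or /var/crash
    for d in /usr/etc /var/crash; do
        if [ -e "$root$d/.getwd" ]; then
            echo "INDICATOR: $root$d/.getwd exists"
        fi
    done

    # Set-uid files named .a or wtrunc anywhere, and set-uid /usr/lib/lpx.
    # Only the set-uid bit is tested; on a live system also confirm with
    # ls -l that the owner is root before treating a hit as this case.
    find "${root:-/}" -xdev -type f -perm -4000 \
        \( -name .a -o -name wtrunc -o -path "$root/usr/lib/lpx" \) \
        2>/dev/null | while read -r f; do
        echo "INDICATOR: set-uid file $f"
    done

    # A lone "+" line in hosts.equiv trusts every host on the network
    if [ -f "$root/etc/hosts.equiv" ] && grep -qx '+' "$root/etc/hosts.equiv"; then
        echo "INDICATOR: '+' entry in $root/etc/hosts.equiv"
    fi

    # "+ +" in the .rhosts of any home directory listed in /etc/passwd
    if [ -f "$root/etc/passwd" ]; then
        cut -d: -f6 "$root/etc/passwd" | while read -r home; do
            rh="$root$home/.rhosts"
            if [ -n "$home" ] && [ -f "$rh" ] && grep -qx '+ +' "$rh"; then
                echo "INDICATOR: '+ +' entry in $rh"
            fi
        done
    fi
    return 0
}
```

Run it as root on the live system (`ciac_c16_scan`) or against a mounted copy (`ciac_c16_scan /mnt/suspect`); one line per finding is printed, and a clean system prints nothing.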