assist.235
Posted Sep 23, 1999

SHA-256 | 09d054d189c8806952c2e520af79f3d7d1fa83ad43d14bea116ca0099de970f4
PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER
{ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER
{IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS
U-1,228/DS-SIM {DCPO}
SUBJ: COMPROMISES OF UNIX BASED SYSTEMS {AUTOMATED SYSTEMS SECURITY
INCIDENT SUPPORT TEAM {ASSIST} 92-35}
1. DISCUSSION: THIS IS A PRIORITY ALERT THAT INTERRUPTS THE
SEQUENCE OF THE BASELINE PACKAGE OF MESSAGES CURRENTLY BEING ISSUED
BY ASSIST. SEVERAL COMPROMISED SYSTEMS HAVE BEEN DISCOVERED AT U.S.
GOVERNMENT DATA CENTERS. YOU ARE ADVISED TO PASS THIS MEMO ALONG
TO OTHER SYSTEM MANAGERS AS WELL AS YOUR MANAGEMENT SO THAT AS MANY
PEOPLE AS POSSIBLE CAN BE INFORMED. THE ATTACKS ARE TAKING THE FORM
OF TROJAN-HORSE VERSIONS OF THE /BIN/LOGIN PROGRAM REPLACING THE
ACTUAL PROGRAM THAT IS PART OF UNIX. THE ACTIVITY APPEARS TO HAVE
BEEN OCCURRING FOR AT LEAST THE LAST 2 WEEKS. COMPROMISED SYSTEMS
PROVIDE AN UNAUTHORIZED USER WITH THE ABILITY TO ACCESS A ROOT SHELL
ON YOUR SYSTEM WHILE EFFECTIVELY REMAINING 'INVISIBLE'. THE PROCESS
DOES NOT SHOW UP ON NORMAL USER DISPLAYS, AND NO ENTRIES ARE MADE TO
THE LOG FILE.
2. WHILE NOT A FULL SIGNATURE, THE FOLLOWING PROVIDES SOME THINGS
TO LOOK FOR:
A. CHECK THE REVISION DATE OF /BIN/LOGIN USING THE COMMAND:
LS -LC /BIN/LOGIN {NOTE: USE "LS -LC" NOT "LS -L"}
BE SUSPICIOUS OF A RECENT REVISION DATE. NOTE HOWEVER, THAT IT IS
EASY TO SPOOF THE REVISION DATE, AND SOME COMPROMISED SYSTEMS HAVE
HAD THIS HAPPEN TO THEM. HOWEVER, IF YOU CAN VERIFY THE REVISION
DATE AGAINST THE FILE ON YOUR ORIGINAL O/S MEDIA, THIS MIGHT PROVIDE
A FIRST-ALERT TO A PROBLEM.
B. WHEN LOGGING IN, THE /BIN/LOGIN PROGRAM NORMALLY PRODUCES THE
FOLLOWING PROMPT:
"Password:" {NOTE, CAPITAL "P", AND NO SPACE AFTER THE COLON} SOME
COMPROMISED VERSIONS OF /BIN/LOGIN PRESENT THEMSELVES TO THE USER
BY PROMPTING WITH EITHER "password:" OR "Password: ".
C. CHECK FOR THE EXISTENCE OF THE FILE /VAR/SPOOL/SECRETMAIL/.L OR
/USR/SPOOL/SECRETMAIL/.L. THIS FILE IS NOT PART OF NORMAL UNIX,
AND IF PRESENT, INDICATES THE EXISTENCE OF A TROJAN HORSE
/BIN/LOGIN.
3. THE ABOVE STEPS WILL PROVIDE A PRELIMINARY IDENTIFICATION OF
NODES THAT ARE AFFECTED. HOWEVER, NODES NOT EXHIBITING THE PREVIOUS
INDICATIONS COULD STILL BE AT RISK. IT IS BELIEVED THAT THE
TROJAN-HORSE COPY OF /BIN/LOGIN HAS BEEN ALTERED SUCH THAT IT STILL
CHECKSUMS TO THE CORRECT VALUE. YOU ARE STRONGLY ENCOURAGED TO
CHECK EVERY UNIX MACHINE AT YOUR CENTER FOR THE ABOVE ATTRIBUTES.
FURTHER, IT IS STRONGLY RECOMMENDED THAT ALL SITES WITH HOSTS.EQUIV
FILES ENSURE THAT THE FILE DOES NOT CONTAIN A LINE THAT CONSISTS OF
NOTHING BUT A "+". THIS WOULD ALLOW SOMEONE WHO PENETRATES THE ROOT
ACCOUNT ON ANY OTHER MACHINE [ANYWHERE] ON THE INTERNET TO RLOGIN
AS ROOT ON YOUR NODE. IT IS SUSPECTED THAT THIS MECHANISM IS BEING
USED IN SOME OF THE INSTANCES CURRENTLY BEING REPORTED. IT IS
FURTHER SUGGESTED THAT SITES RUN THE SECURITY PROGRAMS CONTAINED IN
THE COPS {V1.04} SOFTWARE WHICH WAS DEVELOPED TO HELP IDENTIFY
COMMON UNIX SECURITY PROBLEMS. THIS SOFTWARE IS AVAILABLE VIA
ANONYMOUS FTP FROM CERT.ORG {192.88.209.5} IN THE DIRECTORY
{TILDE}/PUB/COPS/1.04.
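The checks in sections 2 and 3 above, collected into a POSIX sh script. This is an added example, not part of the ASSIST advisory; the function names, the root-prefix and reference-file parameters, and the use of find -cnewer (GNU/BSD find, not strict POSIX) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): shell checks for the indicators it lists.
# Paths are parameters so the checks run against a live root (""), a mounted
# root, or constructed test fixtures.

# 2.A: ctime of the login binary, the field "ls -lc" shows. mtime is trivially
# reset with touch; ctime is harder (not impossible) to spoof. Returns 0 if the
# binary's ctime is newer than the reference file's mtime, 1 if not, 2 if missing.
# find -cnewer is GNU/BSD find, not strict POSIX (assumption of this example).
login_ctime_newer_than() {
    [ -e "$1" ] || return 2
    [ -n "$(find "$1" -cnewer "$2")" ]
}

# 2.B: the stock prompt is exactly "Password:"; trojaned copies were seen
# prompting with "password:" or "Password: " (trailing space).
prompt_is_suspicious() {
    [ "$1" != 'Password:' ]
}

# 2.C: the marker file under the spool directory, relative to a root prefix.
secretmail_marker_present() {
    for f in "$1/var/spool/secretmail/.l" "$1/usr/spool/secretmail/.l"; do
        [ -e "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# 3: a hosts.equiv line consisting of nothing but "+" trusts every host.
hosts_equiv_has_wildcard() {
    [ -f "$1" ] && grep -q '^[+][[:space:]]*$' "$1"
}

# 3: the trojan was tuned to keep the same checksum, so compare bytewise
# against a copy taken from original media rather than trusting sum(1).
login_matches_trusted_copy() {
    cmp -s "$1" "$2"
}

# Run every check under a root prefix; $2 is a file whose mtime is the install
# date, $3 an optional trusted copy of login. Prints findings, returns their count.
check_host() {
    root="$1"; ref="$2"; trusted="$3"; n=0
    login_ctime_newer_than "$root/bin/login" "$ref" && { echo "login ctime newer than $ref"; n=$((n+1)); }
    m=$(secretmail_marker_present "$root") && { echo "marker present: $m"; n=$((n+1)); }
    hosts_equiv_has_wildcard "$root/etc/hosts.equiv" && { echo "hosts.equiv trusts every host (+)"; n=$((n+1)); }
    [ -n "$trusted" ] && ! login_matches_trusted_copy "$root/bin/login" "$trusted" && { echo "login differs from trusted copy"; n=$((n+1)); }
    return "$n"
}
```

Run as `check_host "" /path/to/install-date-file /mnt/media/bin/login` on a live system; a non-zero exit status is the number of indicators found.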
4. IF AFTER PERFORMING THE ABOVE STEPS, ANY SYSTEMS ARE FOUND TO
BE AFFECTED AS DESCRIBED, THE SYSTEM ADMINISTRATOR SHOULD PERFORM
THE FOLLOWING STEPS:
A. MAKE A BACKUP OF YOUR CURRENT SYSTEM. LABEL EACH TAPE AND HAVE
THE PERSON WHO MADE THE BACKUP PUT THEIR SIGNATURE ON THE LABEL.
THIS SAME PERSON SHOULD THEN STORE THE TAPE IN A SECURE {I.E.
"LOCKED"} LOCATION UNTIL FURTHER NOTICE.
B. REPLACE ALL OPERATING SYSTEM FILES WITH THOSE FROM A TRUSTED
BACKUP OR FROM ORIGINAL DISTRIBUTION MEDIA.
C. PLEASE REPORT ANY INCIDENCES OF AFFECTED SYSTEMS TO ASSIST AS
WELL AS YOUR LOCAL MANAGEMENT. THE CENTER COMPUTER SECURITY
OFFICIALS SHOULD BE APPRISED OF THE EXTENT OF AFFECTED SYSTEMS.
D. KEEP RECORDS OF WHICH SYSTEMS WERE AFFECTED, AND OF THE
WORK-HOURS REQUIRED TO BACK UP, ERADICATE, AND REPORT THIS PROBLEM.
THE LOGS MAY BE REQUIRED LATER.
5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS
MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST
CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE,
PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK
NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE
THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT
"DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL."