PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER
{ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER
{IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS
U-1,228/DS-SIM {DCPO}
SUBJ: COMPROMISES OF UNIX BASED SYSTEMS {AUTOMATED SYSTEMS SECURITY
INCIDENT SUPPORT TEAM {ASSIST} 92-35}
1. DISCUSSION: THIS IS A PRIORITY ALERT THAT INTERRUPTS THE
SEQUENCE OF THE BASELINE PACKAGE OF MESSAGES CURRENTLY BEING ISSUED
BY ASSIST. SEVERAL COMPROMISED SYSTEMS HAVE BEEN DISCOVERED AT U.S.
GOVERNMENT DATA CENTERS. YOU ARE ADVISED TO PASS THIS MEMO ALONG
TO OTHER SYSTEM MANAGERS AS WELL AS YOUR MANAGEMENT SO THAT AS MANY
PEOPLE AS POSSIBLE CAN BE INFORMED. THE ATTACKS ARE TAKING THE FORM
OF TROJAN-HORSE VERSIONS OF THE /bin/login PROGRAM REPLACING THE
ACTUAL PROGRAM THAT IS PART OF UNIX. THE ACTIVITY APPEARS TO HAVE
BEEN OCCURRING FOR AT LEAST THE LAST 2 WEEKS. COMPROMISED SYSTEMS
PROVIDE AN UNAUTHORIZED USER WITH THE ABILITY TO ACCESS A ROOT SHELL
ON YOUR SYSTEM WHILE EFFECTIVELY REMAINING 'INVISIBLE'. THE PROCESS
DOES NOT SHOW UP ON NORMAL USER DISPLAYS, AND NO ENTRIES ARE MADE TO
THE LOG FILE.
2. WHILE NOT A FULL SIGNATURE, THE FOLLOWING PROVIDES SOME THINGS
TO LOOK FOR:
A. CHECK THE REVISION DATE OF /bin/login USING THE COMMAND:
ls -lc /bin/login {NOTE: USE "ls -lc", NOT "ls -l"}
BE SUSPICIOUS OF A RECENT REVISION DATE. NOTE HOWEVER, THAT IT IS
EASY TO SPOOF THE REVISION DATE, AND SOME COMPROMISED SYSTEMS HAVE
HAD THIS HAPPEN TO THEM. HOWEVER, IF YOU CAN VERIFY THE REVISION
DATE AGAINST THE FILE ON YOUR ORIGINAL O/S MEDIA, THIS MIGHT PROVIDE
A FIRST-ALERT TO A PROBLEM.
B. WHEN LOGGING IN, THE /bin/login PROGRAM NORMALLY PRODUCES THE
FOLLOWING PROMPT:
"Password:" {NOTE: CAPITAL "P", AND NO SPACE AFTER THE COLON}. SOME
COMPROMISED VERSIONS OF /bin/login PRESENT THEMSELVES TO THE USER
BY PROMPTING WITH EITHER "password:" OR "Password: ".
C. CHECK FOR THE EXISTENCE OF THE FILE /var/spool/secretmail/.l OR
/usr/spool/secretmail/.l. THIS FILE IS NOT PART OF NORMAL UNIX,
AND IF PRESENT, INDICATES THE EXISTENCE OF A TROJAN HORSE
/bin/login.
3. THE ABOVE STEPS WILL PROVIDE A PRELIMINARY IDENTIFICATION OF
NODES THAT ARE AFFECTED. HOWEVER, NODES NOT EXHIBITING THE PREVIOUS
INDICATIONS COULD STILL BE AT RISK. IT IS BELIEVED THAT THE
TROJAN-HORSE COPY OF /bin/login HAS BEEN ALTERED SUCH THAT IT STILL
CHECKSUMS TO THE CORRECT VALUE. YOU ARE STRONGLY ENCOURAGED TO
CHECK EVERY UNIX MACHINE AT YOUR CENTER FOR THE ABOVE ATTRIBUTES.
FURTHER, IT IS STRONGLY RECOMMENDED THAT ALL SITES WITH hosts.equiv
FILES ENSURE THAT THE FILE DOES NOT CONTAIN A LINE THAT CONSISTS OF
NOTHING BUT A "+". SUCH A LINE WOULD ALLOW SOMEONE WHO PENETRATES THE
ROOT ACCOUNT ON ANY OTHER MACHINE [ANYWHERE] ON THE INTERNET TO rlogin
AS ROOT ON YOUR NODE. IT IS SUSPECTED THAT THIS MECHANISM IS BEING
USED IN SOME OF THE INSTANCES CURRENTLY BEING REPORTED. IT IS
FURTHER SUGGESTED THAT SITES RUN THE SECURITY PROGRAMS CONTAINED IN
THE COPS {V1.04} SOFTWARE WHICH WAS DEVELOPED TO HELP IDENTIFY
COMMON UNIX SECURITY PROBLEMS. THIS SOFTWARE IS AVAILABLE VIA
ANONYMOUS FTP FROM cert.org {192.88.209.5} IN THE DIRECTORY
~/pub/cops/1.04.
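THE FOLLOWING SCRIPT IS AN ADDED EXAMPLE, NOT PART OF THE ASSIST MESSAGE: IT RUNS THE DEFENDER-SIDE CHECKS FROM PARAGRAPHS 2 AND 3 (THE hosts.equiv "+" LINE, THE secretmail/.l MARKER FILE, THE PROMPT TEXT, AND ls -lc ON THE LOGIN BINARY) AGAINST A ROOT DIRECTORY. THE FUNCTION NAMES AND THE ROOT-DIRECTORY PARAMETER ARE THIS EXAMPLE'S OWN ASSUMPTIONS.

```sh
#!/bin/sh
# Added example, not part of the ASSIST message: run the indicator checks from
# paragraphs 2 and 3 against a root directory ("/" for the live system; a
# mounted image or scratch tree may be given). Exit status 1 = indicator fired.

# Paragraph 3: a hosts.equiv line of nothing but "+" trusts root from every
# host. Whitespace around the "+" is ignored; a missing file counts as clean.
hosts_equiv_has_wildcard() {
    [ -f "$1" ] || return 1
    awk '{ gsub(/^[ \t]+|[ \t]+$/, "") } $0 == "+" { found = 1 }
         END { exit !found }' "$1"
}

# Paragraph 2.C: the marker file the trojan login leaves behind.
secretmail_marker_present() {
    for p in "$1/var/spool/secretmail/.l" "$1/usr/spool/secretmail/.l"; do
        [ -e "$p" ] && return 0
    done
    return 1
}

# Paragraph 2.B: the genuine prompt is exactly "Password:" (capital P, no
# trailing space); the operator passes the prompt text seen at login.
prompt_is_suspicious() {
    case "$1" in
        "Password:") return 1 ;;
        *)           return 0 ;;
    esac
}

# Paragraph 2.A: inode change time (ls -lc) of the login binary, to be compared
# with the copy on the original distribution media.
login_ctime() {
    ls -lc "$1"
}

check_host() {
    root=${1%/}
    status=0
    if hosts_equiv_has_wildcard "$root/etc/hosts.equiv"; then
        echo "WARN: $root/etc/hosts.equiv contains a bare '+' line"; status=1
    fi
    if secretmail_marker_present "$root"; then
        echo "WARN: secretmail/.l marker present; treat $root/bin/login as trojaned"; status=1
    fi
    echo "ctime of $root/bin/login (verify against original media):"
    login_ctime "$root/bin/login" 2>/dev/null || echo "  (not found)"
    return $status
}

if [ $# -gt 0 ]; then check_host "$1"; fi
```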
4. IF AFTER PERFORMING THE ABOVE STEPS, ANY SYSTEMS ARE FOUND TO
BE AFFECTED AS DESCRIBED, THE SYSTEM ADMINISTRATOR SHOULD PERFORM
THE FOLLOWING STEPS:
A. MAKE A BACKUP OF YOUR CURRENT SYSTEM. LABEL EACH TAPE AND HAVE
THE PERSON WHO MADE THE BACKUP PUT THEIR SIGNATURE ON THE LABEL.
THIS SAME PERSON SHOULD THEN STORE THE TAPE IN A SECURE {I.E.
"LOCKED"} LOCATION UNTIL FURTHER NOTICE.
B. REPLACE ALL OPERATING SYSTEM FILES WITH THOSE FROM A TRUSTED
BACKUP OR FROM ORIGINAL DISTRIBUTION MEDIA.
C. PLEASE REPORT ANY INCIDENCES OF AFFECTED SYSTEMS TO ASSIST AS
WELL AS YOUR LOCAL MANAGEMENT. THE CENTER COMPUTER SECURITY
OFFICIALS SHOULD BE APPRISED OF THE EXTENT OF AFFECTED SYSTEMS.
D. KEEP RECORDS OF WHICH SYSTEMS WERE AFFECTED, AND OF THE
WORK-HOURS REQUIRED TO BACK UP, ERADICATE, AND REPORT THIS PROBLEM.
THE LOGS MAY BE REQUIRED LATER.
5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS
MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST
CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE,
PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK
NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE
THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT
"DOD-CERT@DDN-CONUS.DDN.MIL".