FOR OFFICIAL DOE USE ONLY--DO NOT DISTRIBUTE OUTSIDE OF DOE
________________________________________________________________________

THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC ADVISORY NOTICE
________________________________________________________________________

Additional Information on Current UNIX Internet Attacks

March 16, 1990, 1145 PST
Number A-21

This bulletin follows up CIAC Information Bulletin A-19, UNIX Internet Attack Advisory (notice A-19). Attacks on UNIX machines connected to the Internet persist and are a very widespread and serious threat. This bulletin provides additional information about detecting these attacks and procedures to follow to decrease the likelihood of attack. This information specifically concerns SUN, ULTRIX, and BSD UNIX systems, but may be useful to system managers of other UNIX platforms. Even if you think systems at your site are not being attacked, it is important to recheck for evidence of intrusions and to adopt additional precautionary measures.

1. Intruders are using tftp to obtain password files. If possible use tftbootd in place of tftp.

2. The sendmail function has several problems which intruders can exploit. CIAC has been informed that sendmail is secure in the latest versions of Ultrix and BSD (versions 3.1 and 5.61 respectively), but that older versions as well as the recent versions of SunOS (up to version 4.0.3) have exploitable features in sendmail. In general, it is advantageous to run the most recent version of an operating system. Patches for most versions and flavors of UNIX are available (call your vendor or CIAC), and should be installed on every system to close this avenue of attack! (Refer to CIAC bulletin A-16.)

3. There is also a well-known problem with finger in less recent versions of UNIX. Attackers continue to exploit this vulnerability. Obtain and install the patch for this bug! (Call your vendor or CIAC for the availability of a patched version.)

4.
   Attackers are using ftp to steal system files, especially when a system is running ftp with an anonymous login. Running the most recent version of ftp and configuring ftp properly will take care of this problem. SunOS 4.0.3 and the most recent versions of ULTRIX and BSD UNIX contain the correct patches. However, it is important to follow the instructions provided with the operating system to properly configure the files available through anonymous ftp (e.g., file permissions, ownership, group, etc.). Note especially that you should not use your regular password file as the one ftp will use.

5. Programs such as telnet, su and login are being replaced by trojan horse programs. We recommend that you compare the files currently on your machines with those obtained from the original distribution tapes of the operating system.

6. Intruders have been leaving files and directories with both usual and unusual names such as ".mail", ".. " (dot dot space space), "...", "h" and "k". These files may be found in the home directories of compromised accounts or in /tmp or /usr/tmp. Also assure that any ".rhosts" files in user accounts are authorized and have not been planted by the attacker.

7. Some intruders continue to remove entries from /etc/utmp, /etc/wtmp and /usr/admin/lastlog to mask their presence. You may notice a corrupted or invalid system log file, or notice that a log file has been reduced in size for an unexplained reason. Should you find this activity, please call CIAC immediately.

8. Once an intruder has compromised your system, a backdoor may be introduced through the introduction of scripts that set the user id to root (setuid scripts). You should use the "find" command to verify that all such scripts are authorized.

9. The intruder may attempt to leave an additional account on the system to be used at a later time. Check your password file to assure that all accounts are authorized and properly passworded.
   Look especially for any unauthorized root accounts (where the user id is 0). If you have a password checking program, check the passwords on your system to assure that there are no easily guessed passwords or unpassworded accounts. For information on how to obtain such a checker, please contact CIAC.

10. If you use terminal servers on your network (such as ANNEX terminal servers), these may be used by the intruder to access other hosts on your network. Follow the instructions for the terminal server to provide any available auditing capability, and assure that access to the server is controlled with passwords. Access to a terminal server is equivalent to access to your network.

Final note: since a primary result of a successful attack is the theft of the password file, all account passwords on a successfully attacked machine should be immediately changed.

For additional information or assistance, please contact CIAC:

   Tom Longstaff
   (415) 423-4416 or (FTS) 543-4416
   FAX: (415) 423-0913 or (415) 422-4294

CIAC's phone number is (415) 422-8193. You may also send e-mail to: ciac@tiger.llnl.gov

This bulletin is partially based on information supplied by the Computer Emergency Response Team Coordination Center.

Neither the United States Government nor the University of California nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.
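The following shell functions are an added example, not part of the CIAC bulletin, that turn items 6, 8 and 9 above into repeatable checks: a password-file audit for uid 0 accounts and empty password fields, a find for set-uid files, and a find for the planted file names the bulletin lists plus .rhosts files. The directory and file arguments are assumed so the checks can be run against a copy of /etc/passwd or a test tree.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin): defensive checks for
# bulletin items 6, 8 and 9. All paths are supplied as arguments.

# Item 9: print accounts that have uid 0 but are not "root", and
# accounts whose password field is empty. Argument: a passwd-format file.
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "uid0:" $1 }
        $2 == ""                { print "nopass:" $1 }
    ' "$1"
}

# Item 8: list set-uid files under a directory (the bulletin's "find"
# check). Compare the result against the list you expect from the
# distribution tapes.
find_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# Item 6: list files or directories named like the planted files the
# bulletin describes (".mail", ".. " with two spaces, "...", "h", "k")
# and any .rhosts file, so each can be confirmed as authorized.
find_planted_names() {
    find "$1" \( -name '.mail' -o -name '..  ' -o -name '...' \
        -o -name 'h' -o -name 'k' -o -name '.rhosts' \) \
        -print 2>/dev/null | sort
}
```

Run, for example, `audit_passwd /etc/passwd`, `find_setuid /`, and `find_planted_names /tmp` (and the home directories) from a root shell; an empty result from the first means no unexpected uid 0 or unpassworded accounts were found.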