TUCoPS :: General Information :: al200003.txt

AusCERT Alert 2000.03 Current Widespread Intruder Activity

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2000.03  --  AUSCERT ALERT
                    Current Widespread Intruder Activity
                                02 March 2000

===========================================================================

PROBLEM:  

	  AusCERT has received numerous reports of root compromises within
	  Australia which have a common intruder signature.

	  As these recent compromises are widespread and moderately easy
	  to detect, AusCERT is releasing information on this intruder's
	  "signature" to enable System Administrators to detect if their
	  systems have been compromised by this intruder.

	  While it is easily possible for the intruder(s) to change their
	  modus operandi we still believe this information will be
	  beneficial to some sites in the interim.

PLATFORM: 
          
	  So far only Unix based platforms have been affected using known
          vulnerabilities.


IMPACT:   

	  Unix systems are being root compromised and used to scan/probe
	  other networks. Password sniffers have also been reported as
	  being installed to gather other account information.


RECOMMENDATIONS: 

          System Administrators are urged to check their systems for
          processes like "./k -o com.au" and "./scan -s". User accounts
          named "hc" and "hantu" are typically installed with home
          directories in /home/hu and /home/hantu. Various files are
          stored in the home directories and in other locations such
	  as /dev.

          Some files to look for on your system are:
            .s, /tmp/h, bj.c, /usr/bin/old, com.log, net.log,
            /dev/.imapshit

          The intruder typically installs a trojaned /bin/login.

          Also the intruder typically does not clean up after a compromise
          so the intrusions are relatively easy to detect.

          If you suspect that your site may have been compromised, we
          recommend you read:

            http://www.cert.org/tech_tips/intruder_detection_checklist.html

          If your site has been compromised, we recommend you read:

            http://www.cert.org/tech_tips/root_compromise.html

	  AusCERT is currently monitoring this problem, if you detect your
	  systems have been compromised please contact AusCERT.  We are
	  currently tracking this incident as AUSCERT#97913.  We would
	  appreciate you using this tracking code in the subject of any
	  email you send regarding this incident.

	  In addition, we are interested in eliciting your feedback
	  regarding this type of alert.  We realise that intrusions are
	  commonplace and that there is not a great deal of new technical
	  detail in this alert because it needed to be released in a timely
	  manner.  We would appreciate it if you could let us know whether
	  this type of alert (that is, current activity with some
	  information regarding modus operandi) is something you would
	  like us to continue to report.

- ---------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOMy1/Sh9+71yA2DNAQFYMwP7Bq4r1qrRPOeabAZN5Rv1z0zoz2sm8XE/
gBJM5lqZ9CABzmNMIZcw9cM2N+pRJeoOM9Vi0wCW3WwppQhc3WBv7dX6pR5bclDg
hsfVCx1WcFZNwIvEM3rtS+oNgRwOzq2wkZwfnVsGd5IQ4Ez3JBi4oC5Vo+XFlSKI
5eBVX5YJMHM=
=aDbE
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH