UNIX Internet Attack Advisory

________________________________________________________________________

               THE COMPUTER INCIDENT ADVISORY CAPABILITY

                                 CIAC

                          ADVISORY  NOTICE

________________________________________________________________________

UNIX Internet Attack Advisory

February 23, 1990, 1500 PST                                     Number A-19


CIAC has learned of a large number of attacks on UNIX machines connected to the
Internet.  There are several groups of attackers using a variety of different
methods to break into systems.  One method is to use tftp to steal the password
file.  Another is to use sendmail to append additional entries onto .rhosts
files.  Still another is to log in to unpassworded system accounts and "Joe"
accounts (in which the username and password are identical).  Many of the
attackers then exploit unpatched vulnerabilities to obtain root privileges.
Using the root account, some have installed a modified version of /bin/login.
Modifications to /etc/utmp, /etc/wtmp, and /usr/adm/lastlog have also been made
to mask the intrusion.  The motivation for intrusion largely appears to be use
of machine time rather than destruction of files or damage to systems.
However, cases of malicious activity have also been observed.  This intrusion
activity is widespread, and is usually difficult to detect.



CIAC recommends that you take the following actions:

1. Ensure that you have installed any applicable patches (e.g., for tftp,
restore/dump, etc.--see previous CIAC bulletins) in your UNIX system.  (CIAC is
currently preparing a checklist to help you verify that you have installed all
the applicable patches.)

2. Regularly perform an integrity check on /bin/login.

3. Check for unpassworded accounts and "Joe" accounts--CIAC can supply DOE sites
with a copy of the Security Profile Inspector, a UNIX password checking tool.

4. Look for suspicious connections from the University of Texas and Dartmouth
University.

5. Look for strange files in /tmp.

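As an added example (not part of the CIAC bulletin and not the Security Profile Inspector), a small Python script that implements recommendations 2 and 3 from the defender's side: it baselines the SHA-256 of /bin/login and reports when the binary changes, and it flags accounts whose passwd(5) password field is empty. The file paths, passwd lines and hash strings are constructed; detecting "Joe" accounts additionally requires running crypt(3) on the username against the stored hash and is not shown here.

```python
import hashlib
import os
import tempfile

# Constructed passwd(5) sample; the hash strings are placeholders, not real crypt(3) output.
SAMPLE_PASSWD = """root:XyZ.abc123def:0:0:root:/:/bin/sh
guest::100:100:Guest account:/tmp:/bin/sh
field::101:101:Field service:/usr/field:/bin/sh
"""

def sha256_file(path):
    # Hash in chunks so a large binary need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths):
    # Record hashes while the system is known-good; store the result off the host.
    return {p: sha256_file(p) for p in paths}

def check_integrity(baseline):
    # Returns {path: "ok" | "modified" | "missing"} against the stored baseline.
    result = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            result[path] = "missing"
        elif sha256_file(path) != expected:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result

def find_unpassworded(passwd_text):
    # An empty second field means no password is required to log in.
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            hits.append(fields[0])
    return hits

def demo():
    # Constructed scenario: baseline a stand-in for /bin/login, then overwrite it.
    with tempfile.TemporaryDirectory() as d:
        login = os.path.join(d, "login")
        with open(login, "wb") as f:
            f.write(b"original login binary (constructed)")
        baseline = take_baseline([login])
        with open(login, "wb") as f:
            f.write(b"replaced login binary (constructed)")
        return check_integrity(baseline)[login]
```

On a real host, take_baseline(["/bin/login"]) would be run once from a trusted state and the baseline kept on write-protected or off-host media, since an intruder with root can rewrite a baseline stored locally.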

For additional information or assistance, please contact CIAC:

        David S. Brown
        (415) 423-9878 or (FTS) 543-9878
        FAX: (415) 423-0913 or (415) 294-5054

CIAC's business hours phone number is (415) 422-8193 or (FTS) 532-8193. You may
also send e-mail to:

        ciac@tiger.llnl.gov


Neither the United States Government nor the University of California nor any of
their employees, makes any warranty, expressed or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use would not
infringe privately owned rights.  Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor the
University of California, and shall not be used for advertising or product
endorsement purposes.
