NO RESTRICTIONS
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
INFORMATION BULLETIN
New Internet Intrusions Detected
February 19, 1992, 1100 PDT Number C-16
________________________________________________________________________
PROBLEM: A new series of probes and penetrations on systems connected to
the Internet has been detected.
PLATFORM: Primarily UNIX systems.
DAMAGE: Trojan Horse programs replacing the su, ftp, and ftpd utilities
are common, other Trojan Horse programs detected include telnet
and login. Information on penetrated accounts has been posted
to public bulletin board systems.
SOLUTIONS: Verify that the utilities mentioned have not been modified
by comparing them with copies on the distribution media. Also
check for the existence of /usr/etc/... (dot, dot, dot),
/var/crash/..., /usr/etc/.getwd, /var/crash/.getwd, or /usr/kvw/...
________________________________________________________________________
Critical Information About Internet Intrusions
CIAC has learned of a new series of Internet attacks involving
primarily UNIX systems. The intruder is using vulnerabilities such as
TFTP (see CIAC bulletins A-19, A-21, B-44, and B-45 for more details)
to obtain copies of the password file on some Internet systems. The
passwords are then checked to see if any are easily guessed, and if
so, the account is used to gain access to the system. These attacks
are widespread, and accounts penetrated by these intruders are used to
attack other systems or gain root privilege on the penetrated system.
If the intruder gains root privilege, system binaries for the
utilities su, ftp, and ftpd may be replaced with Trojan Horse versions
that record subsequent passwords entered by legitimate users. In
addition the intruder may post the username, password, and system name
of the penetrated account to a public bulletin board system.
If you manage a UNIX system connected to the Internet, CIAC recommends
that you verify that the system binaries for the su, ftp, and ftpd
utilities have not been modified. This can be done by comparing the
binaries to those on the system distribution media or by using a CRC
package such as contained in SPI/UNIX (available at no cost to DOE
sites) to assure that the binaries have not been modified. Another
indication of this attack is the presence of files ... (dot, dot, dot)
in either the /usr/etc, /var/crash, or /usr/kvw directories or the
file .getwd in the /usr/etc/ or /var/crash directories.
Other indicators of this attack include:
o Presence of set-uid root shells named .a or wtrunc anywhere on
the system
o Addition of a "+" in the /etc/hosts.equiv file
o Addition of a .rhosts file in any home directory mentioned in
the /etc/passwd file containing the string "+ +" (plus, space, plus)
o Presence of a set-uid root file /usr/lib/lpx
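The binary-verification and indicator checks described above, as an added example in POSIX sh. This script is not part of the CIAC bulletin and is not SPI/UNIX; the binary locations in C16_BINS (SunOS-style paths) and the root-directory argument, which lets the checks be tried against a constructed directory tree, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin or of SPI/UNIX: a POSIX sh
# checker for the indicators listed in C-16. The binary paths in C16_BINS
# and the root-directory argument (so the checks can be tried on a
# constructed tree) are this script's own assumptions.

# Utilities the bulletin says were replaced with Trojan Horse versions
# (SunOS-style paths assumed; adjust to the local system).
C16_BINS="/bin/su /usr/bin/ftp /usr/etc/in.ftpd /usr/bin/telnet /bin/login"

# Record the CRC and size (cksum) of each listed binary found under $1
# into baseline file $2. Take the baseline from clean distribution media
# and keep the file where an intruder with root cannot rewrite it.
c16_baseline() {
    root="${1%/}"; out="$2"
    : > "$out"
    for b in $C16_BINS; do
        if [ -f "$root$b" ]; then
            cksum "$root$b" >> "$out"
        fi
    done
    return 0
}

# Re-check every entry in a baseline file; prints MODIFIED: for each file
# whose CRC or size differs (or which is gone). Returns 1 if any changed.
c16_verify() {
    base="$1"; changed=0
    while read -r crc size path; do
        now=$(cksum "$path" 2>/dev/null)
        if [ "$now" != "$crc $size $path" ]; then
            echo "MODIFIED: $path"
            changed=1
        fi
    done < "$base"
    return $changed
}

# Look for the filesystem indicators from the bulletin under root $1
# (default /). Prints one INDICATOR: line per hit and returns the hit
# count, so an exit status of 0 means nothing was found.
c16_scan() {
    root="${1:-/}"; root="${root%/}"; n=0
    # "..." directories and .getwd files in the locations the bulletin names
    for d in /usr/etc /var/crash /usr/kvw; do
        if [ -e "$root$d/..." ]; then
            echo "INDICATOR: $root$d/... exists"; n=$((n+1))
        fi
    done
    for d in /usr/etc /var/crash; do
        if [ -e "$root$d/.getwd" ]; then
            echo "INDICATOR: $root$d/.getwd exists"; n=$((n+1))
        fi
    done
    # set-uid files named .a or wtrunc anywhere on this filesystem; mode
    # and owner are printed so the reader can see whether it is root-owned
    suid=$(find "$root" -xdev -type f \( -name .a -o -name wtrunc \) -perm -4000 2>/dev/null)
    if [ -n "$suid" ]; then
        for f in $suid; do
            echo "INDICATOR: set-uid file $f ($(ls -l "$f" | awk '{print $1, $3}'))"
            n=$((n+1))
        done
    fi
    if [ -f "$root/usr/lib/lpx" ]; then
        echo "INDICATOR: $root/usr/lib/lpx present ($(ls -l "$root/usr/lib/lpx" | awk '{print $1, $3}'))"
        n=$((n+1))
    fi
    # a bare "+" line in hosts.equiv trusts every host for every user
    if [ -f "$root/etc/hosts.equiv" ] && grep -qxF '+' "$root/etc/hosts.equiv"; then
        echo "INDICATOR: bare + in $root/etc/hosts.equiv"; n=$((n+1))
    fi
    # "+ +" in the .rhosts of any home directory listed in /etc/passwd
    if [ -f "$root/etc/passwd" ]; then
        for h in $(cut -d: -f6 "$root/etc/passwd"); do
            r="$root$h/.rhosts"
            if [ -f "$r" ] && grep -qF '+ +' "$r"; then
                echo "INDICATOR: + + in $r"; n=$((n+1))
            fi
        done
    fi
    echo "$n indicator(s) found"
    return $n
}
```

Run the scan from a shell booted from clean media where possible: a Trojan Horse su implies an intruder who has had root, and who could therefore have replaced find, cksum or grep as well. The cksum CRC catches the careless replacements this bulletin describes, not a substitute deliberately built to match the baseline, and the baseline is only meaningful if it was taken before the suspected compromise. As the bulletin says, copy any file the scan flags to removable media before removing or replacing it.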
Should you encounter any of the above mentioned indicators of this
attack, CIAC recommends that you save a copy of the affected files on
tape or other removable media, remove or replace these files with
binaries from the system distribution media, and contact CIAC at the
number listed below. In addition, all passwords on the system should
be changed. CIAC recommends that you run the SPI/UNIX or comparable
package to verify that your passwords are robust and system binaries
have not been modified. Version 2.0 of SPI/UNIX has been released and
is available at no cost to the DOE community. Contact your local
Computer Security department or CIAC for assistance in obtaining or
installing this product.
For additional information or assistance, please contact CIAC:
Tom Longstaff
(510) 423-4416/(FTS) 543-4416
longstaf@llnl.gov
Call CIAC at (510) 422-8193/(FTS) 532-8193 or send e-mail to
ciac@llnl.gov. FAX messages to: (510) 423-8002/(FTS) 543-8002.
Previous CIAC bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).
PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your
agency's team will coordinate with CIAC.
The Computer Emergency Response Team/Coordination Center (CERT/CC)
provided some of the information used in this bulletin. Neither the
United States Government nor the University of California nor any of
their employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.