The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #332 [a non-viral incident] (1 message, 814 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/332.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: brand@lll-crg.llnl.gov (Russell Brand)
To: phage
Date: Mon 21:06:10 05/12/1988 EST
Subject: a non-viral incident
References: [Thread Prev: 336] [Thread Next: 333] [Message Prev: 331] [Message Next: 333]


The following statement is being relased by llnl:

llnl has observed unusual network behavior on a small number of
unclassified computers at LLNL and other locations.

We have determined that at least 5 llnl and 5 non-llnl systems were
entered without authorization.

An unauthorized user copied and modified password files to insert an
extra privileged user account and attempted to alter system programs.
The unauthorized user modified system dates apparently to confuse
auditing and accouting facilities.

This incident was quickly noticed at LLNL by staff programmers who are
taking protective actions and have notified other sites that were
affected so that they can also take appropriate protective measures.

Normal operations were quickly restored.  LLNL continues to monitor the
situation.  This attack appears unrelated other recent incidents and
does not involve a worm/virus program.



- - - -

If people could look to see if thre are any copies of password files
living in guest accounts, ~ftp, ~uucp accounts with no indication of
how they got or strange changes in system date,  (more than a day than
changed back) please let me know.

-tiredly

wuthel
brand@lll-crg.llnl.gov

END OF DOCUMENT