The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #353 [Some warnings] (1 message, 1958 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/353.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Gene Spafford <spaf>
To: phage
Date: Thu 19:44:08 08/12/1988 EST
Subject: Some warnings
References: [Thread Prev: 352] [Thread Next: 355] [Message Prev: 352] [Message Next: 354]

The following is some information being distributed by the CERT related to
the recent rash of machine break-ins.  Following it are some notes I have
added to expand on some of these points.

------- Forwarded Message

Date:    Thu, 08 Dec 88 19:31:36 -0500
Subject: Stock message


There have been several problems or attacks which have occurred in the
past few weeks.  In order to help secure your systems we suggest the
following:

        1) Check that you are using version 5.59 of sendmail.  To
           verify the version try the following commands.  Use the
           telnet program to connect to your mail server.  Telnet
           to your hostname or localhost with 25 following the host.
           The sendmail program will print a banner which will have the
           version number in it.  You need to be running version 5.59.
           Version 5.61 will be released on Monday 12/12/1988.  Any
           version less than 5.59 is a security problem.

           The following is a sample of the telnet command.

% telnet localhost 25
Trying...
Connected to localhost.SEI.CMU.EDU.
220 ed.sei.cmu.edu Sendmail 5.59 ready at Wed, 7 Dec 88 15:45:55 EST
Quit
221 ed.sei.cmu.edu closing connection
Connection closed by foreign host.
%

        2) Verify with your systems support staff that the ftpd program
           patches have been installed.  Removing anonymous ftp is now
           known to NOT plug all security holes.  If you are not sure,
           ftp to ucbarpa.berkeley.edu, login as anonymous password ftp
           and get ftpd.shar.  This file contains the sources to the
           latest BSD release of the ftpd program.

        3) Check your /etc/passwd file for bogus entries.  Look for
           accounts with the uid field set to zero.  Remove these
           entries.  The following is an example of what you might find.

                install::0:1::/:

        4) Look for modified /bin/login and /usr/ucb/telnet files.
           Several sites have found these programs with new "backdoors"
           added.  Use the strings program to search /bin/login for the
           strings OURPW, knaobj, and knaboj.  If in doubt, reload the
           /bin/login and /usr/ucb/telnet executables from your
           distribution tape.

        5) Educate your users to create hard to guess passwords.  Account
           codes, first or last names, and common words are not very
           secure passwords.  A few examples of common words are words
           that refer to your town, location, or company and words that
           are found in /usr/dict/words.  Be especially careful of accounts
           where the password is the account name (easy to check, easy to
           guess.

        6) If you have any TCP/IP terminal servers, they should either
           have password protection or (better yet) be prevented from
           making connections elsewhere in the Internet.

        7) check the last logs for normal logins as accounts which normally
           run utility programs (sync, who, etc), watch for unreasonable
           times..  watch for ftp's with funny logins (who, etc).

If you need additional information please call CERT at 412-268-7090.

------- End of Forwarded Message

To check your /etc/passwd files for spurious accounts with uid 0, you can
use the following awk program:
awk -F: '$3 == 0 {print $0}' /etc/passwd

If you are running YP on your machine, do:
ypcat passwd | awk [...as above]


Run the "strings" program on your /bin/login program.  If you find
any of the following strings in the output, your system has been compromised:
OURPW	knaboj knaobj

One way to do this is:
strings - /bin/login | egrep '(OURPW|knaboj|knaobj)'


If you have an Annex box or other terminal server, make sure access to it
uses passwords.  Some of the people doing the recent breakins have been
dialing in to these and effectively using them as TACs.  This allows
people access to the Internet who shouldn't have such access....


Mr. News,
--spaf

END OF DOCUMENT