The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #358 [Stock message] (1 message, 2286 bytes)


From: Mark Poepping <[email protected]>
To: [not phage]
Date: Fri 18:39:36 09/12/1988 EST
Subject: Stock message
References: [Thread Prev: 354] [Thread Next: 357] [Message Prev: 355] [Message Next: 357]

Here's a reworded message based on suggestions from Keith Bostic.
Changes include:
	- slight reword on the heading, we gathered this stuff from
		several sources (primarily Russell Brand and the
		examples are courtesy of Gene Spafford).
	- be sure the debug option is DISABLED on sendmail
	- reword item two just in case people thought like maybe they
		should delete the root account too..
	- reword item six since it wasn't too clear what we were
		getting at, though after some discussion, Keith did
		agree that it IS necessary to do local authentication
		before allowing access outside the local network.
	- Item 7 is a rumor, perhaps driven from a breakin which added
		a trap door using an unpassworded account.  I think it's
		ok to leave it in.  I'm open to suggestion.
Remember, the message is meant for a wide audience with varying backgrounds.
All comments are truly appreciated, we need to be sure we are accurately
representing the best information.
mark poepping
[email protected]


There have been several problems or attacks which have occurred in the
past few weeks.  In order to help secure your systems we have gathered
the following suggestions:

        1) Check that you are using version 5.59 of sendmail with the
           debug option DISABLED.  To verify the version try the following
           commands.  Use the telnet program to connect to your mail server.
           Telnet to your hostname or localhost with 25 following the host.
           The sendmail program will print a banner which will have the
           version number in it.  You need to be running version 5.59.
           Version 5.61 will be released on Monday 12/12/1988.  Any
           version less than 5.59 is a security problem.

           The following is a sample of the telnet command.

% telnet localhost 25
Connected to localhost.SEI.CMU.EDU.
220 Sendmail 5.59 ready at Wed, 7 Dec 88 15:45:55 EST
221 closing connection
Connection closed by foreign host.

        2) Verify with your systems support staff that the ftpd program
           patches have been installed.  Removing anonymous ftp is now
           known to NOT plug all security holes.  If you are not sure,
           ftp to, login as anonymous password ftp
           and get ftpd.shar.  This file contains the sources to the
           latest BSD release of the ftpd program.

        3) Check your /etc/passwd file for bogus entries.  Look for
           unauthorized accounts with the uid field set to zero (only
           the root account should have uid=0).  Remove any unauthorized
           entries.  The following is an example of what you might find.


           To check your /etc/passwd files for spurious accounts with uid 0,
           you can use the following awk program:

% awk -F: '$3 == 0 {print $0}' /etc/passwd

           If you are running YP on your machine, do:

% ypcat passwd | awk -F: '$3 == 0 {print $0}'

        4) Look for modified /bin/login and /usr/ucb/telnet files.
           Several sites have found these programs with new "backdoors"
           added.  Use the strings program to search /bin/login for the
           strings OURPW, knaobj, and knaboj.  If in doubt, reload the
           /bin/login and /usr/ucb/telnet executables from your
           distribution tape.

% strings  /bin/login | egrep '(OURPW|knaboj|knaobj)'

        5) Educate your users to create hard to guess passwords.  Account
           codes, first or last names, and common words are not very
           secure passwords.  A few examples of common words are words
           that refer to your town, location, or company and words that
           are found in /usr/dict/words.  Be especially careful of accounts
           where the password is the account name (easy to check, easy to

        6) In general, before you allow a user access to the Internet,
           you must be sure you know who they are.  In other words, all
           users should be forced through a login/password sequence
           (no unpassworded accounts and preferably someplace which logs
           connections) before you let them get outside your local network.
           Be especially careful with TCP/IP terminal servers.

        7) Check the last logs for normal logins as accounts which normally
           run utility programs (sync, who, etc), watch for unreasonable
           times..  watch for ftp's with funny logins (who, etc).

If you need additional information please call CERT at 412-268-7090.
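The checks in items 1, 3 and 4 of the message above, collected into a small POSIX shell script as an added example; this is not part of the original message or of any CERT material. It assumes nothing beyond awk, sed, tr and grep: the passwd sample is constructed inline, the sendmail banner is the one quoted in the message, and the backdoor-string check approximates strings(1) with tr so it has no extra dependency. The version comparison is done numerically on major.minor, which is the part item 1 leaves to the reader (a string comparison would rank "5.9" below "5.59").

```shell
#!/bin/sh
# Added example: the checks from items 1, 3 and 4 as reusable functions.
# Not code from the original message; the sample data below is constructed.

# Item 3: print every uid-0 account other than root itself.
# Argument: a passwd-format file; with no argument, read stdin
# (e.g. `ypcat passwd | extra_uid0_accounts`).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' ${1:+"$1"}
}

# Item 1: given the sendmail greeting banner, return 0 if the version is
# at least the required one (5.59 per the message), 1 otherwise.
# Usage: sendmail_version_ok "220 Sendmail 5.59 ready at ..." [required]
sendmail_version_ok() {
    banner=$1
    required=${2:-5.59}
    version=$(printf '%s\n' "$banner" |
        sed -n 's/^220 Sendmail \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    # An unparsable banner is treated as a failed check, not a pass.
    [ -n "$version" ] || return 1
    # Compare major.minor as numbers, not as strings.
    awk -v v="$version" -v r="$required" 'BEGIN {
        split(v, a, "."); split(r, b, ".")
        if (a[1]+0 > b[1]+0 || (a[1]+0 == b[1]+0 && a[2]+0 >= b[2]+0)) exit 0
        exit 1 }'
}

# Item 4: return 0 (suspicious) if a binary contains any of the backdoor
# markers named in the message, 1 if none is found. Non-printable bytes are
# turned into newlines with tr, which approximates what strings(1) does.
has_backdoor_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -q -E 'OURPW|knaboj|knaobj'
}

# Constructed sample passwd file: "toor" is the kind of spurious uid-0
# entry item 3 warns about.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Operator:/:/bin/sh
daemon:x:1:1::/:
sync:x:3:3::/:/bin/sync
toor:x:0:0:spare operator:/:/bin/sh
jsmith:x:201:20:John Smith:/u/jsmith:/bin/csh
EOF
}

# Demo on the constructed data; a real run would use /etc/passwd,
# `ypcat passwd`, and the banner captured from `telnet localhost 25`.
echo "Extra uid-0 accounts: $(sample_passwd | extra_uid0_accounts)"
if sendmail_version_ok "220 Sendmail 5.59 ready at Wed, 7 Dec 88 15:45:55 EST"; then
    echo "sendmail banner: version acceptable"
else
    echo "sendmail banner: version too old or unparsable"
fi
```

The functions return status codes rather than only printing, so they can be chained into a site-wide sweep (for example, running `has_backdoor_strings` over /bin/login and /usr/ucb/telnet on each host and collecting the hits), and `extra_uid0_accounts` reads stdin when given no file so the YP case in item 3 needs no special handling.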