The 'Security Digest' Archives (TM)


ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V2 #7 1990-02-26 (1 file, 2750 bytes)


Date: Mon, 26 Feb 90 00:40:56 PST
Subject: Security Digest V2 #7

Security Digest Volume 2 Issue 7


            Hacker signs
            SunOS pty permissions problem


Date: Mon, 26 Feb 90 00:02:43 EST
From: Gene Spafford <uunet!!spaf>
Subject: Hacker signs

We had a hacker break-in here last week.  I talked with folks in some
of the alphabet agencies about it (I do not like it when people are
snooping through my files!).  Here are some pointers to think about and
check on your systems:

1) Hackers know about this list and have placed a "premium" on getting
copies of the list mailings.  If you have old copies on disk, encrypt
them so that if someone does break in, they can't get them.

[ Please, please, please - neil ]

2) Hackers/crackers are also after copies of source code to the
Internet worm/Wank worm/viruses/etc.  Encrypt or remove any such
source on your system (I keep all such things on removable media.  If
I need to mount it, I remove my machine from the network, first.)

3) Crackers have copies of *very* fast password code.  Some are
advertising password cracking services ("You drop off the password
file and we'll break easy passwords.")  They are capable of checking
over 100 passwords per second on their machines against large
dictionaries.  They don't care if they have to burn a week or so of
cpu time -- they have 386 machines dedicated to this kind of thing.

compromised by accounts with "easy" passwords....and a SunOS 3.5

4) A common trick is to break into your system and then leave
passwords, trap door code, etc in files named "..." or a variant
somewhere on your system.  Try the following as root:
find / -name "...*" -print
Investigate any hits.

5) Common attacks being used these days are:
a) the ftp "user" overwrite attack
b) using ftp or telnet to attach to the rsh/rlogin ports and fake
commands to create openings
c) breaking SunOS "sysdiag"  (evidently there is a hole in sysdiag
that allows you to break out into a root shell -- if sysdiag is on
your system, disable it or remove it).
d) yppasswd overrun or funny character attacks in chfn or yppasswd settings

6) Common backdoors installed:
a) new alias commands in your mailer alias file that run programs to
let them in -- check your aliases
b) planting checks in crontab-run shell files that look for certain
files being present, and if so, copying setuid shells into place
somewhere.  (Check everything run by cron on a regular basis as root)

They also have source code for "login" and "telnetd" and their own
versions.  You should have (offline) a checksum, length and date for
those programs as they appear on your distribution tape.  Check them
periodically for changes.

At least one group of these hackers scribbles over system files and
commands to keep from being spotted, but trashing systems thru

I'm told that some of these guys are under surveillance, and the Feds
are merely waiting for sufficient evidence to move in.  If your
system has been compromised, don't try to play detective yourselves.
Contact your nearest U.S. Attorney's office and tell them what is
happening (if the attack is over the Internet or a phone line).
Your report may be the necessary extra bit to nail the bastards.
If you don't get any reasonable response, contact me by phone and I
can put you in touch with people who probably will respond.
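Added example, not part of Spafford's message or the digest: three of the checks above as POSIX sh functions, the "..." file sweep (item 4), mailer aliases that deliver to a program (item 6a), and the offline checksum comparison for login/telnetd. The sample tree, alias file and baseline are constructed inside the script; the baseline format (plain `cksum` output with paths relative to the tree root) is an assumption.

```shell
#!/bin/sh
# Added example, not from the digest. Three of Spafford's checks as shell
# functions; the sample tree they run on is constructed by build_sample_tree.

# Item 4: files or directories whose name begins with "..." anywhere in $1.
find_dot_files() {
    find "$1" -name '...*' -print 2>/dev/null
}

# Item 6a: alias entries that deliver to a program ("|...") rather than a
# mailbox. $1 is the aliases file. Comment lines are skipped.
suspicious_aliases() {
    grep -E '^[^#][^:]*:[[:space:]]*"?[|]' "$1"
}

# Offline baseline check for login/telnetd: $1 holds `cksum` output
# ("crc length path", paths relative to the tree root), $2 is the tree
# root with a trailing slash. Prints CHANGED: for every binary that drifted.
check_baseline() {
    while read -r crc len path; do
        cur=$(cksum "$2$path" 2>/dev/null | awk '{print $1, $2}')
        [ "$cur" = "$crc $len" ] || echo "CHANGED: $path"
    done < "$1"
}

# Constructed sample (assumption, for the demonstration only): a hidden
# "..." directory, a stray "...x" file, one piped alias, and a login binary
# that is modified after its baseline was recorded. Prints the tree root.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/spool/..." "$t/tmp" "$t/etc" "$t/bin"
    : > "$t/tmp/...x"
    printf 'postmaster: root\nbackup: "|/bin/sh /tmp/.x"\n' > "$t/etc/aliases"
    printf 'login v1\n' > "$t/bin/login"
    printf 'telnetd v1\n' > "$t/etc/telnetd"
    ( cd "$t" && cksum bin/login etc/telnetd ) > "$t/baseline"
    printf 'login v1 plus something extra\n' > "$t/bin/login"   # drift
    echo "$t"
}

# Stand-alone run over the constructed tree: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    T=$(build_sample_tree)
    find_dot_files "$T"; suspicious_aliases "$T/etc/aliases"
    check_baseline "$T/baseline" "$T/"
fi
```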


Date: Wed, 14 Feb 90 11:35:17 I
From: Bill Wisner <uunet!!wisner>

I received this message from a local user today; if it's true (and it
very well may be) it brings up an interesting problem and possibly
something to tell Sun about. (hayes is an SS1 with SunOS 4.0.3.)

Hey guy, you need to recompile login and logout.  People can do the following
and get passwords from people's accounts:

cat </dev/ttyp? &
this will work if the ? is an inactive terminal.  All tty's are apparently set
at ugo+rw prior to someone logging in.  You can add a simple routine to the
logout program that will leave the privs on these tty's as ug+rw and that will
keep most folks out.


Date: Fri, 16 Feb 90 13:03:36 CST
From: uunet!!btk (Bryan Koch)
Subject: SunOS pty permissions problem

I received the following problem report from one of our administrators.
I've looked through past Security Digests and didn't find any references
to this particular problem, and don't recall seeing anything on it elsewhere.

Simply changing the permissions on /dev/pty* would mean that
cut/paste wouldn't work on windowed displays.  Any help or suggestions or
pointers will be appreciated.

    While being asked how to prevent getting one's terminal clobbered by
    using the write command, I explained the special file concept and
    thereby discovered that on (SunOS 4.0.3) and also on (SunOS 3.5)
    all available pseudo terminals are owned by root with rw permission
    set for owner, group, and others. Thus it is possible to grab everybody's
    password by simply opening the device and waiting for someone to log in.
    We have notified our local SUN distributor and are waiting for a response
    on how to fix this problem.

    On (Cray Research's UNICOS) the permissions are set correctly.
    If you do have a solution, please let me know asap.
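Added example, not part of either report or the digest: an audit of a /dev-style directory for tty and pty nodes that "others" can read or write, which is the exposure both Wisner's user and Koch's administrator describe, plus the ug+rw restriction the first message suggests (later Unix systems settled on mode 620 with group tty so that setgid-tty tools such as write keep working). The directory it runs on is constructed from plain files, since creating device nodes needs root; that stand-in is an assumption.

```shell
#!/bin/sh
# Added example, not from the digest. Audits a /dev-style directory for
# tty/pty nodes that "others" can read or write, and closes one with the
# ug+rw mode suggested in the first report.

# Prints "name mode" for every tty*/pty* entry in $1 whose "other" bits
# include r or w. Parses ls -l so it works on any Unix without GNU stat.
audit_ttys() {
    for f in "$1"/tty* "$1"/pty*; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)          # e.g. crw-rw-rw-
        case $(printf '%s' "$mode" | cut -c8-10) in
            *r*|*w*) echo "$(basename "$f") $mode" ;;
        esac
    done
}

# Drops the "other" bits on one device, leaving owner and group rw.
close_tty() {
    chmod ug=rw,o= "$1"
}

# Constructed stand-in for /dev (assumption: plain files, since device
# nodes need root): two wide-open nodes as on the SunOS systems in the
# reports and one already restricted. Prints the directory.
build_sample_dev() {
    d=$(mktemp -d)
    for n in ttyp0 ttyp1 ptyp0; do : > "$d/$n"; done
    chmod 666 "$d/ttyp0" "$d/ptyp0"
    chmod 660 "$d/ttyp1"
    echo "$d"
}

# Stand-alone run: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    D=$(build_sample_dev)
    audit_ttys "$D"            # flags ttyp0 and ptyp0
    close_tty "$D/ttyp0"
    audit_ttys "$D"            # only ptyp0 remains
fi
```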


        End of Security Digest Volume 2 Issue 7