Date: Mon, 26 Feb 90 00:40:56 PST
Subject: Security Digest V2 #7

Security Digest Volume 2 Issue 7

subject(s):
    Hacker signs
    SunOS pty permissions problem

------------------------------------------------------------------------

Date: Mon, 26 Feb 90 00:02:43 EST
From: Gene Spafford
Subject: Hacker signs

We had a hacker break-in here last week. I talked with folks in some of the alphabet agencies about it (I do not like it when people are snooping through my files!). Here are some pointers to think about and check on your systems:

1) Hackers know about this list and have placed a "premium" on getting copies of the list mailings. If you have old copies on disk, encrypt them so that if someone does break in, they can't get them.

   [ Please, please, please - neil ]

2) Hackers/crackers are also after copies of source code to the Internet worm/Wank worm/viruses/etc. Encrypt or remove any such source on your system (I keep all such things on removable media. If I need to mount it, I remove my machine from the network, first.)

3) Crackers have copies of *very* fast password code. Some are advertising password cracking services ("You drop off the password file and we'll break easy passwords.") They are capable of checking over 100 passwords per second on their machines against large dictionaries. They don't care if they have to burn a week or so of cpu time -- they have 386 machines dedicated to this kind of thing. MAKE SURE YOUR USERS ARE USING "STRONG" PASSWORDS! Our system was compromised by accounts with "easy" passwords....and a SunOS 3.5 system.

4) A common trick is to break into your system and then leave passwords, trap door code, etc in files named "..." or a variant somewhere on your system. Try the following as root:

       find / -name "...*" -print

   Investigate any hits.

5) Common attacks being used these days are:
   a) the ftp "user" overwrite attack
   b) using ftp or telnet to attach to the rsh/rlogin ports and fake commands to create openings
   c) breaking SunOS "sysdiag" (evidently there is a hole in sysdiag that allows you to break out into a root shell -- if sysdiag is on your system, disable it or remove it).
   d) yppasswd overrun or funny character attacks in chfn or yppasswd settings

6) Common backdoors installed:
   a) new alias commands in your mailer alias file that run programs to let them in -- check your aliases
   b) planting checks in crontab-run shell files that look for certain files being present, and if so, copying setuid shells into place somewhere. (Check everything run by cron on a regular basis as root)

They also have source code for "login" and "telnetd" and their own versions. You should have (offline) a checksum, length and date for those programs as they appear on your distribution tape. Check them periodically for changes.

At least one group of these hackers scribbles over system files and commands to keep from being spotted, but trashing systems thru carelessness. I'm told that some of these guys are under surveillance, and the Feds are merely waiting for sufficient evidence to move in.

If your system has been compromised, don't try to play detective yourselves. Contact your nearest U.S. Attorney's office and tell them what is happening (if the attack is over the Internet or a phone line). Your report may be the necessary extra bit to nail the bastards. If you don't get any reasonable response, contact me by phone and I can put you in touch with people who probably will respond.

------------------------------------------------------------------------

Date: Wed, 14 Feb 90 11:35:17 I
From: Bill Wisner

I received this message from a local user today; if it's true (and it very well may be) it brings up an interesting problem and possibly something to tell Sun about. (hayes is an SS1 with SunOS 4.0.3.)

    Hey guy, you need to recompile login and logout. People can do the following and get passwords from people's accounts:

    cat
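Spafford's items 4 and 6 above ask for two routine checks: an offline baseline of checksum, length and date for binaries such as login and telnetd, verified periodically, and a sweep for files named "..." or a variant. The script below is an added example written for this digest, not code from the original posting; it assumes a POSIX sh with GNU coreutils (sha256sum and stat -c), and the baseline file it writes is meant to be copied offline after creation.

```shell
#!/bin/sh
# Added example: integrity baseline and "..." sweep (assumes GNU coreutils).

# baseline_make BASELINE_FILE path...
# Writes one "sha256 size mtime path" line per file. Store the result offline.
baseline_make() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(stat -c %s "$f")
        mtime=$(stat -c %Y "$f")
        printf '%s %s %s %s\n' "$sum" "$size" "$mtime" "$f" >> "$out"
    done
}

# baseline_check BASELINE_FILE
# Prints MISSING/CHANGED lines and returns 1 if any entry differs.
# The checksum is compared as well as size and mtime, so a replaced binary
# whose timestamp was restored with touch is still reported.
baseline_check() {
    rc=0
    while read -r sum size mtime f; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; rc=1; continue
        fi
        cur=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ] || [ "$(stat -c %s "$f")" != "$size" ] \
           || [ "$(stat -c %Y "$f")" != "$mtime" ]; then
            echo "CHANGED $f"; rc=1
        fi
    done < "$1"
    return $rc
}

# find_dotdotdot DIR
# Lists files under DIR whose name begins with "..." (item 4 of the posting).
find_dotdotdot() {
    find "$1" -name '...*' -print 2>/dev/null
}
```

Run baseline_make once against a clean distribution, keep the output off the machine, and run baseline_check from cron or by hand, comparing against a fresh copy of that offline file rather than one left on disk.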