ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V3 #2 1990-12-11 (1 file, 2294 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
Security Digest Volume 3 Issue 2

subject(s):

            probing from ghost.unimi.it

The unix security mailing list is by invitation only and contains
sensitive material which SHOULD NOT BE REVEALED to non-members.
DO NOT PUT ANY LIST CONTENTS IN LOCATIONS ACCESSIBLE TO NON-MEMBERS.
If you must keep copies on-line, please encrypt them at the very least.

PLEASE POST TO:                   firstname.lastname@example.org
PLEASE SEND EMERGENCY ALERTS TO:  email@example.com
PLEASE SEND REQUESTS TO:          firstname.lastname@example.org

Postings that describe security holes/fixes have a * in their subject.

------------------------------------------------------------------------

Date: Tue, 11 Dec 90 02:36:25 PST
From: neil (Neil Gorsuch)
Subject: probing from ghost.unimi.it

[ A site in Italy is probing internet sites.  First, a copy of this
message that was sent to cert was Cc:'ed to security-request: ]

} Subject: Security hole report
} We would be interested to receive your report on the new security hole.
} I have taken the liberty of forwarding your message to the persons
} responsible for USA network security, who would be even more interested
} in your report.
} (Sorry, <cert> etc., if your mailbox fills up, but better that 1000 people
} forward the message than no people do.)
}
} ------- Forwarded Message
}
} Date: Sun, 9 Dec 90 05:33:09 GMT
} From: Miners <email@example.com>
}
} To the Postmaster:
}
} We are a group of researchers and students of the state university
} of Milano (Italy), computer science Dept. that are working on security.
} For what we know, there is a common bug in some ARPA services or their
} installations.
} We are now trying to identify hosts that may be subject to this
} bug, in order to inform them as soon as we finish collecting the data.
}
} Nobody is going to try to intrude these systems.
}
} For any further explanation, please send mail to
} firstname.lastname@example.org, and we will reply as soon as possible.
}
} Massimo Cotrozzi
} Stefano Taino
}
} ------- End of Forwarded Message

[ cert then sent out this explanation: ]

} Subject: CERT Advisory - Security probes from Italy
}
} CERT Advisory
} December 10, 1990
} Security probes from Italy
}
} Many sites on the Internet received messages from
} "email@example.com" (184.108.40.206) on Sunday, December 9.  The
} messages stated that "miners" is a group of researchers and students
} in the computer science department at the state university of Milano
} in Italy; a group testing for a "common bug" in network hosts.  In
} addition to the messages, a number of sites detected probes
} from the unimi.it domain.  Later today, a number of individuals
} received a follow up message from "firstname.lastname@example.org"
} explaining the activities.
}
} We have received reports that this activity has now stopped, and an
} unofficial explanation has been provided by several administrators at
} the University of Milano.  The rest of this message describes the
} sequence of events and the security holes that were probed.
}
} Following the original messages from miners@ghost and
} postmaster@ghost, another message was sent on the afternoon of December
} 10th from several administrators at the University of Milano.  They
} stated that the authorities at the University had been informed and
} that the attempts had stopped.  They also noted that they had not been
} informed of the tests in advance.
}
} The administrators at the University of Milano have sent us a copy of
} the scripts that were used to probe the Internet sites.  These scripts
} checked for the existence of the sendmail WIZ and DEBUG commands,
} and attempted to get /etc/motd and/or /etc/passwd via TFTP and
} by exploiting an old vulnerability in anonymous FTP.  The scripts
} also attempted to rsh to a site and try to cat /etc/passwd.  Finally,
} the scripts mailed to root at each site they tested with the message
} from "email@example.com".
}
} The administrators at the University of Milano state that the group
} that did this was doing this to discover which (if any) sites might
} have had these security flaws, and then to let the sites know about
} these vulnerabilities.  They have stated that they still intend to
} inform sites that have these vulnerabilities.
}
} To our knowledge, no site was actually broken into (as of December 10,
} 1990).  Nonetheless, the CERT does not condone this type of activity.
}
} Most of the information in this advisory is based on information given
} to us via e-mail from individuals at the University of Milano.  We
} have not yet been able to check this information with any officials at
} the University; if we learn of any other significant information, we will
} update this advisory.

[ I certainly don't approve of strangers probing for security flaws,
even with the best of motives.  In addition to being rude, it can give
one a false sense of security to think that all of your security holes
have been discovered. - neil ]

------------------------------------------------------------------------

        End of Security Digest Volume 3 Issue 2
        **********************

Return-Path: uninet!sec-rqst%zardoz.uucp@ICS.UCI.EDU
END OF DOCUMENT
|ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.|