The 'Security Digest' Archives (TM)

ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V3 #2 1990-12-11 (1 file, 2294 bytes)
SOURCE: http://securitydigest.org/exec/display?f=zardoz/archive/302.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT


Security Digest Volume 3 Issue 2

subject(s):

            probing from ghost.unimi.it

The unix security mailing list is by invitation only and contains
sensitive material which SHOULD NOT BE REVEALED to non-members.
DO NOT PUT ANY LIST CONTENTS IN LOCATIONS ACCESSIBLE TO NON-MEMBERS.
If you must keep copies on-line, please encrypt them at the very least.

PLEASE POST TO:                              security@uninet.cpd.com
PLEASE SEND EMERGENCY ALERTS TO:   security-emergency@uninet.cpd.com
PLEASE SEND REQUESTS TO:             security-request@uninet.cpd.com

Postings that describe security holes/fixes have a * in their subject.


------------------------------------------------------------------------

Date: Tue, 11 Dec 90 02:36:25 PST
From: neil (Neil Gorsuch)
Subject: probing from ghost.unimi.it

[ A site in Italy is probing internet sites.  First, a copy of this
message that was sent to cert was Cc:'ed to security-request: ]

} Subject: Security hole report
} We would be interested to receive your report on the new security hole.
} I have taken the liberty of forwarding your message to the persons
} responsible for USA network security, who would be even more interested
} in your report.
} (Sorry, <cert> etc., if your mailbox fills up, but better that 1000 people
} forward the message than no people do.)
}
} ------- Forwarded Message
}
} Date: Sun, 9 Dec 90 05:33:09 GMT
} From: Miners <miners@ghost.unimi.it>
}
} To the Postmaster:
}
} We are a group of researchers and students of the state university
} of Milano (Italy), computer science Dept. that are working on security.
} For what we know, there is a common bug in some ARPA services or their
} installations.
} We are now trying to identify hosts that may be subject to this
} bug, in order to inform them as soon as we finish collecting the data.
}
} Nobody is going to try to intrude these systems.
}
} For any further explanation, please send mail to
} miners@ghost.unimi.it, and we will reply as soon as possible.
}
} Massimo Cotrozzi
} Stefano Taino
}
} ------- End of Forwarded Message

[ cert then sent out this explanation: ]

} Subject: CERT Advisory - Security probes from Italy
}
}                           CERT Advisory
}                         December 10, 1990
}                     Security probes from Italy
}
} Many sites on the Internet received messages from
} "miners@ghost.unimi.it" (131.175.10.64) on Sunday, December 9.  The
} messages stated that "miners" is a group of researchers and students
} in the computer science department at the state university of Milano
} in Italy; a group testing for a "common bug" in network hosts.  In
} addition to the messages, a number of sites detected probes
} from the unimi.it domain.  Later today, a number of individuals
} received a follow-up message from "postmaster@ghost.unimi.it"
} explaining the activities.
}
} We have received reports that this activity has now stopped, and an
} unofficial explanation has been provided by several administrators at
} the University of Milano.  The rest of this message describes the
} sequence of events and the security holes that were probed.
}
} Following the original messages from miners@ghost and
} postmaster@ghost, another message was sent on the afternoon of December
} 10th from several administrators at the University of Milano.  They
} stated that the authorities at the University had been informed and
} that the attempts had stopped.  They also noted that they had not been
} informed of the tests in advance.
}
} The administrators at the University of Milano have sent us a copy of
} the scripts that were used to probe the Internet sites.  These scripts
} checked for the existence of the sendmail WIZ and DEBUG commands,
} and attempted to get /etc/motd and/or /etc/passwd via TFTP and
} by exploiting an old vulnerability in anonymous FTP.  The scripts
} also attempted to rsh to a site and try to cat /etc/passwd.  Finally,
} the scripts mailed to root at each site they tested with the message
} from "miners@ghost.unimi.it".
}
} The administrators at the University of Milano state that the group
} that did this was doing this to discover which (if any) sites might
} have had these security flaws, and then to let the sites know about
} these vulnerabilities.  They have stated that they still intend to
} inform sites that have these vulnerabilities.
}
} To our knowledge, no site was actually broken into (as of December 10,
} 1990).  Nonetheless, the CERT does not condone this type of activity.
}
} Most of the information in this advisory is based on information given
} to us via e-mail from individuals at the University of Milano.  We
} have not yet been able to check this information with any officials at
} the University; if we learn of any other significant information, we will
} update this advisory.

[ I certainly don't approve of strangers probing for security flaws,
even with the best of motives.  In addition to being rude, it can give
one a false sense of security to think that all of your security holes
have been discovered. - neil ]
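
A defender's view of the probes the advisory lists, as an added example that is not part of the original digest or of CERT's text: it tallies, per source host, which of the listed probe types appear in service logs. The log format, daemon labels, function names and sample lines are constructed for illustration; only the address and domain come from the advisory.

```python
import re
from collections import defaultdict

# Constructed, simplified log format (an assumption, not a real daemon's):
#   "<daemon> from=<host> <detail>"
LINE = re.compile(r"^(?P<daemon>\w+)\s+from=(?P<src>\S+)\s+(?P<detail>.*)$")
FILES = r"/etc/(?:passwd|motd)\b"

# One rule per probe type listed in the advisory.
RULES = [
    ("sendmail-wiz",   "smtpd", re.compile(r"\bcmd=wiz\b", re.I)),
    ("sendmail-debug", "smtpd", re.compile(r"\bcmd=debug\b", re.I)),
    ("tftp-file-read", "tftpd", re.compile(r"\bget\s+" + FILES)),
    ("anon-ftp-read",  "ftpd",  re.compile(r"\buser=(?:anonymous|ftp)\b.*" + FILES, re.I)),
    ("rsh-passwd",     "rshd",  re.compile(r"\bcat\s+/etc/passwd\b")),
]

def classify(line):
    """Return (source, probe_type) for a matching line, else None."""
    m = LINE.match(line.strip())
    for name, daemon, pattern in RULES if m else []:
        if m["daemon"] == daemon and pattern.search(m["detail"]):
            return m["src"].lower(), name
    return None

def summarize(lines):
    """Map each source host to the sorted list of probe types it attempted."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return {src: sorted(kinds) for src, kinds in seen.items()}

def named_in_advisory(src):  # address or domain the advisory identifies
    return src == "131.175.10.64" or src == "unimi.it" or src.endswith(".unimi.it")

def sweeps(report, threshold=3):  # sources that tried several distinct probe types
    return sorted(s for s, kinds in report.items() if len(kinds) >= threshold)

SAMPLE = [  # constructed lines, not real log data
    "smtpd from=ghost.unimi.it cmd=WIZ",
    "smtpd from=ghost.unimi.it cmd=DEBUG",
    "tftpd from=131.175.10.64 get /etc/passwd",
    "ftpd from=ghost.unimi.it user=anonymous retr /etc/motd",
    "rshd from=ghost.unimi.it cmd='cat /etc/passwd'",
    "smtpd from=mail.example.org cmd=HELO",
]
```

A source that shows up under several probe types in a short window is the pattern of a scripted sweep like the one described; a single hit is weaker evidence and needs the surrounding session to judge.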

------------------------------------------------------------------------





        End of Security Digest Volume 3 Issue 2
        **********************

END OF DOCUMENT