________________________________________________________________
     CIAC Computer Incident Advisory Capability Information Bulletin
________________________________________________________________

October 9, 1989                                             Notice A-1

CIAC (the Computer Incident Advisory Capability) has learned of a series of attacks on a set of UNIX computers attached to the Internet. This series of attacks targets anonymous ftp to gain access to the password file, then uses accounts from that file that have easily guessed passwords to gain access to the machine. Once access is gained to the machine, a trojan horse is installed in the Telnet program (as described in a previous CIAC bulletin) to record further user accounts and passwords. The TFTP facility has also been used in this sequence of break-ins. This bulletin describes the nature of the threat and suggests a procedure to protect your computers.

This is a limited distribution information bulletin to warn your site of a series of hacker/cracker attacks on the Internet. This bulletin is being sent to you because our records indicate that your site is connected to the Internet. Please inform CIAC if this is not true. Also, if you are not the CPPM or CSSM for your site, will you please promptly forward this bulletin to that person or persons?

There has been a series of break-ins into UNIX machines connected to the Internet. These break-ins were at first largely into systems in North and South Carolina, but they have spread rapidly. They appear to be the work of a group of hackers with fairly identifiable patterns of attack. You should be aware of these attack patterns, and should take the measures described below to prevent break-ins at your site.

The attackers are using anonymous ftp (the ability to use ftp as a guest) to obtain copies of a machine's encrypted password file. They then decrypt passwords and use them to log into an account on that machine.
They become root, then install the trojan horse version of Telnet, about which CIAC alerted you nearly two months ago. This trojan horse collects the passwords of Telnet users, which the hackers then use to break into other machines. The hackers are also using .rhosts and hosts.equiv to gain entry into other systems once they have broken into a new machine. The TFTP facility is also used to gain access to a machine.

The attackers have not been destroying files or damaging systems. To avoid being detected and/or monitored, however, they have many times waited several weeks or even longer after obtaining passwords before breaking into a system. This threat seems to center on systems that have not installed the distributed patches for already known vulnerabilities in the UNIX operating system.

CIAC recommends that you take three courses of action:

1) Look for connections between machines in your network and host machines that would not normally be connected to your site. If many such connections exist, there is a strong possibility that they are not legitimate. Currently many of these unauthorized connections and attacks have been coming from:

   - universities in North and South Carolina
   - universities in Boston
   - universities and computer companies in the California Berkeley/Palo Alto area

   Any unusual and unexplained activity from these locations is worth special attention, as it is likely to be an attack.

2) Look for the Telnet trojan horse, using the command:

       strings `which telnet` | grep \@\(\#\) | grep on/off

   Any lines printed by this command indicate that you have been affected by the trojan horse. If you discover that you have been affected by the trojan horse program, please contact CIAC for recovery procedures.

3) If the hosts.equiv file contains a "+", unauthorized users can gain entry into the system. You should therefore inform system managers that they should remove "+" from any hosts.equiv files.
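As an added example (this is not code from the CIAC bulletin), the following POSIX shell script turns the three recommended checks into functions a system manager could run on each host. The Telnet test is the bulletin's own strings/grep pipeline applied to a given file; the hosts.equiv test flags entries whose host field is "+"; the connection check compares a list of observed peers against a site allowlist, which is an assumed way of implementing recommendation 1. All inputs are constructed samples written to a temporary directory, and the "trojaned" file is only a text stand-in that matches the bulletin's grep, not a real Telnet binary.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin. Automates the bulletin's three
# recommended checks against constructed sample files so it runs offline.

# Recommendation 2: the bulletin's test for the trojaned Telnet, i.e.
#   strings `which telnet` | grep \@\(\#\) | grep on/off
# applied to the file named in $1. Exit status 0 means the marker was found.
telnet_looks_trojaned() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        # fallback when binutils' strings is absent: keep runs of printable text
        tr -c '[:print:]\n' '\n' < "$1"
    fi | grep '@(#)' | grep -q 'on/off'
}

# Recommendation 3: a hosts.equiv (or ~/.rhosts) entry whose host field is "+"
# trusts every host on the network. Exit status 0 means such an entry exists.
hosts_equiv_has_wildcard() {
    awk '$1 == "+" { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Recommendation 1 (assumed implementation): report remote peers that are not
# on the site's allowlist. $1: file with one "local_addr remote_addr" pair per
# line (as one would extract from netstat); $2: file of shell patterns naming
# expected remote hosts or networks. Prints unexplained remotes, deduplicated.
unexplained_peers() {
    while read -r lhost rhost; do
        [ -n "$rhost" ] || continue          # skip blank or malformed lines
        ok=0
        while read -r pat; do
            [ -n "$pat" ] || continue
            case "$rhost" in $pat) ok=1; break ;; esac
        done < "$2"
        [ "$ok" -eq 0 ] && echo "$rhost"
    done < "$1" | sort -u
}

# Constructed sample inputs (placeholders, not taken from any real system).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf '@(#)telnet.c 1.1 (constructed) log on/off\nbuild 1\n' > "$SAMPLES/telnet.trojaned"
printf '@(#)telnet.c 1.1 (constructed)\nbuild 1\n' > "$SAMPLES/telnet.clean"
printf '# hosts.equiv\nmail.example.com\n+\n' > "$SAMPLES/hosts.equiv.bad"
printf '# hosts.equiv\nmail.example.com\n' > "$SAMPLES/hosts.equiv.ok"
printf '192.0.2.*\n198.51.100.*\n' > "$SAMPLES/allow"
printf '192.0.2.10 192.0.2.44\n192.0.2.10 198.51.100.7\n192.0.2.10 203.0.113.9\n192.0.2.10 203.0.113.9\n192.0.2.10 203.0.113.200\n' > "$SAMPLES/conns"

# Run all three checks against the samples; last line printed is "findings: N".
run_checks() {
    findings=0
    if telnet_looks_trojaned "$SAMPLES/telnet.trojaned"; then
        echo "telnet: trojan marker present; contact CIAC for recovery procedures"
        findings=$((findings + 1))
    fi
    if hosts_equiv_has_wildcard "$SAMPLES/hosts.equiv.bad"; then
        echo "hosts.equiv: '+' wildcard entry present; remove it"
        findings=$((findings + 1))
    fi
    peers=$(unexplained_peers "$SAMPLES/conns" "$SAMPLES/allow")
    if [ -n "$peers" ]; then
        echo "unexplained remote peers:"
        echo "$peers"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
}

run_checks
```

On a real host one would point telnet_looks_trojaned at `which telnet`, hosts_equiv_has_wildcard at /etc/hosts.equiv and each user's .rhosts, and feed unexplained_peers the local/remote address pairs parsed from netstat. The allowlist is deliberately a list of shell patterns rather than single addresses so that whole networks a site normally talks to can be excused in one line, leaving only genuinely unexpected peers for a person to review.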
Please refer questions to:

    CIAC, Thomas Longstaff
    Lawrence Livermore National Laboratory
    P.O. Box 808 L-540
    Livermore, CA 94550
    (415) 423-4416 or (FTS) 543-4416
    longstaf@frostedflakes.llnl.gov