________________________________________________________________
            THE COMPUTER INCIDENT ADVISORY CAPABILITY
                     CIAC ADVISORY NOTICE
________________________________________________________________

NOTICE OF TROJAN HORSE PROGRAM AFFECTING COMPUTERS ON THE INTERNET USING TELNET

The DOE Computer Incident Advisory Capability (CIAC) has learned of a trojan horse program spreading over the Internet. It has caused unauthorized system activity on several computers that run Telnet. The bogus Telnet program logs outgoing login sessions, including the user names and passwords typed into them. The problem could extend to any version of Telnet for which an attacker has the source code. So far only UNIX systems have been affected, but any system to which an attacker can gain access could be affected in the future.

Historically, the program has written its logs to directories with names such as "..." and ".mail". One way to check whether your Telnet program has been modified is therefore to search the binary for these directory names (e.g., with the UNIX "strings" command). Attackers may not use the same names in the future, however, since the logging directory is chosen when the trojan horse is compiled. CIAC therefore recommends that you periodically use one of the following methods to determine whether the trojan horse has replaced your Telnet program:

1) Compare the size of the original Telnet binary with the installed version. A difference in size indicates that the installed version has been modified and should be checked. (An identical size does not prove the program is clean.)

2) Compare a known-clean copy of Telnet (the original distribution binary, or one rebuilt from the original source) with the installed version using a comparison program such as cmp or diff, or by comparing sum checksums, to identify modifications to the installed version.
3) Use the command:

   strings `which telnet` | grep / | grep -v \@\(\#\) | grep -v on/off

This prints all absolute pathnames (i.e., filenames with an explicit directory component) embedded in the program, minus the "@(#)" version strings and the "on/off" help text, unless the attacker constructed them specifically to defeat this test. In a clean Telnet the output is normally just:

   /etc/services
   /etc/hosts

(Note: this test is a "quick and dirty" check for the trojan horse program. It avoids having to load a clean copy from tape for the slower but more thorough comparison tests above.)

If you find that you have been affected by the trojan horse program, you will need to:

1) remove any log files the program has created,

2) change all passwords on all your machines, because the trojan horse captures passwords that are then used to break into other machines, and

3) reinstall a clean version of the Telnet program. Do this before users change their passwords, or the new passwords will be logged as well.

In addition, if you have been affected, you can help CIAC reach others who are also affected but may not yet realize it. Please inform CIAC of:

1) what files the bogus program created, and

2) the logins coming into the affected machine(s). (You can obtain a list of these with the UNIX "last" command.)

If you have been affected or need further information, please contact Gene Schultz, CIAC Manager, at (415) 422-8193 or (FTS) 532-8193, or send e-mail to gschultz%nsspa@icdc.llnl.gov or ciac@tiger.llnl.gov.
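The three detection methods above, as an added shell example that is not part of the CIAC advisory: method 3 (the strings | grep pathname check) is wrapped in a function that flags any pathname other than /etc/services and /etc/hosts, a second function searches for the "..." and ".mail" log directory names the advisory says earlier copies used, and methods 1 and 2 are combined into a size-plus-checksum comparison against a known-clean copy (cksum is used in place of sum so the output format is portable, and a tr fallback stands in for strings on systems without it; both are this example's choices, not the advisory's). The file names and contents in the usage lines are constructed for illustration and are not real telnet binaries.

```shell
#!/bin/sh
# Added example, not part of the CIAC advisory: the advisory's "quick and
# dirty" strings|grep check as functions, plus a checksum comparison against
# a known-clean copy. Sample files in the usage below are constructed.

# Print printable strings of 4+ characters, like strings(1); fall back to
# tr(1) on systems without binutils (this fallback is an assumption of the
# example, not something the advisory describes).
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
    fi
}

# Absolute pathnames embedded in a binary, minus SCCS "@(#)" version strings
# and the "on/off" help text: the advisory's method 3.
telnet_paths() {
    printable_strings "$1" | grep / | grep -v '@(#)' | grep -v 'on/off' || true
}

# Return 0 only if every embedded pathname is one the advisory lists as
# normal for a clean telnet; print the strays and return 1 otherwise.
check_telnet_paths() {
    strays=$(telnet_paths "$1" | grep -v -x -e /etc/services -e /etc/hosts || true)
    if [ -n "$strays" ]; then
        printf 'unexpected pathname(s) in %s:\n%s\n' "$1" "$strays"
        return 1
    fi
    return 0
}

# Look for the log directory names the advisory says earlier copies used
# ("..." and ".mail"). A later build may use different names, so a miss
# here proves nothing; a hit is worth investigating.
known_log_names() {
    printable_strings "$1" | grep -E '\.\.\.|\.mail'
}

# Methods 1 and 2 combined: cksum prints "crc size", so comparing its
# output checks both size and content against the clean copy in $1.
# Equal size alone would not be proof of integrity.
matches_clean_copy() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# Usage with constructed sample files (not real telnet binaries):
#   printf 'junk\n/etc/services\n/etc/hosts\n@(#)telnet.c 5.1 src/ucb\ntoggle on/off\n' > clean
#   printf 'junk\n/etc/services\n/etc/hosts\n/usr/spool/.../.mail\n' > trojan
#   check_telnet_paths clean    # exit 0, prints nothing
#   check_telnet_paths trojan   # exit 1, prints /usr/spool/.../.mail
#   matches_clean_copy clean /usr/ucb/telnet || echo "installed telnet differs"
```

Run check_telnet_paths against the installed binary (e.g., `check_telnet_paths "$(command -v telnet)"`); an unexpected pathname, or a hit from known_log_names, is the cue to fall back on the full comparison with a clean copy from tape.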