-----BEGIN PGP SIGNED MESSAGE-----


CA-89:03
                                CERT Advisory
                               August 16, 1989
                           Telnet Breakin Warning

- ----------------------------------------------------------------------------

Many computers connected to the Internet have recently experienced
unauthorized system activity.  Investigation shows that the activity
has occurred for several months and is spreading.  Several UNIX
computers have had their "telnet" programs illicitly replaced with
versions of "telnet" which log outgoing login sessions (including
usernames and passwords to remote systems).  It appears that access
has been gained to many of the machines which have appeared in some of
these session logs.  (As a first step, frequent telnet users should
change their passwords immediately.)  While there is no cause for
panic, there are a number of things that system administrators can do
to detect whether the security on their machines has been compromised
using this approach and to tighten security on their systems where
necessary.  At a minimum, all UNIX site administrators should do the
following:

o Test telnet for unauthorized changes by using the UNIX "strings"
 command to search for path/filenames of possible log files.  Affected
 sites have noticed that their telnet programs were logging information
 in user accounts under directory names such as "..." and ".mail".

In general, we suggest that site administrators be attentive to
configuration management issues.  These include the following:


o Test authenticity of critical programs - Any program with access to
 the network (e.g., the TCP/IP suite) or with access to usernames and
 passwords should be periodically tested for unauthorized changes.
 Such a test can be done by comparing checksums of on-line copies of
 these programs to checksums of original copies.  (Checksums can be
 calculated with the UNIX "sum" command.)  Alternatively, these
 programs can be periodically reloaded from original tapes.

o Privileged programs - Programs that grant privileges to users (e.g.,
 setuid root programs/shells in UNIX) can be exploited to gain
 unrestricted access to systems.  System administrators should watch
 for such programs being placed in places such as /tmp and /usr/tmp (on
 UNIX systems).  A common malicious practice is to place a setuid shell
 (sh or csh) in the /tmp directory, thus creating a "back door" whereby
 any user can gain privileged system access.

o Monitor system logs - System access logs should be periodically
 scanned (e.g., via UNIX "last" command) for suspicious or unlikely
 system activity.

o Terminal servers - Terminal servers with unrestricted network access
 (that is, terminal servers which allow users to connect to and from
 any system on the Internet) are frequently used to camouflage network
 connections, making it difficult to track unauthorized activity.
 Most popular terminal servers can be configured to restrict network
 access to and from local hosts.

o Passwords - Guest accounts and accounts with trivial passwords
 (e.g., username=password, password=none) are common targets.  System
 administrators should make sure that all accounts are password
 protected and encourage users to use acceptable passwords as well as
 to change their passwords periodically, as a general practice.  For
 more information on passwords, see Federal Information Processing
 Standard Publication (FIPS PUB) 112, available from the National
 Technical Information Service, U.S. Department of Commerce,
 Springfield, VA 22161.

o Anonymous file transfer - Unrestricted file transfer access to a
 system can be exploited to obtain sensitive files such as the UNIX
 /etc/passwd file.  If used, TFTP (Trivial File Transfer Protocol -
 which requires no username/password authentication) should always be
 configured to run as a non-privileged user and "chroot" to a file
 structure where the remote user cannot transfer the system /etc/passwd
 file.  Anonymous FTP, too, should not allow the remote user to access
 this file, or any other critical system file.  Configuring these
 facilities to "chroot" limits file access to a localized directory
 structure.

o Apply fixes - Many of the old "holes" in UNIX have been closed.
 Check with your vendor and install all of the latest fixes.


If system administrators do discover any unauthorized system activity,
they are urged to contact the Computer Emergency Response Team (CERT).

- -----------------------------------------------------------------------------

Computer Emergency Response Team (CERT)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet: [email protected]
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
          7:30a.m.-6:00p.m. EST, on call for
          emergencies other hours.

Past advisories and other information are available for anonymous ftp
from cert.org (192.88.209.5).



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaMwaHVP+x0t4w7BAQEDZgP/cqyLMF6jNCb5KUyu1cvV16V5iqyr+6NU
+Bv7nAslpa68gVA2H1lAj/ckorE8TiN8Dca5L8vRi7xdb8aZdJreuhq04Ca6378R
g5heP3PfvrfFSC/uOPmKsZNEXyEKEcM3oUXp+7t0VCf/e5CmV2TOTKp83GRbaFma
6CJhBW59YnE=
=FF2b
-----END PGP SIGNATURE-----

You are viewing proxied material from gopher.altexxanet.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.