PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

U-1,228/DS-SIM {DCPO}

SUBJ: COMPROMISES OF UNIX BASED SYSTEMS {AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM {ASSIST} 92-35}

1. DISCUSSION: THIS IS A PRIORITY ALERT THAT INTERRUPTS THE SEQUENCE OF THE BASELINE PACKAGE OF MESSAGES CURRENTLY BEING ISSUED BY ASSIST. SEVERAL COMPROMISED SYSTEMS HAVE BEEN DISCOVERED AT U.S. GOVERNMENT DATA CENTERS. YOU ARE ADVISED TO PASS THIS MEMO ALONG TO OTHER SYSTEM MANAGERS AS WELL AS YOUR MANAGEMENT SO THAT AS MANY PEOPLE AS POSSIBLE CAN BE INFORMED. THE ATTACKS TAKE THE FORM OF TROJAN-HORSE VERSIONS OF THE /bin/login PROGRAM REPLACING THE ACTUAL PROGRAM THAT IS PART OF UNIX. THE ACTIVITY APPEARS TO HAVE BEEN OCCURRING FOR AT LEAST THE LAST 2 WEEKS. A COMPROMISED SYSTEM PROVIDES AN UNAUTHORIZED USER WITH A ROOT SHELL ON YOUR SYSTEM WHILE EFFECTIVELY REMAINING 'INVISIBLE': THE PROCESS DOES NOT SHOW UP ON NORMAL USER DISPLAYS, AND NO ENTRIES ARE MADE TO THE LOG FILE.

2. WHILE NOT A FULL SIGNATURE, THE FOLLOWING PROVIDES SOME THINGS TO LOOK FOR:

   A. CHECK THE REVISION DATE OF /bin/login USING THE COMMAND:

      ls -lc /bin/login

      {NOTE: USE "ls -lc", NOT "ls -l". THE -c OPTION SHOWS THE INODE CHANGE TIME RATHER THAN THE MODIFICATION TIME; touch(1) CAN BACK-DATE THE LATTER BUT NOT THE FORMER.} BE SUSPICIOUS OF A RECENT REVISION DATE. NOTE HOWEVER THAT IT IS EASY TO SPOOF THE REVISION DATE {E.G. BY RESETTING THE SYSTEM CLOCK BEFORE INSTALLING THE FILE}, AND SOME COMPROMISED SYSTEMS HAVE HAD THIS HAPPEN TO THEM. HOWEVER, IF YOU CAN VERIFY THE REVISION DATE AGAINST THE FILE ON YOUR ORIGINAL O/S MEDIA, THIS MIGHT PROVIDE A FIRST ALERT TO A PROBLEM.

   B. WHEN LOGGING IN, THE /bin/login PROGRAM NORMALLY PRODUCES THE FOLLOWING PROMPT:

      "Password:"

      {NOTE: CAPITAL "P", AND NO SPACE AFTER THE COLON.} SOME COMPROMISED VERSIONS OF /bin/login PRESENT THEMSELVES TO THE USER BY PROMPTING WITH EITHER "password:" OR "Password: ".

   C. CHECK FOR THE EXISTENCE OF THE FILE /var/spool/secretmail/.l OR /usr/spool/secretmail/.l. THIS FILE IS NOT PART OF NORMAL UNIX, AND IF PRESENT, INDICATES THE EXISTENCE OF A TROJAN HORSE /bin/login.

3. THE ABOVE STEPS WILL PROVIDE A PRELIMINARY IDENTIFICATION OF NODES THAT ARE AFFECTED. HOWEVER, NODES NOT EXHIBITING THE PREVIOUS INDICATIONS COULD STILL BE AT RISK. IT IS BELIEVED THAT THE TROJAN-HORSE COPY OF /bin/login HAS BEEN ALTERED SUCH THAT IT STILL CHECKSUMS TO THE CORRECT VALUE {A SIMPLE CHECKSUM SUCH AS sum(1) CAN BE MADE TO MATCH BY ADJUSTING THE FILE CONTENTS; COMPARING A CRYPTOGRAPHIC HASH, OR THE FILE ITSELF WITH cmp(1), AGAINST YOUR ORIGINAL O/S MEDIA IS MORE RELIABLE}. BECAUSE AN INTRUDER WITH ROOT ACCESS MAY ALSO HAVE REPLACED ls, sum OR OTHER UTILITIES, RUN THESE CHECKS WITH COPIES OF THE TOOLS TAKEN FROM TRUSTED MEDIA WHERE POSSIBLE. YOU ARE STRONGLY ENCOURAGED TO CHECK EVERY UNIX MACHINE AT YOUR CENTER FOR THE ABOVE ATTRIBUTES. FURTHER, IT IS STRONGLY RECOMMENDED THAT ALL SITES WITH hosts.equiv FILES ENSURE THAT THE FILE DOES NOT CONTAIN A LINE THAT CONSISTS OF NOTHING BUT A "+". THIS WOULD ALLOW SOMEONE WHO PENETRATES THE ROOT ACCOUNT ON ANY OTHER MACHINE [ANYWHERE] ON THE INTERNET TO rlogin AS ROOT ON YOUR NODE. IT IS SUSPECTED THAT THIS MECHANISM IS BEING USED IN SOME OF THE INSTANCES CURRENTLY BEING REPORTED. IT IS FURTHER SUGGESTED THAT SITES RUN THE SECURITY PROGRAMS CONTAINED IN THE COPS {V1.04} SOFTWARE, WHICH WAS DEVELOPED TO HELP IDENTIFY COMMON UNIX SECURITY PROBLEMS. THIS SOFTWARE IS AVAILABLE VIA ANONYMOUS FTP FROM cert.org {192.88.209.5} IN THE DIRECTORY ~/pub/cops/1.04.

4. IF, AFTER PERFORMING THE ABOVE STEPS, ANY SYSTEMS ARE FOUND TO BE AFFECTED AS DESCRIBED, THE SYSTEM ADMINISTRATOR SHOULD PERFORM THE FOLLOWING STEPS:

   A. MAKE A BACKUP OF YOUR CURRENT SYSTEM. LABEL EACH TAPE AND HAVE THE PERSON WHO MADE THE BACKUP PUT THEIR SIGNATURE ON THE LABEL. THIS SAME PERSON SHOULD THEN STORE THE TAPE IN A SECURE {I.E. "LOCKED"} LOCATION UNTIL FURTHER NOTICE.

   B. REPLACE ALL OPERATING SYSTEM FILES WITH THOSE FROM A TRUSTED BACKUP OR FROM ORIGINAL DISTRIBUTION MEDIA. A BACKUP TAKEN AFTER THE COMPROMISE MAY ITSELF CONTAIN THE TROJAN HORSE AND IS NOT TRUSTED FOR THIS PURPOSE.

   C. PLEASE REPORT ANY INCIDENCES OF AFFECTED SYSTEMS TO ASSIST AS WELL AS YOUR LOCAL MANAGEMENT. THE CENTER COMPUTER SECURITY OFFICIALS SHOULD BE APPRISED OF THE EXTENT OF AFFECTED SYSTEMS.

   D. KEEP RECORDS OF WHICH SYSTEMS WERE AFFECTED, AND OF THE WORK-HOURS REQUIRED TO BACK UP, ERADICATE, AND REPORT THIS PROBLEM. THE LOGS MAY BE REQUIRED LATER.

5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT DOD-CERT@DDN-CONUS.DDN.MIL.
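6. ADDED EXAMPLE {NOT PART OF THE ORIGINAL ASSIST MESSAGE}: THE FOLLOWING POSIX SHELL SCRIPT, WRITTEN FOR THIS PAGE, RUNS THE CHECKS FROM ITEMS 2.A THROUGH 2.C AND THE hosts.equiv CHECK FROM ITEM 3 OVER A DIRECTORY TREATED AS "/", SO IT CAN BE RUN AGAINST THE LIVE SYSTEM, A MOUNTED BACKUP, OR A CONSTRUCTED TEST TREE. THE FUNCTION NAMES, THE OPTIONAL KNOWN-GOOD HASH ARGUMENT {ASSUMED TO BE COMPUTED FROM THE /bin/login ON YOUR ORIGINAL O/S MEDIA} AND THE USE OF A SHA-256 DIGEST INSTEAD OF sum(1) ARE THIS EXAMPLE'S OWN CHOICES, NOT PART OF THE ADVISORY.

```shell
#!/bin/sh
# Added example, not from the ASSIST 92-35 message: triage checks for the
# indicators the alert lists. ROOT is the directory treated as "/" (empty
# string = the live system); KNOWN_GOOD_HASH is assumed to have been taken
# from the /bin/login on trusted distribution media. Prints one line per
# finding and returns the number of findings as the exit status.

hash_file() {
    # Prefer a cryptographic digest: a simple checksum such as sum(1) can be
    # made to match by adjusting the file, which is what item 3 warns about.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    else
        echo "WARNING: no SHA-256 tool found, falling back to cksum" >&2
        cksum "$1" | cut -d' ' -f1
    fi
}

assist_92_35_check() {
    root="${1:-}"            # "" means the live root file system
    known="${2:-}"           # hash of /bin/login from trusted media, if known
    findings=0

    # Item 2.C: the dropfile that is not part of normal UNIX
    for f in "$root/var/spool/secretmail/.l" "$root/usr/spool/secretmail/.l"; do
        if [ -e "$f" ]; then
            echo "TROJAN LOGIN: $f exists"
            findings=$((findings + 1))
        fi
    done

    # Item 3: a hosts.equiv line consisting of nothing but "+"
    he="$root/etc/hosts.equiv"
    if [ -f "$he" ] && grep -qx '+' "$he"; then
        echo "OPEN TRUST: $he contains a line consisting of only +"
        findings=$((findings + 1))
    fi

    login="$root/bin/login"
    if [ -f "$login" ]; then
        # Item 2.A: -c shows the inode change time, which touch(1) cannot
        # back-date; the mtime shown by plain -l can be set at will.
        ls -lc "$login"

        # Item 2.B: pull printable strings out of the binary and flag any
        # password prompt that is not exactly "Password:" (e.g. lowercase p,
        # or a trailing space after the colon).
        odd=$(tr -c '[:print:]' '\n' < "$login" \
              | grep -i 'password: *$' \
              | grep -vx 'Password:' \
              | sed 's/^/ODD PROMPT: /' || true)
        if [ -n "$odd" ]; then
            echo "$odd"
            findings=$((findings + 1))
        fi

        # Item 3 caveat: compare a digest with the trusted-media copy instead
        # of relying on the checksum the trojan was built to preserve.
        h=$(hash_file "$login")
        echo "HASH $h $login"
        if [ -n "$known" ] && [ "$h" != "$known" ]; then
            echo "HASH MISMATCH: $login differs from trusted media"
            findings=$((findings + 1))
        fi
    fi

    return "$findings"
}

# Invoked directly: sh assist_check.sh [ROOT] [KNOWN_GOOD_HASH]
# A non-zero exit status is the number of indicators found.
if [ "$#" -gt 0 ]; then
    assist_92_35_check "$@"
fi
```

RUN IT WITH COPIES OF ls, grep, tr AND THE HASH TOOL TAKEN FROM TRUSTED MEDIA WHERE POSSIBLE, SINCE A ROOT-LEVEL INTRUDER MAY HAVE REPLACED THOSE AS WELL; A CLEAN RESULT RULES OUT ONLY THE INDICATORS LISTED HERE, NOT A COMPROMISE.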