PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

U-1,359/DS-SIM {CSG}

SUBJ: NEW INTERNET INTRUSIONS DETECTED {AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM {ASSIST} 92-59}

1. DISCUSSION: ASSIST HAS LEARNED OF A NEW SERIES OF INTERNET ATTACKS INVOLVING PRIMARILY UNIX SYSTEMS. THE INTRUDER IS USING VULNERABILITIES SUCH AS TFTP TO OBTAIN COPIES OF THE PASSWORD FILE ON SOME INTERNET SYSTEMS. THE PASSWORDS ARE THEN CHECKED TO SEE IF ANY ARE EASILY GUESSED, AND IF SO, THE ACCOUNT IS USED TO GAIN ACCESS TO THE SYSTEM. THESE ATTACKS ARE WIDESPREAD, AND ACCOUNTS PENETRATED BY THESE INTRUDERS ARE USED TO ATTACK OTHER SYSTEMS OR GAIN ROOT PRIVILEGE ON THE PENETRATED SYSTEM. IF THE INTRUDER GAINS ROOT PRIVILEGE, SYSTEM BINARIES FOR THE UTILITIES SU, FTP, AND FTPD MAY BE REPLACED WITH TROJAN HORSE VERSIONS THAT RECORD SUBSEQUENT PASSWORDS ENTERED BY LEGITIMATE USERS. IN ADDITION, THE INTRUDER MAY POST THE USERNAME, PASSWORD, AND SYSTEM NAME OF THE PENETRATED ACCOUNT TO A PUBLIC BULLETIN BOARD SYSTEM.

2. IF YOU MANAGE A UNIX SYSTEM CONNECTED TO THE INTERNET, ASSIST RECOMMENDS THAT YOU VERIFY THAT THE SYSTEM BINARIES FOR THE SU, FTP, AND FTPD UTILITIES HAVE NOT BEEN MODIFIED. THIS CAN BE DONE BY COMPARING THE BINARIES TO THOSE ON THE SYSTEM DISTRIBUTION MEDIA OR BY USING A CRC PACKAGE SUCH AS THE ONE CONTAINED IN SPI/UNIX TO ASSURE THAT THE BINARIES HAVE NOT BEEN MODIFIED. ANOTHER INDICATION OF THIS ATTACK IS THE PRESENCE OF FILES ... {DOT, DOT, DOT} IN EITHER THE /USR/ETC, /VAR/CRASH, OR /USR/KVW DIRECTORIES OR THE FILE .GETWD IN THE /USR/ETC/ OR /VAR/CRASH DIRECTORIES. OTHER INDICATORS OF THIS ATTACK INCLUDE:

A. PRESENCE OF SET-UID ROOT SHELLS NAMED .A OR WTRUNC ANYWHERE ON THE SYSTEM.

B. ADDITION OF A "{PLUS SIGN}" IN THE /ETC/HOSTS.EQUIV FILE.

C. ADDITION OF A .RHOSTS FILE IN ANY HOME DIRECTORY MENTIONED IN THE /ETC/PASSWORD FILE CONTAINING THE STRING "{PLUS, SPACE, PLUS}."

D. PRESENCE OF A SET-UID ROOT FILE /USR/LIB/LPX.

3. RECOMMENDATION: SHOULD YOU ENCOUNTER ANY OF THE ABOVE-MENTIONED INDICATORS OF THIS ATTACK, SAVE A COPY OF THE AFFECTED FILES ON TAPE OR OTHER REMOVABLE MEDIA, REMOVE OR REPLACE THESE FILES WITH BINARIES FROM THE SYSTEM DISTRIBUTION MEDIA, AND CONTACT ASSIST AT THE NUMBER LISTED BELOW. IN ADDITION, ALL PASSWORDS ON THE SYSTEM SHOULD BE CHANGED. ASSIST RECOMMENDS THAT YOU RUN THE SPI/UNIX OR COMPARABLE PACKAGE TO VERIFY THAT YOUR PASSWORDS ARE ROBUST AND SYSTEM BINARIES HAVE NOT BEEN MODIFIED. VERSION 2.0 OF SPI/UNIX HAS BEEN RELEASED AND IS AVAILABLE. CONTACT YOUR LOCAL COMPUTER SECURITY DEPARTMENT OR ASSIST FOR GUIDANCE IN OBTAINING OR INSTALLING THIS PRODUCT.

4. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL."
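The checks in paragraph 2 (the "..." directories and .getwd file, set-uid .a/wtrunc shells, the "+" in hosts.equiv, "+ +" in .rhosts, set-uid /usr/lib/lpx, and a CRC comparison of su/ftp/ftpd against distribution media) as one audit script. This is an added example, not the bulletin's or SPI/UNIX's code; the function names, the `.baseline.cksum` file and its `cksum` line format, and the constructed sample tree are assumptions of the example.

```shell
# Added example, not from the ASSIST bulletin: audit a tree for the indicators
# in paragraph 2. $1 is a path prefix (a mounted image or, here, a constructed
# sample); the baseline file name and cksum format are this example's choice.
# Print one "FOUND:" line per indicator under $1; returns 0 so a whole sweep runs.
scan_indicators() {
    root=$1
    for d in usr/etc var/crash usr/kvw; do          # "..." directories
        [ -e "$root/$d/..." ] && echo "FOUND: $root/$d/..."
    done
    for d in usr/etc var/crash; do                  # .getwd files
        [ -e "$root/$d/.getwd" ] && echo "FOUND: $root/$d/.getwd"
    done
    # set-uid files named .a or wtrunc anywhere (add -user root on a live host)
    find "$root" -type f -perm -4000 \( -name .a -o -name wtrunc \) \
        -exec printf 'FOUND: set-uid %s\n' {} \; 2>/dev/null
    # a bare "+" line in hosts.equiv trusts every host on the network
    grep -qxF '+' "$root/etc/hosts.equiv" 2>/dev/null \
        && echo "FOUND: + in $root/etc/hosts.equiv"
    # a "+ +" line in .rhosts of any home directory named in the password file
    cut -d: -f6 "$root/etc/passwd" 2>/dev/null | while read -r home; do
        grep -qxF '+ +' "$root$home/.rhosts" 2>/dev/null \
            && echo "FOUND: + + in $root$home/.rhosts"
    done
    [ -u "$root/usr/lib/lpx" ] && echo "FOUND: set-uid $root/usr/lib/lpx"
    # CRC of su, ftp, ftpd against a baseline recorded from distribution media
    [ -f "$root/.baseline.cksum" ] && while read -r crc size path; do
        [ -f "$root$path" ] || continue
        now=$(cksum < "$root$path" | cut -d' ' -f1)
        [ "$now" = "$crc" ] || echo "FOUND: $root$path CRC $now, baseline $crc"
    done < "$root/.baseline.cksum"
    return 0
}
# Constructed sample tree (not real data) showing several indicators, with a
# su binary changed after its baseline CRC was recorded.
make_sample_tree() {
    root=$1
    mkdir -p "$root/etc" "$root/usr/etc/..." "$root/var/crash" \
             "$root/bin" "$root/usr/lib" "$root/home/guest"
    printf 'root:x:0:0::/:/bin/sh\nguest:x:100:100::/home/guest:/bin/sh\n' > "$root/etc/passwd"
    printf 'trusted.example\n+\n' > "$root/etc/hosts.equiv"
    printf '+ +\n' > "$root/home/guest/.rhosts"
    : > "$root/var/crash/.getwd"
    printf 'original su\n' > "$root/bin/su"
    printf '%s /bin/su\n' "$(cksum < "$root/bin/su")" > "$root/.baseline.cksum"
    printf 'replaced su\n' > "$root/bin/su"
    : > "$root/usr/lib/lpx"; : > "$root/var/crash/wtrunc"
    chmod 4755 "$root/usr/lib/lpx" "$root/var/crash/wtrunc"
}
root=$(mktemp -d) && make_sample_tree "$root" && scan_indicators "$root" && rm -rf "$root"
```

On a live host, run it with `/` as the prefix and a baseline generated by `cksum` over su, ftp and ftpd from the distribution media; a match only proves the binaries equal the baseline, so the baseline itself must come from trusted media.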