To: csr@list.gatech.edu, snag@gt.ed.net, information-technology@oit.gatech.edu
From: Ray Spalding
Date: Thu, 30 Apr 1998 12:12:26 -0500
Subject: Special Security Alert for SGI Systems

For all SGI System Administrators:

Proper administration, particularly the timely application of security patches, is important for all computer systems. However, it appears from incident reports that there may have been recent systematic exploitation of on-campus SGI systems.

THEREFORE we request that all administrators of SGI systems:

(1) INSPECT your systems for signs of compromise;

and in addition:

(2) CHECK for password-less accounts and other out-of-the-box vulnerabilities; and

(3) INSTALL all applicable security patches.

In one incident, as many as 27 machines were potentially compromised. On two machines, root access was lost and at least 10 machines showed definite signs of compromise. In another, an intruder gained access using a password-less system account, the closing of which was overlooked at installation time.

Note that if a system has been root-compromised, recommended recovery procedures include re-installation of the system software.

We can provide ISS scanning to aid you in this effort. For more information about what the ISS Scanner does, please look at http://www.iss.net

For more information on security and related issues, please refer to:

The Georgia Tech Information Security UNIX security admin page
    http://www.itis.gatech.edu/security/unix/

CERT intrusion detection page
    ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

CERT root compromise recovery page
    ftp://info.cert.org/pub/tech_tips/root_compromise

SGI makes their security patches publicly available at ftp.sgi.com via anonymous ftp. Also, they have on their website a "Security Headquarters" at:
    http://www.sgi.com/Support/security/security.html

Within this, they have a link to a security patch matrix that lists applicable security patches for operating system versions at
    ftp://sgigate.sgi.com/security/os_patch_cross_ref

The following advisory discusses closing of password-less accounts that ship with new systems:
    ftp://sgigate.sgi.com/security/19951002-01-I

Please contact OIT Information Security at irsc@oit.gatech.edu if you feel your system has been compromised, or if you have any questions.
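
One way to carry out the check in step (2), as an added example that is not part of the original alert: a shell function that reports accounts whose password field is empty in a passwd-format file and, where one is in use, a shadow-format file. The function names and all sample entries (account names, uids, hashes) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original alert): report local accounts whose
# password field is empty. passwd- and shadow-format files are both
# colon-separated, with the account name in field 1 and the encrypted
# password in field 2. The check is conservative: an empty field in either
# file is reported.

# find_passwordless PASSWD_FILE [SHADOW_FILE]
# Prints one line per finding: name:uid:shell:source
find_passwordless() {
    pw_file=$1
    sh_file=${2:-/dev/null}
    awk -F: -v shadow="$sh_file" '
        /^#/ || /^[+-]/ || NF < 2 { next }   # comments, NIS compat entries, junk
        FILENAME == shadow { if ($2 == "") empty_shadow[$1] = 1; next }
        $2 == ""           { print $1 ":" $3 ":" $7 ":passwd"; next }
        $1 in empty_shadow { print $1 ":" $3 ":" $7 ":shadow" }
    ' "$sh_file" "$pw_file"
}

# Constructed sample data: every entry below is made up.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:Super-User:/:/bin/csh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
lp:x:9:9:Print Spooler:/var/spool/lp:/bin/sh
alice:x:1001:20:Alice:/usr/people/alice:/bin/tcsh
+::0:0:::
EOF
    cat > "$dir/shadow" <<'EOF'
root:Ab3dEfGhIjKlM:10000::::::
lp::10000::::::
alice:Zy9xWvUtSrQpO:10000::::::
EOF
    find_passwordless "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo
```

To audit a live system, pass the system's own passwd file and, where shadow passwords are in use, its shadow file (reading the latter normally requires root). Each reported account should then be locked or given a password.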