SDSC Security Bulletin 97.004

Original Issue Date: 1997/08/20
Version: $Id: 97.04.utexas,v 1.3 1997/09/04 15:53:05 tep Exp $
Topic: possible compromised systems at University of Texas (UTexas)
________________________________________________________________________________

*LIMITED DISTRIBUTION - SDSC and NPACI partners ONLY*

There has been a compromise of unknown scope of several machines at the
University of Texas (UT). The Texas Advanced Computing Center (TACC), located at
the University, is an NPACI partner site.

All that is known for sure is that the recent "imap sweep" (CERT CA-97.09)
discovered several vulnerable systems at UT (not at TACC), and an ongoing
investigation has turned up several systems that are believed to have been
compromised as a result of this activity, including network password sniffers
designed to gather plaintext passwords.

It is believed that the compromise was limited to the UT main campus networks,
including the Astronomy department, and that no hosts at TACC were compromised.

The time frame of this incident is approximately 27 July 1997 until 4 August
1997, although this date is not confirmed.

I. Description

No additional information at this time.

II. Impact

It is possible that users who have accessed systems at the University of Texas
may have had their account information, including plaintext passwords, gathered
by one or more password sniffers.

III. Solution

All users who have accessed University of Texas computer systems from any other
site should change their passwords on any system for which the plaintext
passwords were used across University of Texas networks. This includes, but is
not limited to, systems at UTexas and any systems at SDSC or other sites used
from UTexas computers.

The University of Texas TACC and SDSC make several tools available to avoid
password sniffing attacks, and all users are encouraged to use them.
The use of non-plaintext-password user authentication will be mandatory for
access to NPACI resources after 1 April 1998.

Secure Shell (SSH) is supported at UTexas TACC on the J90 (lonestar) and some
other systems.

Kerberos, Secure Shell (SSH), S/Key and SecureNetKey (SNK) "smart" cards are all
supported at SDSC. For all of these, the software is freely redistributable and
widely available (subject to US cryptographic export controls). SNK cards are
available for purchase (approx US$40) or may be made available to some SDSC
users at no charge.

SSH servers are running on all workstations and most supercomputers at SDSC.
Kerberos client software is now available in /usr/local/apps/krb5. Users must
have SSH client software on their computers. There is no special registration
required to use SSH. Information on SSH is available at:

    http://www.sdsc.edu/projects/ssh/ssh.html

For general information on SDSC Security Activities, see

    http://www.sdsc.edu/Security/References/security_faq.stable

IV. Detecting an attack

All users should ALWAYS check the "last login time and place" which is presented
each time they log in to any UNIX system:

------------
San Diego Supercomputer Center
CRAY C90 with 8 CPUs and 256 MW running UNICOS 9.0.1ai

Last successful login was : Tue Apr 8 21:06:32 from galt.sdsc.edu
------------

If this time seems unusual, or the host is not what you expect, please contact
SDSC Operations at +1.619.534.5090 immediately. SDSC Operations is available 24
hours a day, and can page the on-call security person if necessary.

If you find unusual files or directories in your account, or have files that
have been moved or removed, or other reason to believe that someone has made use
of your account, please contact SDSC.

V. Acknowledgments

Information in this bulletin was produced by various sources at UTexas, CERT,
and Tom Perrine at SDSC.
San Diego Supercomputer Center: http://www.sdsc.edu
Pacific Institute of Computer Security:
    http://www.sdsc.edu/GatherScatter/GSspring96/perrine.html
San Diego Regional Information Watch: http://www.sdriw.org

VI. Disclaimers

Copyright 1997 San Diego Supercomputer Center. The material in this security
alert is for the use of SDSC's user community, and may NOT be reproduced or
distributed, without prior written permission, in whole or in part.
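A small check for the "last login time and place" advice in section IV, added here as an example and not part of the bulletin or of any SDSC tool: it parses the UNICOS banner line format quoted above and flags a login that falls inside the reported incident window or comes from a host the user does not recognise. The year (1997), the expected-host list and every sample banner other than the quoted one are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Incident window from the bulletin (end date reported as unconfirmed); the
# year is an assumption, since the banner line does not carry one.
INCIDENT_START = datetime(1997, 7, 27)
INCIDENT_END = datetime(1997, 8, 4, 23, 59, 59)

# Matches the UNICOS banner quoted in the bulletin; the weekday is ignored.
BANNER_RE = re.compile(
    r"Last successful login was\s*:\s*[A-Z][a-z]{2}\s+(?P<mon>[A-Z][a-z]{2})\s+"
    r"(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+from\s+(?P<host>\S+)"
)

def parse_banner(line, year):
    """Return (timestamp, host) for a last-login banner line, or None."""
    m = BANNER_RE.search(line)
    if not m:
        return None
    stamp = f"{m.group('mon')} {m.group('day')} {m.group('time')} {year}"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y"), m.group("host")

def check_login(when, host, expected_hosts):
    """Reasons a login record deserves a closer look (empty list if none)."""
    reasons = []
    if INCIDENT_START <= when <= INCIDENT_END:
        reasons.append("in-incident-window")
    if host not in expected_hosts:
        reasons.append("unexpected-host")
    return reasons

def review(lines, year, expected_hosts):
    """Return (host, timestamp, reasons) for each banner line that is flagged."""
    flagged = []
    for line in lines:
        parsed = parse_banner(line, year)
        if parsed is None:
            continue  # not a banner line; skip rather than guess
        when, host = parsed
        reasons = check_login(when, host, expected_hosts)
        if reasons:
            flagged.append((host, when, tuple(reasons)))
    return flagged

# Constructed sample banners; the first is the one quoted in the bulletin.
SAMPLE_BANNERS = [
    "Last successful login was : Tue Apr  8 21:06:32 from galt.sdsc.edu",
    "Last successful login was : Wed Jul 30 02:14:07 from ws12.example.edu",
    "Last successful login was : Sat Aug  9 10:00:00 from galt.sdsc.edu",
]
```

Calling `review(SAMPLE_BANNERS, 1997, {"galt.sdsc.edu"})` flags only the constructed July login, for both reasons; a banner that parses but is unremarkable is left alone, which is the same judgement the bulletin asks each user to make by eye.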