SDSC Security Bulletin 97.05
Original Issue Date: 1997/09/18
Version: $Id: 97.05.caltech,v 1.6 1997/09/18 16:03:35 tep Exp $
Topic: compromised systems at Caltech
________________________________________________________________________________

*LIMITED DISTRIBUTION - SDSC and NPACI partners ONLY*

There was a compromise of several machines at Caltech, an NPACI partner site. Caltech's computer operations group has contained and recovered from this incident.

This incident included "root compromises" and the installation of password sniffers on several hosts. It is also possible that "Trojan Horse" versions of login, telnetd, etc. could have been installed.

It is known that at least one plaintext password for an SDSC account used from Caltech networks was collected by these password sniffers and later used to access an SDSC host.

If you have accessed SDSC or other hosts via network paths that traverse Caltech networks, you are strongly advised to change your passwords immediately, as well as begin using "secure" access methods such as Kerberos and SSH to access your SDSC and NPACI accounts.

This incident is related to recent events at the University of Texas, documented in SDSC Security Bulletin 97.04.utexas:

  http://www.sdsc.edu/Security/public_bulletins/97.04.utexas

The time frame of this incident is approximately 27 July 1997 until 4 August 1997, although this date is not confirmed, and additional password sniffers are still being found at Caltech as of 11 September 1997.

I. Description

During late July and early August of this year, thousands of Internet hosts were probed for a vulnerability in a specific implementation of a mail "post office" server, the IMAP server from University of Washington.
The CERT Coordination Center (CERT/CC) released several advisories and summaries dealing with this activity, which can be acquired from CERT directly, or from SDSC's mirror:

CA-97.09.imap_pop   April and August 1997
  ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop
  ftp://ftp.sdsc.edu/pub/mirrors/ftp.cert.org/cert_advisories/CA-97.09.imap_pop

CS-97.04   special edition 4 August 1997
  ftp://info.cert.org/pub/cert_summaries/CS-97.04
  ftp://ftp.sdsc.edu/pub/mirrors/ftp.cert.org/cert_summaries/CS-97.04

From CS-97.04:

    Preliminary data from one current incident indicates that probes were made to thousands of hosts, and approximately 40% of those hosts appear to be vulnerable. In addition to this large incident, we have been receiving numerous reports of root compromises as a result of this vulnerability.

Note that CERT mentions that "thousands" of hosts were probed. More recent data indicates that "hundreds of thousands" is a better guess. All hosts at SDSC, a major Bay Area site (several thousand hosts), Caltech, the University of Texas and numerous other educational and corporate sites were scanned during the initial incident.

II. Impact

It is known that some users who have accessed SDSC systems from Caltech hosts had their account information, including plaintext passwords, gathered by one or more password sniffers. It is likely that thousands of login sessions that traversed Caltech networks were captured.

III. Solution

All users who have accessed SDSC (or other) computer systems from Caltech (or vice versa) *must* change their passwords on any system for which the plaintext passwords were used across Caltech networks.

SDSC makes several tools available to avoid password sniffing attacks, and all users are encouraged to use them.

*** The use of non-plaintext-password user authentication (such as SSH) will be mandatory for access to NPACI resources after 1 April 1998.
Users are *strongly* encouraged to use SSH (or Kerberos, where available) for access to SDSC computers. ***

Kerberos, Secure Shell (SSH), S/Key and SecureNetKey (SNK) "smart" cards are all supported at SDSC. For all of these, the software is freely redistributable and widely available (subject to US cryptographic export controls). SNK cards are available for purchase (approx US$40) or may be made available to some SDSC users at no charge.

Kerberos and SSH servers are running on all workstations and all supercomputers at SDSC. Kerberos client software is now available at SDSC in /usr/local/apps/krb5 and pre-registration is required. Users must acquire SSH client software for themselves at this time. There is no special registration required to use SSH.

Information on SSH is available at:

  http://www.sdsc.edu/projects/ssh/ssh.html

For general information on SDSC Security Activities, see

  http://www.sdsc.edu/Security/References/security_faq.stable

IV. Detecting an attack

All users should ALWAYS check the "last login time and place" which is presented each time they login to any UNIX system:

------------
San Diego Supercomputer Center
CRAY C90 with 8 CPUs and 256 MW running UNICOS 9.0.1ai
Last successful login was : Tue Apr 8 21:06:32 from galt.sdsc.edu
------------

If this time seems unusual, or the host is not what you expect, please contact SDSC Operations at +1.619.534.5090 immediately. SDSC Operations is available 24 hours a day, and can page the on-call security person if necessary.

If you find unusual files or directories in your account, or have files that have been moved or removed, or other reason to believe that someone has made use of your account, please contact SDSC.

V. Acknowledgments

Information in this bulletin was produced by various sources at Caltech, UTexas, CERT, and Glenn Sager and Tom Perrine at SDSC.
San Diego Supercomputer Center:
  http://www.sdsc.edu

Pacific Institute of Computer Security:
  http://www.sdsc.edu/GatherScatter/GSspring96/perrine.html

San Diego Regional Information Watch:
  http://www.sdriw.org

VI. Disclaimers

Copyright 1997 San Diego Supercomputer Center. The material in this security alert is for the use of SDSC's user community, and may NOT be reproduced or distributed, without prior written permission, in whole or in part.
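The check described in section IV (compare the "last login time and place" line against what you know about your own activity) can be scripted for users who log in often enough that the banner scrolls past unnoticed. The following is an added example, not code from SDSC or from this bulletin. It assumes the UNICOS banner format reproduced in section IV, takes the year from the caller because the banner omits it, and treats the sample banner, the trusted-domain list and the "I was away" window as constructed inputs.

```python
import re
from datetime import datetime

# Constructed sample banner in the format the bulletin reproduces (the
# "Last successful login" line printed at login). The banner is a
# constructed example, not a capture from a real system.
SAMPLE_BANNER = """\
San Diego Supercomputer Center
CRAY C90 with 8 CPUs and 256 MW running UNICOS 9.0.1ai
Last successful login was : Tue Apr 8 21:06:32 from galt.sdsc.edu
"""

# The banner carries no year, so the caller supplies one (assumption:
# the user knows which year the login belongs to).
LAST_LOGIN_RE = re.compile(
    r"^Last successful login was\s*:\s*"
    r"(?P<dow>\w{3})\s+(?P<stamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
    r"\s+from\s+(?P<host>\S+)",
    re.MULTILINE,
)


def parse_last_login(banner, year):
    """Return (datetime, host) from the banner's last-login line, or None."""
    m = LAST_LOGIN_RE.search(banner)
    if m is None:
        return None
    when = datetime.strptime(f"{m.group('stamp')} {year}", "%b %d %H:%M:%S %Y")
    return when, m.group("host").lower()


def host_is_trusted(host, trusted_hosts):
    """True when host equals, or is a subdomain of, an entry in trusted_hosts."""
    host = host.lower()
    return any(host == t.lower() or host.endswith("." + t.lower()) for t in trusted_hosts)


def assess_last_login(banner, year, trusted_hosts, absent_windows=()):
    """Compare the last-login line with what the user knows about themselves.

    trusted_hosts:  hostnames or domains the user actually logs in from.
    absent_windows: (start, end) pairs of ISO-8601 strings during which the
                    user knows they did not log in.
    Returns a list of warning strings; an empty list means nothing looked
    unusual by these two tests.
    """
    parsed = parse_last_login(banner, year)
    if parsed is None:
        return ["no 'Last successful login' line found; check the banner format"]
    when, host = parsed
    warnings = []
    if not host_is_trusted(host, trusted_hosts):
        warnings.append(f"last login came from unexpected host {host}")
    for start, end in absent_windows:
        if datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            warnings.append(
                f"last login at {when:%Y-%m-%d %H:%M:%S} falls inside a period "
                f"({start} to {end}) when you were not logged in"
            )
    return warnings


if __name__ == "__main__":
    # A user who only connects from sdsc.edu hosts sees no warning.
    print(assess_last_login(SAMPLE_BANNER, 1997, ["sdsc.edu"]))
    # The same banner, seen by a user who only connects from caltech.edu
    # hosts and was away in early April, produces two warnings; per the
    # bulletin that user should contact SDSC Operations.
    for w in assess_last_login(
        SAMPLE_BANNER, 1997, ["caltech.edu"],
        absent_windows=[("1997-04-05T00:00:00", "1997-04-10T23:59:59")],
    ):
        print("WARNING:", w)
```

Both tests are deliberately on the user's side of the connection: they need only the banner text and the user's own memory of where and when they logged in, which is exactly the information the bulletin asks each user to compare. A warning is a prompt to call Operations, not proof of compromise, and an empty result does not clear an account whose password crossed Caltech networks; the password change in section III still applies.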