**************************************************************************

Security Bulletin 9708 DISA Defense Communications System

May 2, 1997 Published by: DISN Security Coordination Center

(SCC@NIC.MIL) 1-(800) 365-3642

DEFENSE INFORMATION SYSTEM NETWORK

SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil.

**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

! !

! The following important advisory was issued by the Automated !

! Systems Security Incident Support Team (ASSIST) and is being !

! relayed unedited via the Defense Information Systems Agency's !

! Security Coordination Center distribution system as a means !

! of providing DISN subscribers with useful security information. !

! !

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Automated Systems Security Incident Support Team

[ASSIST logo: "Integritas et Celeritas"]

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 97-03

Release date: 1 May 1997

TOPIC: Widespread Internet system probe

PLATFORM: Any computer system connected to the Niprnet

IMPACT: ASSIST has noticed an increase in network wide probes over the past week. These probes have targeted a wide variety of services, including in particular CGI-BIN vulnerabilities. While these probes are initially only looking for vulnerabilities, follow-up exploitation of these vulnerabilities is predicted. Successful exploitation of the vulnerabilities can result in unauthorized root access.

SOLUTION: Review the ASSIST vulnerability bulletins found at http://www.assist.mil/pub/bulletins and verify that your machines are sufficiently protected against documented vulnerabilities. Bulletins can also be found on our anonymous FTP site and BBS (see trailer for information). In addition, use the attached instructions to verify that your system has not been compromised.

- --------------------Intruder Detection Checklist------------------------

A. Look For Signs That Your System May Have Been Compromised

Note that all action taken during the course of an investigation should be in accordance with your organization's policies and procedures.

1. Examine log files for connections from unusual locations or other unusual activity. For example, look at your 'last' log, process accounting, all logs created by syslog, and other security logs. If your firewall or router writes logs to a different location than the compromised system, remember to check these logs also. Note that this is not foolproof unless you log to append-only media; many intruders edit log files in an attempt to hide their activity.

2. Look for setuid and setgid files (especially setuid root files) everywhere on your system. Intruders often leave setuid copies of /bin/sh or /bin/time around to allow them root access at a later time. The UNIX find(1) program can be used to hunt for setuid and/or setgid files. For example, you can use the following commands to find setuid root files and setgid kmem files on the entire file system:

       find / -user root -perm -4000 -print
       find / -group kmem -perm -2000 -print

   Note that the above examples search the entire directory tree, including NFS/AFS mounted file systems. Some find(1) commands support an "-xdev" option to avoid searching those hierarchies. For example:

       find / -user root -perm -4000 -print -xdev

   Another way to search for setuid files is to use the ncheck(8) command on each disk partition. For example, use the following command to search for setuid files and special devices on the disk partition /dev/rsd0g:

       ncheck -s /dev/rsd0g

3. Check your system binaries to make sure that they haven't been altered. We've seen intruders change programs on UNIX systems such as login, su, telnet, netstat, ifconfig, ls, find, du, df, libc, sync, any binaries referenced in /etc/inetd.conf, and other critical network and system programs and shared object libraries. Compare the versions on your systems with known good copies, such as those from your initial installation media. Be careful of trusting backups; your backups could also contain Trojan horses.

   Trojan horse programs may produce the same standard checksum and timestamp as the legitimate version. Because of this, the standard UNIX sum(1) command and the timestamps associated with the programs are not sufficient to determine whether the programs have been replaced. The use of cmp(1), MD5, Tripwire, and other cryptographic checksum tools is sufficient to detect these Trojan horse programs, provided the checksum tools themselves are kept secure and are not available for modification by the intruder. Additionally, you may want to consider using a tool (PGP, for example) to "sign" the output generated by MD5 or Tripwire, for future reference.

4. Check your systems for unauthorized use of a network monitoring program, commonly called a sniffer or packet sniffer. Intruders may use a sniffer to capture user account and password information. For related information, see CERT advisory CA-94:01 available in

       ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

5. Examine all the files that are run by 'cron' and 'at'. We've seen intruders leave back doors in files run from 'cron' or submitted to 'at'. These techniques can let an intruder back on the system (even after you believe you had addressed the original compromise). Also, verify that all files/programs referenced (directly or indirectly) by the 'cron' and 'at' jobs, and the job files themselves, are not world-writable.

6. Check for unauthorized services. Inspect /etc/inetd.conf for unauthorized additions or changes. In particular, search for entries that execute a shell program (for example, /bin/sh or /bin/csh) and check all programs that are specified in /etc/inetd.conf to verify that they are correct and haven't been replaced by Trojan horse programs.

   Also check for legitimate services that you have commented out in your /etc/inetd.conf. Intruders may turn on a service that you previously thought you had turned off, or replace the inetd program with a Trojan horse program.

7. Examine the /etc/passwd file on the system and check for modifications to that file. In particular, look for the unauthorized creation of new accounts, accounts with no passwords, or UID changes (especially UID 0) to existing accounts.

8. Check your system and network configuration files for unauthorized entries. In particular, look for '+' (plus sign) entries and inappropriate non-local host names in /etc/hosts.equiv, /etc/hosts.lpd, and in all .rhosts files (especially root, uucp, ftp, and other system accounts) on the system. These files should not be world-writable. Furthermore, confirm that these files existed prior to any intrusion and were not created by the intruder.

9. Look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by 'ls'), as these can be used to hide tools and information (password cracking programs, password files from other systems, etc.). A common technique on UNIX systems is to put a hidden directory in a user's account with an unusual name, something like '...' or '.. ' (dot dot space) or '..^G' (dot dot control-G). Again, the find(1) program can be used to look for hidden files, for example:

       find / -name ".. " -print -xdev
       find / -name ".*" -print -xdev | cat -v

   Also, files with names such as '.xx' and '.mail' have been used (that is, files that might appear to be normal).

10. Examine all machines on the local network when searching for signs of intrusion. Most of the time, if one host has been compromised, others on the network have been, too. This is especially true for networks where NIS is running or where hosts trust each other through the use of .rhosts files and/or /etc/hosts.equiv files. Also, check hosts for which your users share .rhosts access.
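Steps 7 and 8 of the checklist above are file audits that can be scripted and run against copies of /etc/passwd and of /etc/hosts.equiv or a .rhosts file taken from a suspect host. The following script is an added example, not part of the ASSIST bulletin; the file paths, the local domain argument and the sample files it writes are all constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the ASSIST bulletin): scripted audit for checklist
# steps 7 and 8. Both checks take a file path so they can be run against
# copies of the real files; the samples written at the bottom are constructed.

# Step 7: report accounts with an empty password field, and any UID 0 account
# other than root (a classic way to plant a second superuser login).
check_passwd() {
    awk -F: '
        /^#/ || NF < 7          { next }
        $2 == ""                { print "EMPTY-PASSWORD " $1 }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
    ' "$1"
}

# Step 8: report "+" wildcard entries (trust everyone) and host names that do
# not end in the local domain given as the second argument.
check_trust_file() {
    awk -v domain=".$2" '
        /^#/ || NF == 0        { next }
        $1 == "+" || $2 == "+" { print "WILDCARD " $0; next }
        index($1, ".") && substr($1, length($1) - length(domain) + 1) != domain {
            print "NONLOCAL " $0
        }
    ' "$1"
}

# Constructed sample files (not data from any real system) so the audit runs
# offline: "toor" has no password and UID 0; hosts.equiv trusts everyone and
# one host outside the assumed local domain example.mil.
write_samples() {
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$1/passwd"
    printf 'toor::0:0:planted:/:/bin/sh\n' >> "$1/passwd"
    printf 'alice:x:1001:100:alice:/home/alice:/bin/sh\n' >> "$1/passwd"
    printf 'hostA.example.mil\n+ +\nevil.example.com\n' > "$1/hosts.equiv"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
check_passwd "$SAMPLES/passwd"
check_trust_file "$SAMPLES/hosts.equiv" example.mil
rm -r "$SAMPLES"
```

Against the samples it reports toor twice (EMPTY-PASSWORD and UID0), the "+ +" line as WILDCARD and evil.example.com as NONLOCAL, while root, alice and hostA.example.mil produce nothing.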

B. Review Other CERT Documents

1. For further information about the types of attack that have recently been reported to the CERT Coordination Center and for a list of new or updated files that are available for anonymous FTP, see our past CERT Summaries, available in the directory

       ftp://info.cert.org/pub/cert_summaries/

2. If you suspect that your system has been compromised, please review the suggested steps in "Steps for Recovering from a UNIX Root Compromise," available from

       ftp://info.cert.org/pub/tech_tips/root_compromise

   Also review other appropriate files in our tech_tips directory.

3. To report a computer security incident to the CERT Coordination Center, please complete and return a copy of our Incident Reporting Form, available from

       ftp://info.cert.org/pub/incident_reporting_form

   The information on the form helps us provide the best assistance, as it enables us to understand the scope of the incident, to determine if your incident may be related to any other incidents that have been reported to us, and to identify trends in intruder activities.

    Adapted for ASSIST use from the CERT® Incident Reporting Form (copyright 1997 Carnegie Mellon University), with permission from the CERT Coordination Center.

    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    ASSIST is an element of the Defense Information Systems Agency (DISA), Global Operations and Security Center (GOSC), which provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security issues can contact ASSIST using one of the methods listed below. Non-DoD organizations/institutions should contact their Forum of Incident Response and Security Teams (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies, send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts".

    ___________________________

    ASSIST CONTACT INFORMATION:

    E-mail: assist@assist.mil

    Phone: (800)-357-4231 (DSN 327-4700) 24 hour hotline

    Fax: (703) 607-4735 (DSN 327-4735) Unclassified

    ASSIST Bulletins, tools and other security related information are available from:

    http://www.assist.mil/
    ftp://ftp.assist.mil/

    To be added to our mailing list for ASSIST bulletins, send your e-mail address to assist-request@assist.mil. In the subject line, type:

    SUBSCRIBE your-email-address

    ___________________________________

    OTHER DOD CERT CONTACT INFORMATION:

    Air Force CERT Phone: (800) 854-0187
    Air Force CERT Email: afcert@afcert.csap.af.mil
    Navy CIRT Phone: (800) 628-8893
    Navy CIRT Email: navcirt@fiwc.navy.mil
    Army CERT Phone: (888) 203-6332
    Army CERT Email: acert@vulcan.belvoir.army.mil

    _________________

    ASSIST BULLETINS:

    Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous FTP from ftp.assist.mil (IP address 199.211.123.12). Note: ftp.assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. If your system is not registered, you must provide your MILNET IP address to ASSIST before access can be provided.

    ASSIST uses Pretty Good Privacy (PGP) as the digital signature mechanism for bulletins. PGP incorporates the RSAREF™ Cryptographic Toolkit under license from RSA Data Security, Inc. A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt. In accordance with the terms of that license, PGP may be used for non-commercial purposes only. Instructions for downloading the PGP software can also be obtained from net-dist.mit.edu in the pub/PGP/README file. PGP and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls. The PGP signature information will be attached to the end of ASSIST bulletins.

    Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes.

    ****************************************************************************

    PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

    This document was prepared as a service to the DOD community. Neither the United States Government nor any of its employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.