Bug 7985

Summary: This is the latest security report from the security office at the University of Utah.
Product: [Retired] Red Hat Linux
Reporter: brian
Component: linuxconf
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 6.1
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-02-10 19:30:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description brian 1999-12-24 18:00:42 UTC
As you will read below, not all of this report is specific to Linux.
Linuxconf is, however, a key part of this security problem.  I'm sending this
to you so that you will be aware, if you are not already, of this problem:
many who leave linuxconf active, as it is by default, are open to
intrusion.
-----BEGIN HERE------------------------------------------------------------

From: Institutional Security Office <iso.edu>
Subject: URGENT: Attention all Unix and Network Administrators


Attention all Unix and Network Administrators,

The University of Utah Institutional Security Office has been noticing a
major influx in traffic, both inbound and outbound, looking for known
vulnerabilities in various Unix platforms.  This traffic increase has
resulted in the discovery of several Unix hosts on campus that have been
compromised and set up to act as a launching platform for a variety of
Denial of Service (DOS) attacks, via one or more of the following: SYN,
ICMP, SMURF, and UDP.  The known packages installed on these platforms are
one or more of the following hacks: BOB, trin00, and TFN. These packages
are true DOS packages, with the trin00 being the most elaborate.  The
potential of these packages running in parallel would bring any network to
a standstill, making the Morris worm look like a packet collision.

Since the end of July, we have been attempting to determine a machine
profile and fingerprint to assist in discovering machines that have been
compromised.  These attempts have been successful in many cases, but have
not, and will not, put an end to the discovery of vulnerable machines.  In
early December we became aware that previously discovered machines were part
of the distributed intruder tools trin00 and/or TFN.  We feel the clock may
run out at any time for a widespread launch of these tools, and we do not
have enough resources to identify what are potentially several hundred
machines on campus that have been compromised.

We have a list of known daemons that are being hacked to acquire access to
a machine and have one or more of the distributed DOS packages installed.
If you are running any of these (unpatched) packages your machine has
probably already been compromised.

These known daemons include, but are not limited to:
        nfsd
        sunrpc
        statd
        ttdbserverd
        cmsd
        sadmind
        linux-config / tacnews
If you are running any of the above as distributed with your system, and
have not tripwired your binaries, you will need to look at your system.
Known trojaned programs include:
        inetd
        initd
        ls
        ps
        netstat
Known locations of DOS binaries include:
        /tmp/
        /usr/share/man/tmp
        /use/man/tmp
        /dev
        /proc
        various subdirectories with names like "..." or ". ^H" (dot-space-backspace).
Known DOS ports include:
        98              <-- Linux configuration port
        1337
        1524
        6969
        27665
        27444
        31335
In many cases crontab entries have been made to launch the DOS binaries.
The DOS binaries are often named 'ns', 'xterm', or other common UNIX-style
names.

Please note the above information may not be complete.  If you find any
anomalies, please inform <iso.edu>.
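The note above lists indicators (ports, directories, hiding tricks, crontab launchers) but gives no procedure for checking a host against them. The following POSIX sh helper is an added example, not part of the bug report or of the University of Utah note: it flags sockets bound to the listed ports, crontab entries that launch a command from the listed directories, and directory entries named "..." or containing a space or backspace. It assumes `netstat -an` and `crontab -l` output formats; the netstat lines, crontab lines and directory tree it runs on are constructed for the demo, not real findings.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling): defender-side triage for
# the indicators listed in the University of Utah note. Lists are copied
# from the note; all sample inputs are constructed.

# Ports the note associates with the DOS tools (98 is the linuxconf port).
DOS_PORTS="98 1337 1524 6969 27665 27444 31335"

# Read "netstat -an"-style lines on stdin and print "proto port state" for
# every socket whose local port is on the list. Accepts "addr:port" (Linux)
# and "addr.port" (BSD) forms; UDP lines carry no state column, printed as "-".
flag_dos_ports() {
  awk -v list="$DOS_PORTS" '
    BEGIN { n = split(list, p, " "); for (i = 1; i <= n; i++) bad[p[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
      port = $4; sub(/.*[:.]/, "", port)
      if (port in bad) print $1, port, ($1 ~ /^udp/ ? "-" : $NF)
    }'
}

# Read crontab lines on stdin and print entries whose command runs from one
# of the directories the note names. Handles five-field schedules and
# @reboot-style lines; skips comments, blank lines and /dev/null redirects.
flag_cron_lines() {
  awk '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    {
      start = ($1 ~ /^@/) ? 2 : 6
      for (i = start; i <= NF; i++)
        if ($i ~ "^/(tmp|usr/share/man/tmp|dev|proc)/" && $i != "/dev/null") {
          print; break
        }
    }'
}

# Find entries under $1 whose names use the hiding tricks the note mentions:
# "...", or a name containing a space or a backspace character.
find_hidden_dirs() {
  bs=$(printf '\b')
  find "$1" \( -name '...' -o -name '* *' -o -name "*${bs}*" \) -print 2>/dev/null
}

# Constructed sample netstat output (header line is ignored by the filter).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:98              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1337           10.0.0.9:45000          ESTABLISHED
udp        0      0 0.0.0.0:27665           0.0.0.0:*
tcp        0      0 0.0.0.0:27665           0.0.0.0:*               LISTEN'

# Constructed sample crontab: two benign entries, two that launch from the
# listed directories.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/updatedb > /dev/null 2>&1
*/10 * * * * /usr/share/man/tmp/ns > /dev/null 2>&1
@reboot /tmp/.../xterm
30 2 * * 0 /usr/sbin/logrotate /etc/logrotate.conf'

# Build a constructed directory tree with three hidden-name entries and one
# ordinary one, and print its root so the caller can scan and remove it.
make_sample_tree() {
  d=$(mktemp -d)
  bs=$(printf '\b')
  mkdir -p "$d/tmp/..." "$d/tmp/legit" "$d/usr/share/man/tmp/ " "$d/dev/. $bs"
  touch "$d/tmp/.../xterm" "$d/dev/. $bs/ns"
  echo "$d"
}

demo() {
  echo "## local ports on the note's list (constructed netstat output)"
  printf '%s\n' "$SAMPLE_NETSTAT" | flag_dos_ports
  echo "## crontab entries launched from the note's directories"
  printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
  root=$(make_sample_tree)
  echo "## hidden-name entries under constructed tree $root"
  find_hidden_dirs "$root"
  rm -rf "$root"
}
demo
```

On a live host the same functions are fed real data: `netstat -an | flag_dos_ports`, `crontab -l | flag_cron_lines` (repeated per user), and `find_hidden_dirs /tmp` for each directory the note lists. A hit is a reason to compare the binaries the note names (inetd, ls, ps, netstat) against known-good copies from install media or a tripwire database, since a trojaned ps or netstat will hide exactly what these checks look for.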

Comment 1 Trond Eivind Glomsrød 2000-09-13 22:52:20 UTC
linuxconf network access is no longer started by default.