As you will read below, not all of this report is specific to Linux.
Linuxconf is, however, a key part of this security problem. I'm sending this
to you so that you will, if you are not already, be aware of this problem
that many leaving linuxconf active, as it is by default, are open for
From: Institutional Security Office <iso.edu>
Subject: URGENT: Attention all Unix and Network Administrators
Attention all Unix and Network Administrators,
The University of Utah Institutional Security Office has been noticing a
major influx in traffic, both inbound and outbound, looking for known
vulnerabilities in various Unix platforms. This traffic increase has
resulted in the discovery of several Unix hosts on campus that have been
compromised and set up to act as a launching platform for a variety of
Denial of Service (DOS) attacks, via one or more of the following: SYN,
ICMP, SMURF, and UDP. The known packages installed on these platforms are
one or more of the following hacks: BOB, trin00, and TFN. These packages
are true DOS packages, with the trin00 being the most elaborate. The
potential of these packages running in parallel would bring any network to
a standstill, making the Morris worm look like a packet collision.
Since the end of July, we have been attempting to determine a machine
profile and fingerprint to assist in discovering machines that have been
compromised. These attempts have been successful in many cases, but have
not, and will not, put an end to discovery of vulnerable machines. In
December we became aware that previously discovered machines were part of
the distributed intruder tools trin00 and/or TFN. We feel the clock may
run out at any time for a widespread launch of these tools, and we do not have
enough resources to identify what are potentially several hundred machines
on campus that have been compromised.
We have a list of known daemons that are being hacked to acquire access to
a machine and have one or more of the distributed DOS packages installed.
If you are running any of these (unpatched) packages your machine has
probably already been compromised.
These known daemons include, but are not limited to:
linux-config / tacnews
If you are running any of the above as distributed with your system, and
have not tripwired your binaries, you will need to look at your system.
Known trojaned programs include:
Known locations of DOS binaries include:
various subdirectories with names like "..." or ". ^H" (dot-space-backspace).
Known DOS ports include:
98 <-- Linux configuration port
In many cases crontab entries have been made to launch the DOS binaries.
The DOS binaries often are named 'ns', 'xterm', or other common UNIX
Please note the above information may not be complete. If you find any
anomalies, please inform <iso.edu>.
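As an added example (not part of the advisory, and not code from any tool it names), the following POSIX shell script checks a host for the indicators listed above: hidden "..." and dot-space-backspace directories, crontab entries that launch binaries named 'ns' or 'xterm' or anything from such a directory, and a TCP listener on the linuxconf port 98. The function names and all sample data (the directory tree, the crontab lines and the netstat-style lines) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: detection helpers for the
# indicators the notice lists. Function names and all sample data below
# are constructed for this example.

# Print every directory under $1 whose basename is "..." or contains a
# space or a control character (the backspace in ". ^H").
find_suspicious_dirs() {
    _root=$1
    find "$_root" -type d | while IFS= read -r d; do
        base=${d##*/}
        case $base in
            ...|*" "*) printf '%s\n' "$d" ;;
            *) if printf '%s' "$base" | LC_ALL=C grep -q '[[:cntrl:]]'; then
                   printf '%s\n' "$d"
               fi ;;
        esac
    done
}

# Read crontab lines on stdin; print those whose command runs from a "..."
# or ". " directory, or whose program is simply named 'ns' or 'xterm'.
flag_crontab_lines() {
    while IFS= read -r line; do
        case $line in
            \#*|"") continue ;;
        esac
        # strip the schedule: five fields, or a single "@reboot"-style field
        case $line in
            @*) cmd=$(printf '%s\n' "$line" | awk '{ $1=""; sub(/^ +/, ""); print }') ;;
            *)  cmd=$(printf '%s\n' "$line" | awk '{ $1=$2=$3=$4=$5=""; sub(/^ +/, ""); print }') ;;
        esac
        case $cmd in
            */.../*|*"/. "*) printf '%s\n' "$line"; continue ;;
        esac
        prog=$(printf '%s\n' "$cmd" | awk '{ print $1 }')
        case ${prog##*/} in
            ns|xterm) printf '%s\n' "$line" ;;
        esac
    done
}

# Read "netstat -an"-style lines on stdin; print TCP sockets listening on
# port 98, the linuxconf port named in the notice.
flag_linuxconf_listener() {
    awk '$1 ~ /^tcp/ && $4 ~ /:98$/ && $NF == "LISTEN"'
}

# Constructed sample data (not captured from a real host).
make_sample_tree() {
    _r=$(mktemp -d)
    mkdir -p "$_r/usr/lib" "$_r/tmp/..." "$_r/var/tmp/. $(printf '\b')" "$_r/home/user/.ssh"
    printf '%s\n' "$_r"
}
BS=$(printf '\b')
SAMPLE_CRONTAB="# constructed sample crontab (not real data)
0 * * * * /usr/lib/sendmail -q
*/5 * * * * /tmp/.../ns
@reboot \"/var/tmp/. ${BS}/xterm\" -display :0
30 2 * * * /usr/bin/find /tmp -name core -delete"
SAMPLE_NETSTAT="tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:98              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*"

# Demonstration on the constructed samples.
root=$(make_sample_tree)
echo "Suspicious directories:"; find_suspicious_dirs "$root"
rm -rf "$root"
echo "Flagged crontab entries:"; printf '%s\n' "$SAMPLE_CRONTAB" | flag_crontab_lines
echo "linuxconf listener:"; printf '%s\n' "$SAMPLE_NETSTAT" | flag_linuxconf_listener
```

On a live host the same functions take real input: `find_suspicious_dirs /`, `crontab -l | flag_crontab_lines`, and `netstat -an | flag_linuxconf_listener`. Name matching only finds the names and locations the notice lists; checksumming binaries with a tripwire-style tool, as the notice recommends, is the more reliable check for trojaned programs.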
linuxconf network access is no longer started by default.