Bug 7985 - This is the latest security report from the security office at the University of Utah.
This is the latest security report from the security office at the University...
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: linuxconf (Show other bugs)
6.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-12-24 13:00 EST by brian
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-02-10 14:30:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description brian 1999-12-24 13:00:42 EST
As you will read below, not all of this report is specific to linux.
Linuxconf is however a key part of this security problem.  I'm sending this
to you such that you will, if you are not already, be aware of this problem
that many leaving linuxconf active, as it is by default, are open for
intrusion.
-----BEGIN HERE------------------------------------------------------------

From: Institutional Security Office <iso@uusec.utah.edu>
Subject: URGENT: Attention all Unix and Network Administrators


Attention all Unix and Network Administrators,

The University of Utah Institutional Security Office has been noticing a
major influx in traffic, both inbound and outbound, looking for known
vulnerabilities in various Unix platforms.  This traffic increase has
resulted in the discovery of several Unix hosts on campus that have been
compromised and set up to act as a launching platform for a variety of
Denial of Service (DOS) attacks, via one or more of the following: SYN,
ICMP, SMURF, and UDP.  The known packages installed on these platforms are
one or more of the following hacks: BOB, trin00, and TFN. These packages
are true DOS packages, with the trin00 being the most elaborate.  The
potential of these packages running in parallel would bring any network to
a stand still, making the Morris worm look like a packet collision.

Since the end of July, we have been attempting to determine a machine
profile and fingerprint to assist in discovering machines that have been
compromised.  These attempts have been successful in many casees, but have
not, and will not, put an end to discovery of vulnerable machines.  In
early
December we became aware that previously discovered machines were part of
the distributed intruder tools trin00 and/or TFN.  We feel the clock may
run out at any time for widespread launch these tools, and we do not have
enough resources to identify, what is potentially several hundred, machines
on Campus that have been compromised.

We have a list of known daemons that are being hacked to acquire access to
a machine and have one or more of the distributed DOS packages installed.
If you are running any of these (unpatched) packages your machine has
probably already been compromised.

These known daemons are, but not limited to:
        nfsd
        sunrpc
        statd
        ttbdserved
        cmsd
        sadmind
        linux-config / tacnews
If you are running any of the above as distributed with your system, and
have not tripwired your binaries, you will need to look at your system.
Known trojaned programs include:
        inetd
        initd
        ls
        ps
        netstat
Known locations of DOS binaries include:
        /tmp/
        /usr/share/man/tmp
        /use/man/tmp
        /dev
        /proc
        various subdirectories like "...", ". ^H" dot-space-backspace.
Known DOS ports include:
        98              <-- Linux configuration port
        1337
        1524
        6969
        27665
        27444
        31335
In many cases crontab entries have been made to launch the DOS binaries.
The DOS binaries often are named 'ns', 'xterm', or other common UNIX
style name.

Please note the above information may not be complete.  If you find any
anomolies, please inform <iso@uusec.utah.edu>.
Comment 1 Trond Eivind Glomsrxd 2000-09-13 18:52:20 EDT
linuxconf network access is no longer started by default.

Note You need to log in before you can comment on or make changes to this bug.