The Telnet Trojan



                Computer Incident Advisory Capability
                        Information Bulletin

                                                        October 9, 1989
                                                        Notice A-1

        CIAC (the Computer Incident Advisory Capability) has learned
of a series of attacks on a set of UNIX computers attached to the
Internet.  This series of attacks targets anonymous ftp to gain access
to the password file, then uses accounts from that file that use
easily guessed passwords to gain access to the machine.  Once access
is gained to the machine, a trojan horse is installed in the Telnet
program (as described in a previous CIAC bulletin) to record further
user accounts and passwords.  The TFTP facility has also been utilized
in this sequence of breakins.  This bulletin describes the nature of
the threat, and suggests a procedure to protect your computers.

        This is a limited distribution information bulletin to warn
your site of a series of hacker/cracker attacks on the Internet.  This
bulletin is being sent to you because our records indicate that your
site is connected to the Internet.  Please inform CIAC if this is not
true.  Also, if you are not the CPPM or CSSM for your site, will you
please promptly forward this bulletin to that person or persons?

        There has been a series of breakins into UNIX machines
connected to the Internet.  These breakins at first were largely into
systems in North and South Carolina, but they have spread rapidly.
They appear to be the work of a group of hackers with fairly
identifiable patterns of attack.  You should be aware of these attack
patterns, and should take measures described below to prevent breakins
at your site.

        The attackers are using anonymous ftp (the ability to use ftp
as a guest) to obtain copies of an encrypted password file for a
machine.  They then decrypt passwords, and use them to log into an
account on that machine.  They become a root user, then install the
trojan horse version of Telnet, about which CIAC alerted you nearly
two months ago.  This trojan horse collects passwords of Telnet users,
which the hackers then use to break into other machines.  The hackers
are also using .rhosts and hosts.equiv to gain entry into other systems
once they have broken into a new machine.  The TFTP facility is also
used to gain access to a machine.

        The attackers have not been destroying files or damaging
systems.  To avoid being detected and/or monitored, however, they have
often waited for several weeks or even longer after obtaining
passwords to break into a system.  This threat seems to center around
systems that have not installed the distributed patches to already
known vulnerabilities in the UNIX operating system.

        CIAC recommends that you take three courses of action:

        1) Look for connections between machines in your network and
host machines that would not normally be connected to your site.  If
many of these connections exist, there is a strong possibility that
they may not be legitimate.

        Currently many of these unauthorized connections and attacks
have been using:

        - universities in North and South Carolina
        - universities in Boston
        - universities and computer companies in the California
          Berkeley/Palo Alto area

Any unusual and unexplained activity from these locations is worth
special attention, as it is likely to be an attack.

        2) Look for the Telnet trojan horse, using the command:

           strings `which telnet` | grep  \@\(\#\) | grep  on/off

Any lines that are printed from this command indicate that you have
been affected by the trojan horse.  If you discover that you have been
affected by the trojan horse program, please contact CIAC for recovery


        3) If the hosts.equiv file contains a "+", unauthorized users
can gain entry into a system.  You should therefore inform system
managers that they should remove "+" from any hosts.equiv files.
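
The check in step 3, as an added example that is not part of the
original bulletin.  It goes beyond the text by also covering .rhosts
files and a "+" in the user field.  The function names and the
treatment of "#" as a comment character are assumptions.

```sh
#!/bin/sh
# Added example (not from the CIAC bulletin): flag wildcard "+" entries
# in hosts.equiv / .rhosts style trust files.
# Assumption: entries are "host [user]" per line and "#" starts a comment.

# find_wildcards FILE
# Prints "FILE:LINENO:ENTRY" for every entry whose host or user field is
# a bare "+".  Returns 0 if at least one was found, 1 otherwise.
# "+@netgroup" entries are not a bare "+" and are not flagged here.
find_wildcards() {
    awk -v f="$1" '
        { sub(/#.*/, "") }            # drop comments; awk re-splits fields
        NF == 0 { next }              # skip blank or comment-only lines
        $1 == "+" || $2 == "+" {      # bare "+" trusts every host or user
            $1 = $1                   # normalise whitespace before printing
            printf "%s:%d:%s\n", f, NR, $0
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_trust_files FILE...
# Runs find_wildcards over every readable file named on the command line
# and returns 0 if any of them contains a wildcard entry, 1 otherwise.
audit_trust_files() {
    hits=1
    for f in "$@"; do
        [ -r "$f" ] || continue       # silently skip files that do not exist
        if find_wildcards "$f"; then
            hits=0
        fi
    done
    return "$hits"
}

# Typical call (the home directory layout is an assumption):
#   audit_trust_files /etc/hosts.equiv /.rhosts /home/*/.rhosts
```

Every line printed names a file, line number and entry to remove.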

        Please refer questions to:

        CIAC, Thomas Longstaff
        Lawrence Livermore National Laboratory
        P.O. Box 808
        Livermore, CA  94550
        (415) 423-4416 or (FTS) 543-4416

