I felt like the following reply to this message is of interest to all
alpha-osf-managers...
Bob
---------- Forwarded message ----------
Date: Thu, 28 Aug 1997 11:31:50 -0400 (EDT)
From: Bob Frady <bob_at_after10.com>
To: flamand_at_ec-lille.fr
Subject: SECURITY FAILURE IN 4.0B
The script you found indicates you have had a hacker break-in. I recently
had the same. Look for files called: eggdrop, bounce, b, and look for
funny directories such as: ..., .pico, .mail.

If it is the same group that hit me, you'll probably find those files.
They also added .rhosts to users' home directories, added a user entry to
the password file with no password, and added :0: group rights to all of the
users. I found evidence of mail bomb programs on the system and IP
spoofing utilities.
My advice is to immediately stop any access to the system, change ALL
users' passwords, implement enhanced security, verify the integrity of all
the system's binaries, check your password file for unauthorized accounts,
check your group file, and check ALL users' directories for unauthorized
or modified .rhosts files. Upgrade any older utilities such as sendmail,
bind, etc., and do a chmod 0 /usr/sbin/dop to fix the dop security hole. If
you check the alpha managers archive, there is information about this
particular hack...

Check ftp://info.cert.org; they have a checklist for a root compromise.

Good Luck! I spent about 4 days getting everything cleaned and fixed...
Bob
Received on Thu Aug 28 1997 - 17:56:57 NZST
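The checks Bob lists (empty-password and UID 0 accounts, users added to the GID 0 group, .rhosts files, and the tool names and odd dot directories) can be scripted. The following is an added example, not code from the original post or from the list; it assumes a tree with etc/passwd, etc/group and home/<user>/ under the directory passed as $1 (on a live host that would be /) and builds a constructed sample tree so it can be tried offline.

```sh
#!/bin/sh
# Added example, not part of the original post: a POSIX sh audit for the
# indicators the mail lists, run here against a constructed sample tree so
# it works offline. Assumption: the tree holds etc/passwd, etc/group and
# home/<user>/ under the directory passed as $1 (on a live host that is /).

# Constructed sample tree mimicking the compromise described above.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/etc" "$root/home/alice/..." "$root/home/carol"
  printf '%s\n' 'root:x:0:0:root:/:/bin/sh' \
                'alice:x:1000:1000::/home/alice:/bin/sh' \
                'backdoor::0:0::/:/bin/sh' > "$root/etc/passwd"   # no password, UID 0
  printf '%s\n' 'system:x:0:alice,carol' \
                'users:x:100:alice,carol' > "$root/etc/group"      # users put in GID 0
  printf '+ +\n' > "$root/home/alice/.rhosts"                      # trusts everyone
  : > "$root/home/alice/.../eggdrop"
  echo "$root"
}

# Print one line per finding, then the total count as the last line.
audit_tree() {
  root=$1; n=0
  # 1. password file: empty password fields, and UID 0 accounts other than root
  while IFS=: read -r user pw uid gid rest; do
    if [ -z "$pw" ]; then echo "passwd: '$user' has no password"; n=$((n+1)); fi
    if [ "$uid" = 0 ] && [ "$user" != root ]; then echo "passwd: '$user' has UID 0"; n=$((n+1)); fi
  done < "$root/etc/passwd"
  # 2. group file: anyone other than root listed as a member of a GID 0 group
  while IFS=: read -r grp pw gid members; do
    others=$(printf '%s' "$members" | tr ',' '\n' | grep -vx root || true)
    if [ "$gid" = 0 ] && [ -n "$others" ]; then
      echo "group: '$grp' (GID 0) has members: $members"; n=$((n+1))
    fi
  done < "$root/etc/group"
  # 3. home directories: .rhosts files, the tool names and odd dot directories named above
  hits=$(find "$root/home" \( -name .rhosts -o -name eggdrop -o -name bounce -o -name b \
         -o -name '...' -o -name .pico -o -name .mail \))
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed 's/^/fs: /'
    n=$((n + $(printf '%s\n' "$hits" | grep -c .)))
  fi
  echo "$n"
}

# Just the total, for scripting (0 means nothing matched).
count_findings() { audit_tree "$1" | tail -n 1; }
```

A name match such as a file called "b" is only a hint to look closer; verifying system binaries against known-good copies, as the mail advises, is what actually confirms a compromise.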