pure poison

From: Oyanarte Portilho <portilho_at_fis.unb.br>
Date: Fri, 15 Jan 1999 18:03:36 -0200

Hi Gurus,

This is not specifically a DU matter but I think it is of interest
to all managers.

I am in an Institute of Physics and we have more than 100 machines
running DU, SunOS, AIX, Linux, WinNT and plain Windows in our subnet.
Yesterday afternoon one of the PCs running Linux was invaded by a
hacker who installed a program originally named "lins" (7 kb) and then
renamed as "httpd" and stored in /home/ / (a directory with blank
name under /home). He/she also installed at /dev the "device"
hdf014 (302 kb). Then started the fake httpd executable in
background as root. As a result, an ASCII file named .fg was generated,
containing, guess what, all telnet and ftp logins with usernames and
respective passwords that occurred in all machines in our subnet from
that time on. I do not know if the fake httpd exploits any vulnerability
of the real Apache httpd daemons that were running on the Linux machines
(later in the evening 5 more machines were targeted successfully) or
this was just a way to run the executable unnoticed, covered by a
common name. If it depends on Apache or on any other name server daemon
then a way to diagnose its presence is by detecting two httpd's running
under the root account: one is the real one and the other is the fake.
The other httpd's running under "nobody" apparently are not harmful.

Now imagine how dangerous this fake httpd is: any institution or
organization can have almost all passwords broken in a week or so
by one such Linux intruder.

We do not know what to do in order to defend ourselves other than
changing all passwords in all machines. Our DU workstations have C2
security and AIX and SunOS have shadowed passwords. But the Linux
PCs do not. So we are going to take care of that. The problem is
that any fragility in any machine is enough to destroy the rest.
Would you have any pointers for me? Have you faced this kind of
attack?

Best Wishes,

        Oyanarte Portilho
        Institute of Physics
        University of Brasilia, Brazil
Received on Fri Jan 15 1999 - 20:05:33 NZDT
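
The three indicators described in the message above (more than one root-owned httpd, a blank-named directory under /home, a regular file among the device nodes in /dev) can be checked as follows. This is an added Python example, not part of the original post; the function names and the sample process listing are constructed for illustration, and the process input is assumed to be in `ps -eo user,pid,comm` format.

```python
import os
import stat

# Constructed sample in the format of `ps -eo user,pid,comm` (not data from the post).
SAMPLE_PS = """\
USER       PID COMMAND
root       412 httpd
nobody     415 httpd
nobody     416 httpd
root      1893 httpd
root       101 syslogd
""".splitlines()

def root_httpd_pids(ps_lines, name="httpd"):
    """PIDs of root-owned processes named `name`; the post treats two as suspect."""
    pids = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "root":
            # Accept either a bare command name or a full path with arguments.
            if os.path.basename(parts[2].split()[0]) == name:
                pids.append(int(parts[1]))
    return pids

def blank_named_dirs(home):
    """Directories directly under `home` whose name is only whitespace."""
    return sorted(e.path for e in os.scandir(home)
                  if e.is_dir(follow_symlinks=False) and e.name.strip() == "")

def regular_files_in_dev(dev):
    """(path, size) of regular files under `dev`, where device nodes are expected."""
    hits = []
    for dirpath, _dirs, files in os.walk(dev):
        for fname in files:
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)  # lstat: do not follow symlinks out of /dev
            if stat.S_ISREG(st.st_mode):
                hits.append((path, st.st_size))
    return sorted(hits)

if __name__ == "__main__":
    pids = root_httpd_pids(SAMPLE_PS)
    if len(pids) > 1:
        print("more than one root-owned httpd:", pids)
    for d in (blank_named_dirs("/home") if os.path.isdir("/home") else []):
        print("blank-named directory:", repr(d))
    for path, size in regular_files_in_dev("/dev"):
        print("regular file in /dev:", path, size, "bytes")
```

Some systems legitimately keep a few regular files under /dev, so hits from the last check are leads to review rather than proof of compromise.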
