[497] in linux-security and linux-alert archive
'ypupdated' hole, system crackers.
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Sun Dec 3 20:03:34 1995
Date: Sun, 3 Dec 1995 19:28:20 -0500
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu,
    bugtraq@crimelab.com, big-linux@netspace.org

There is a hole, apparently quite serious, in the NIS program
'ypupdated'. CERT, among others, has confirmed the existence of a hole,
and it appears to be under active exploitation by crackers who use it as
one of many methods to illicitly gain privileged access to
systems/sites.

If you are running it on any of your systems, you should probably kill
it until this issue is resolved/patched. NIS server systems running
SunOS 4.1.x variants seem to be the favored target systems in this
current series of attacks.

Also, please check the directory /usr/share/src/sun/sunview1/examples/fonts
for signs of cracker tools on any Suns that you administrate; this
appears to be a favorite area for hiding "kits" and sniffers in a
currently-active attack pattern. If you find anything in that area
(even the existence of the "fonts" sub-directory should be considered
suspicious), please immediately dump the area to tape and contact
juphoff@nrao.edu and/or cert@cert.org; it is likely that the system has
been badly compromised.

--Up.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | jeff.uphoff@linux.org
Charlottesville, VA, USA | http://linux.nrao.edu/~juphoff/
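
The two checks the message asks for, as an added read-only triage script in POSIX sh (an example written for this archive page, not part of the original post). The ROOT prefix argument, the constructed sample listing, and the use of RPC program number 100028 for ypupdated (as in the usual /etc/rpc) are assumptions.

```shell
#!/bin/sh
# Added example: read-only triage for the two conditions named in the advisory.
FONTS_REL="usr/share/src/sun/sunview1/examples/fonts"   # path from the advisory

# Constructed sample of `rpcinfo -p` output (not from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   udp    111  portmapper
    100004    2   udp    660  ypserv
    100028    1   tcp    672  ypupdated'

# Succeeds if the portmapper listing on stdin registers ypupdated, matched by
# service name or by RPC program number 100028 (assumed from the usual /etc/rpc).
ypupdated_registered() {
    awk '$1 == "100028" || $NF ~ /ypupdated/ { found = 1 } END { exit !found }'
}

# Succeeds if the "fonts" sub-directory (or a symlink by that name) exists
# under ROOT, a hypothetical prefix for checking a mounted disk image.
fonts_dir_present() {
    root=${1:-/}
    [ -e "${root%/}/$FONTS_REL" ] || [ -L "${root%/}/$FONTS_REL" ]
}

# Reads a portmapper listing on stdin; exit status is the number of findings.
triage() {
    root=${1:-/}
    findings=0
    if ypupdated_registered; then
        echo "FINDING: ypupdated is registered with the portmapper"
        findings=$((findings + 1))
    fi
    if fonts_dir_present "$root"; then
        echo "FINDING: ${root%/}/$FONTS_REL exists"
        # stat only (-d): do not read the directory before it is dumped to tape
        ls -ldc "${root%/}/$FONTS_REL"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "no findings under $root"
    fi
    return "$findings"
}

# Demo on the constructed listing. On a live host: rpcinfo -p | triage /
printf '%s\n' "$SAMPLE_RPCINFO" | triage "${1:-/}" || true
```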