[10101] in Athena Bugs
This landed in my mailbox and Marc said I should forward it.
daemon@ATHENA.MIT.EDU (Christopher Provenzano)
Sun Nov 29 18:18:21 1992
To: bugs@Athena.MIT.EDU
Date: Sun, 29 Nov 92 18:16:53 EST
From: Christopher Provenzano <proven@Athena.MIT.EDU>
------- Forwarded Message
Received: from ATHENA-AS-WELL.MIT.EDU by po7.MIT.EDU (5.61/4.7) id AA25473; Tue, 24 Nov 92 15:54:40 EST
Received: from ceme.eng.umd.edu by Athena.MIT.EDU with SMTP
id AA26491; Tue, 24 Nov 92 15:54:37 EST
Received: from bacchus.eng.umd.edu
by ceme.eng.umd.edu (5.65c/IDA-1.4.4) with SMTP
id AA09893; Tue, 24 Nov 1992 15:54:30 -0500
Rcpt to:mailed to <proven@ceme.eng.umd.edu>
Received: from umd5.umd.edu
by bacchus.eng.umd.edu (5.65c/IDA-1.4.4) with SMTP
id AA18903; Tue, 24 Nov 1992 15:54:28 -0500
Rcpt to:mailed to <proven@eng.umd.edu>
Received: from falstaff.umd.edu by umd5.umd.edu id <AA02195@umd5.umd.edu>; Tue, 24 Nov 92 15:52:21 -0500
From: Kathryn M. Orhelein <kathy@umd5.umd.edu>
Received: by falstaff.umd.edu id <AA14397@falstaff.umd.edu>; Tue, 24 Nov 92 15:52:15 -0500
Date: Tue, 24 Nov 92 15:52:15 -0500
Message-Id: <9211242052.AA14397@falstaff.umd.edu>
To: esl-ultrix-mgrs@umd5.umd.edu
Nov 24, 1992
To: DEC ESL Ultrix Managers
From: Kathy Orhelein
esl-ultrix-support@umail
x52961
Subj: URGENT Ultrix Notice #5 ***** T H I S I S I M P O R T A N T *****
There is a serious security problem on Ultrix 4.2a systems that involves
/usr/ucb/rdist. There has been a breakin using rdist which replaced
/usr/ucb/telnet with a modified version that records userids and passwords.
If you are running Ultrix 4.2a, you should check your system to see if
anything has been changed and replace rdist. As soon as possible, you
should upgrade to 4.2b. 4.2b is a set of security patches.
1. To check your system for modified /bin/sh:
# ls -alg /bin/sh
-rwxr-xr-x 1 root system 45056 Nov 15 1991 /bin/sh
a corrupted system will likely have the setuid bit set.
-rwsr-xr-x 1 root system 45056 Nov 15 1991 /bin/sh
if so, change it
# chmod 755 /bin/sh
2. Check your entire system for other setuid programs owned by root.
The command to check for setuid programs is /etc/ncheck. For
instance,
/etc/ncheck -s /dev/rz0a | grep -v /dev
Our systems lists the following programs.
2108 /bin/ps
2167 /bin/fsck
2175 /bin/rrestore
You should run this on every local filesystem on your system.
You should check your systems daily for setuid programs and check
any differences from the previous day. The following is an example
from our daily run.
d=/usr/adm
echo "checking setuid files in root filesystem:"
/etc/ncheck -s `awk -F: '$2=="/" {print $1}' /etc/fstab` |
grep -v ' /dev/' > $d/check.today
chmod 400 $d/check.today
if [ -f $d/check.bak ]; then :; else touch $d/check.bak; fi
if cmp -s $d/check.bak $d/check.today 2> /dev/null; then :; else
echo "*** New setuid files in root filesystem:"
diff $d/check.bak $d/check.today
mv $d/check.bak $d/check.bak2
mv $d/check.today $d/check.bak
fi
3. You can tell if you telnet has been changed by checking the checksum.
# sum /usr/ucb/telnet
43715 168
The checksum should be 43715. If not, replace it. The 4.2a telnet
can be anonymous ftp'd from falstaff.umd.edu, and is located in the
pub directory as telnet.4.2a. It should be placed in /usr/ucb.
# ls -alg /usr/ucb/telnet
-rwxr-xr-x 1 bin bin 172032 Nov 15 1991 /usr/ucb/telnet
4. The rdist program should be replaced with the fixed version (from 4.2b).
It is currently anonymous ftp'able from falstaff.umd.edu, and is
located in the pub directory as rdist.4.2b. It should be placed in
/usr/ucb.
# ls -alg /usr/ucb/rdist
-rwsr-x--x 1 root system 172032 Nov 24 13:21 /usr/ucb/rdist
If you have any questions, please call.
Kathy Orhelein x52961
------- End of Forwarded Message