New IRIX security threat
daemon@ATHENA.MIT.EDU (Bob Mahoney)
Mon Feb 14 12:45:47 2000
Mime-Version: 1.0
Message-Id: <v04220805b4cdec3b8170@[18.177.0.98]>
Date: Mon, 14 Feb 2000 12:45:04 -0500
To: security-fyi@mit.edu
From: Bob Mahoney <bobmah@MIT.EDU>
Cc: security-internal@mit.edu
-----BEGIN PGP SIGNED MESSAGE-----
The Security Team has been investigating a series of recent breakins
to IRIX machines running version 6.2 and earlier. We do not yet know
the mechanism involved, but we want to share what we currently do
know. Note that this problem may exist on more recent versions as
well, although that has not yet been observed.
These breakins have been observed on machines where all well known
compromises have been patched. The most obvious indicator is the
presence of the account "rox" in the /etc/passwd file or as
an icon on the login screen.
If you find this account on your system, you should disable it.
Before disabling the account, please send a copy of the line with the
rox account in it from the /etc/passwd file, along with the file
/etc/inetd.conf and the output of the command chkconfig, to
net-security@mit.edu
To disable the account:
place a * in the password field of the line in /etc/passwd. The
password field is the set of characters after "rox:".
For example, to disable the following account:
rox:akFJdxenKnyS.:6800:20:LsD:/tmp/.new:/bin/csh
change the string akFJdxenKnyS. to a *, so the line appears as follows:
rox:*:6800:20:LsD:/tmp/.new:/bin/csh
Also, in your email, please indicate whether or not the "rox" account
had any files in it -- this would be in the directory /tmp/.new and
the name of those files.
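The following is an added example, not part of Bob Mahoney's message: a small POSIX shell script that checks a passwd file for the "rox" indicator account described above, lists whatever the account left in its home directory, and produces the locked form of the line (password field replaced with *) on a copy rather than editing /etc/passwd in place. The constructed sample passwd entries and the temporary file names are assumptions for demonstration.

```shell
#!/bin/sh
# Added example: detect the "rox" indicator account and prepare the locked
# passwd line. Works on a copy of the passwd file, never on /etc/passwd itself.

# Print the passwd line for account $1 from file $2 (nothing if absent).
find_account() {
    grep "^$1:" "$2"
}

# Exit status 0 if account $1 exists in passwd file $2, 1 otherwise.
account_present() {
    find_account "$1" "$2" >/dev/null
}

# Replace the second colon-separated field (the password hash) of one passwd
# line with "*", leaving uid, gid, gecos, home and shell untouched.
lock_line() {
    printf '%s\n' "$1" | awk -F: 'BEGIN { OFS = ":" } { $2 = "*"; print }'
}

# Write passwd file $2 to $3 with account $1 locked; all other lines unchanged.
lock_account_copy() {
    awk -F: -v acct="$1" 'BEGIN { OFS = ":" } $1 == acct { $2 = "*" } { print }' \
        "$2" > "$3"
}

# List the contents of the account's home directory (dotfiles included), so the
# report to net-security can say whether /tmp/.new held any files.
list_home_files() {
    [ -d "$1" ] && ls -A "$1"
}

# Constructed sample passwd data; the rox line is the one quoted in the advisory.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:Super-User:/:/bin/sh
rox:akFJdxenKnyS.:6800:20:LsD:/tmp/.new:/bin/csh
guest:x:998:998:Guest:/usr/people/guest:/bin/csh
EOF

if account_present rox "$SAMPLE_PASSWD"; then
    echo "indicator account found: $(find_account rox "$SAMPLE_PASSWD")"
    echo "locked form: $(lock_line "$(find_account rox "$SAMPLE_PASSWD")")"
    echo "files in /tmp/.new:"; list_home_files /tmp/.new
fi
```

Run the check against a copy of /etc/passwd (for example `cp /etc/passwd /tmp/passwd.copy` and point SAMPLE_PASSWD at it) and only apply the locked line to the real file after sending the requested copy to net-security.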
Thank you for your cooperation.
--Bob Mahoney, for the Network Security Team
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
-----END PGP SIGNATURE-----