[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Telnet Breakin Warning

Title: Telnet Breakin Warning
Released by: CERT
Date: 16th August 1989
Printable version: Click here

Hash: SHA1


Last Revised: September 16, 1997

                Attached copyright statement

                                 CERT Advisory

                                August 16, 1989

                            Telnet Breakin Warning

- ----------------------------------------------------------------------------

Many computers connected to the Internet have recently experienced

unauthorized system activity.  Investigation shows that the activity

has occurred for several months and is spreading.  Several UNIX

computers have had their "telnet" programs illicitly replaced with

versions of "telnet" which log outgoing login sessions (including

usernames and passwords to remote systems).  It appears that access

has been gained to many of the machines which have appeared in some of

these session logs.  (As a first step, frequent telnet users should

change their passwords immediately.)  While there is no cause for

panic, there are a number of things that system administrators can do

to detect whether the security on their machines has been compromised

using this approach and to tighten security on their systems where

necessary.  At a minimum, all UNIX site administrators should do the


o Test telnet for unauthorized changes by using the UNIX "strings"

  command to search for path/filenames of possible log files.  Affected

  sites have noticed that their telnet programs were logging information

  in user accounts under directory names such as "..." and ".mail".

In general, we suggest that site administrators be attentive to

configuration management issues.  These include the following:

o Test authenticity of critical programs - Any program with access to

  the network (e.g., the TCP/IP suite) or with access to usernames and

  passwords should be periodically tested for unauthorized changes.

  Such a test can be done by comparing checksums of on-line copies of

  these programs to checksums of original copies.  (Checksums can be

  calculated with the UNIX "sum" command.)  Alternatively, these

  programs can be periodically reloaded from original tapes.

o Privileged programs - Programs that grant privileges to users (e.g.,

  setuid root programs/shells in UNIX) can be exploited to gain

  unrestricted access to systems.  System administrators should watch

  for such programs being placed in places such as /tmp and /usr/tmp (on

  UNIX systems).  A common malicious practice is to place a setuid shell

  (sh or csh) in the /tmp directory, thus creating a "back door" whereby

  any user can gain privileged system access.

o Monitor system logs - System access logs should be periodically

  scanned (e.g., via UNIX "last" command) for suspicious or unlikely

  system activity.

o Terminal servers - Terminal servers with unrestricted network access

  (that is, terminal servers which allow users to connect to and from

  any system on the Internet) are frequently used to camouflage network

  connections, making it difficult to track unauthorized activity.

  Most popular terminal servers can be configured to restrict network

  access to and from local hosts.

o Passwords - Guest accounts and accounts with trivial passwords

  (e.g., username=password, password=none) are common targets.  System

  administrators should make sure that all accounts are password

  protected and encourage users to use acceptable passwords as well as

  to change their passwords periodically, as a general practice.  For

  more information on passwords, see Federal Information Processing

  Standard Publication (FIPS PUB) 112, available from the National

  Technical Information Service, U.S. Department of Commerce,

  Springfield, VA 22161.

o Anonymous file transfer - Unrestricted file transfer access to a

  system can be exploited to obtain sensitive files such as the UNIX

  /etc/passwd file.  If used, TFTP (Trivial File Transfer Protocol -

  which requires no username/password authentication) should always be

  configured to run as a non-privileged user and "chroot" to a file

  structure where the remote user cannot transfer the system /etc/passwd

  file.  Anonymous FTP, too, should not allow the remote user to access

  this file, or any other critical system file.  Configuring these

  facilities to "chroot" limits file access to a localized directory


o Apply fixes - Many of the old "holes" in UNIX have been closed.

  Check with your vendor and install all of the latest fixes.

If system administrators do discover any unauthorized system activity,

they are urged to contact the Computer Emergency Response Team (CERT).

- -----------------------------------------------------------------------------

Computer Emergency Response Team (CERT)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890

Internet: cert@cert.org

Telephone: 412-268-7090 24-hour hotline: CERT personnel answer

           7:30a.m.-6:00p.m. EST, on call for

           emergencies other hours.

Past advisories and other information are available for anonymous ftp

from cert.org (

- ----------------------------------------------------------------------------

Copyright 1989 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://info.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision History:

September 16,1997  Attached copyright statement


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.