[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : DEC/Ultrix 3.0 Systems

Title: DEC/Ultrix 3.0 Systems
Released by: CERT
Date: 17th October 1989
Printable version: Click here

Hash: SHA1


Last Revised: September 17, 1997

                Attached copyright statement    

                                 CERT Advisory

                                October 17, 1989

                             DEC/Ultrix 3.0 Systems

- -----------------------------------------------------------------------------

Recently, the CERT/CC has been working with several Unix sites that have

experienced breakins.  Running tftpd, accounts with guessable passwords

or no passwords, and known security holes not being patched have been the

bulk of the problems.

The intruder, once in, gains root access and replaces key programs

with ones that create log files which contain accounts and passwords in

clear text.  The intruder then returns and collects the file.  By using

accounts which are trusted on other systems the intruder then installs

replacement programs which start logging.

There have been many postings about the problem from several other net

users.  In addition to looking for setuid root programs in users' home

directories, hidden directories '..  ' (dot dot space space), and a modified

telnet program, we have received two reports from Ultrix 3.0 sites that

the intruders are replacing the /usr/bin/login program.  The Ultrix security

hole being used in these attacks is only found in Ultrix 3.0.

Suggested steps:

        1) Check for a bogus /usr/bin/login.  The sum program reports:

                27379    67     for VAX/Ultrix 3.0

        2) Check for a bogus /usr/etc/telnetd.  The sum program reports:

                23552    47     for VAX/Ultrix 3.0

        3) Look for .savacct in either /usr/etc or in users' directories.

           This may be the file that the new login program creates.  It

           could have a different name on your system.

        4) Upgrade to Ultrix 3.1 ASAP.

        5) Monitor accounts for users having passwords that can be found in

           the /usr/dict/words file or have simple passwords like a persons

           name or their account name.

        6) Search through the file system for programs that are setuid root.

        7) Disable or modify the tftpd program so that anonymous access to

           the file system is prevented.

If you find that a system that has been broken into,  changing the password

on the compromised account is not sufficient.  The intruders do remove copies

of the /etc/passwd file in order to break the remaining passwords.  It is best

to change all of the passwords at one time.  This will prevent the intruders

from using another account.

Please alert CERT if you do find a problem.

- -----------------------------------------------------------------------------

Computer Emergency Response Team (CERT)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890

Internet: cert@cert.org

Telephone: 412-268-7090 24-hour hotline: CERT personnel answer

           7:30a.m.-6:00p.m. EST, on call for

           emergencies other hours.

Past advisories and other information are available for anonymous ftp

from cert.org (

- ----------------------------------------------------------------------------

Copyright 1989 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision history:

September 17, 1997  Attached copyright statement


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.