SDSC Security Bulletin 97.06

Original Issue Date: 1997/11/13
Version: $Id: 97.06.mathgrad.ucsd,v 1.4 1997/11/13 19:06:08 tep Exp $
Topic: compromised systems at UCSD

________________________________________________________________________________

There was a compromise of at least two machines at UCSD's math department. The two known-compromised machines are mathgrad.ucsd.edu and euclid.ucsd.edu.

This incident included "root compromises" and the installation of password sniffers on at least two hosts. It is also possible that "Trojan Horse" versions of login, telnetd, etc. could have been installed. It is known that plaintext passwords for numerous accounts at several sites were collected by the sniffer(s), and that these two machines were also used to launch probes and attacks at several sites.

If you have accessed SDSC or other hosts from these two machines, or via network paths that traverse the networks on which these machines reside, you are *STRONGLY* advised to change your passwords immediately and to begin using "secure" access methods such as Kerberos and SSH to access your SDSC and NPACI accounts.

This warning applies only to the two hosts listed and the 132.239.145.* subnet at UCSD. The time frame of this incident is approximately 1 Oct 1997 until 1 November 1997.

I. Description

At some point in early October (possibly earlier), intruders succeeded in gaining root access on either mathgrad.ucsd.edu or euclid.ucsd.edu, via some (as yet unknown) method. They were then able to install a network password sniffer. The sniffer (probably) then led to the root compromise of the other host and the installation of another sniffer.

II. Impact

It is known that several accounts at several sites had their account information, including plaintext passwords, gathered by one or more password sniffers, as their users accessed these systems from the two compromised UCSD systems. These two hosts were also used to probe and attempt intrusions at several other sites.

III.
Solution

All users who have accessed SDSC (or other) computer systems from these two UCSD systems (or vice versa) *must* change their passwords on any system for which the plaintext passwords were used from these two hosts, or across the 132.249.145.* subnet.

SDSC makes several tools available to avoid password sniffing attacks, and all users are encouraged to use them.

*** The use of non-plaintext-password user authentication (such as SSH) will be mandatory for access to NPACI resources after 1 April 1998. Users are *strongly* encouraged to use SSH (or Kerberos, where available) for access to SDSC computers. ***

Kerberos, Secure Shell (SSH), S/Key and SecureNetKey (SNK) "smart" cards are all supported at SDSC. For all of these, the software is freely redistributable and widely available (subject to US cryptographic export controls). SNK cards are available for purchase (approx. US$40) or may be made available to some SDSC users at no charge.

Kerberos and SSH servers are running on all workstations and all supercomputers at SDSC. (Note: SSH and Kerberos are not currently available for t94.sdsc.edu, but will be installed as soon as the ports are complete.)

Kerberos client software is now available at SDSC in /usr/local/apps/krb5, and pre-registration is required.

Users must acquire SSH client software for themselves at this time. There is no special registration required to use SSH. Information on SSH is available at:

    http://www.sdsc.edu/projects/ssh/ssh.html

For general information on SDSC Security Activities, see:

    http://www.sdsc.edu/Security/References/security_faq.stable

IV. Detecting an attack

All users should ALWAYS check the "last login time and place" which is presented each time they log in to any UNIX system.
For example:

------------
San Diego Supercomputer Center
CRAY C90 with 8 CPUs and 256 MW running UNICOS 9.0.1ai

Last successful login was : Tue Apr 8 21:06:32 from galt.sdsc.edu
------------

If this time seems unusual, or the host is not what you expect, please contact SDSC Operations at +1.619.534.5090 immediately. SDSC Operations is available 24 hours a day, and can page the on-call security person if necessary.

If you find unusual files or directories in your account, or have files that have been moved or removed, or other reason to believe that someone has made use of your account, please contact SDSC.

V. Acknowledgments

Information in this bulletin was produced by various sources at UCSD and Tom Perrine at SDSC.

San Diego Supercomputer Center: http://www.sdsc.edu
Pacific Institute of Computer Security: http://www.sdsc.edu/GatherScatter/GSspring96/perrine.html
San Diego Regional Information Watch: http://www.sdriw.org

VI. Disclaimers

Copyright 1997 San Diego Supercomputer Center. The material in this security alert is for the use of the NPACI and SDSC user community, and may NOT be reproduced or distributed, without prior written permission, in whole or in part.
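The check described in section IV, written out as an added example (not part of the original bulletin or any SDSC tool): it parses the UNICOS-style "Last successful login" line shown above and flags a login that is later than the user's own previous session, that came from a host the user does not normally use, or that came from one of the hosts the bulletin names as compromised. The banner text, the trusted-host set and the user's remembered login time are constructed sample inputs.

```python
import re
from datetime import datetime

# Hosts the bulletin names as compromised; callers may pass a larger set.
BULLETIN_COMPROMISED_HOSTS = {"mathgrad.ucsd.edu", "euclid.ucsd.edu"}

# The "last login" line in the format UNICOS printed it in the bulletin.
LAST_LOGIN_RE = re.compile(
    r"Last successful login was\s*:\s*"
    r"(?P<when>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+from\s+(?P<host>\S+)"
)

def parse_last_login(banner, year):
    """Return (datetime, host) from a login banner, or None if no such line.
    The banner carries no year, so the caller must supply it."""
    m = LAST_LOGIN_RE.search(banner)
    if m is None:
        return None
    when = " ".join(m.group("when").split())  # collapse padded day numbers
    stamp = datetime.strptime(f"{when} {year}", "%a %b %d %H:%M:%S %Y")
    return stamp, m.group("host").lower().rstrip(".")

def assess_last_login(banner, year, my_last_login, trusted_hosts,
                      compromised_hosts=BULLETIN_COMPROMISED_HOSTS):
    """Classify the banner the way the bulletin asks users to: is the host one
    I use, and does the time match my own previous session? Returns a verdict
    string; anything other than "ok" is a reason to contact operations."""
    parsed = parse_last_login(banner, year)
    if parsed is None:
        return "no-last-login-line"
    stamp, host = parsed
    if host in compromised_hosts:
        return "known-compromised-host"
    if host not in {h.lower() for h in trusted_hosts}:
        return "untrusted-host"
    if stamp > my_last_login:           # someone logged in after I last did
        return "login-after-my-last-session"
    return "ok"

# Constructed sample banner in the format the bulletin shows.
SAMPLE_BANNER = (
    "San Diego Supercomputer Center\n"
    "CRAY C90 with 8 CPUs and 256 MW running UNICOS 9.0.1ai\n"
    "Last successful login was : Tue Apr 8 21:06:32 from galt.sdsc.edu\n"
)

if __name__ == "__main__":
    stamp, _ = parse_last_login(SAMPLE_BANNER, 1997)
    print(assess_last_login(SAMPLE_BANNER, 1997, stamp, {"galt.sdsc.edu"}))
```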