1. Apology in advance to those who receive more than once; howsomever, that's what the delete key is for.

2. Down and Dirty: Mid-December, someone started up in Texas, jumped to a commercial site on the east coast, jumped to one of our computers, jumped to an .edu site near here and then went to a commercial site and trashed some files. That's history.

3. On 15 December, I sent the following to the onsite administrators:

   "What's going on: A couple of systems have been penetrated here and at other National Laboratory sites. Some are suspected of sniffers and trojaned login files. Some .log files were truncated. CSO's [LLNL Computer Security Organization] damage assessment is underway now. What we specifically know at this point was that the individual logged in as Root, deleted log files and the application that was supposed to watch them. The source appears to be someone who found a security hole in a major network provider and was busy for a while until the configuration management software detected an error.

   Before the "what line" gets flooded, let's get back to the square one basic good business practice checklist:
   a. all patches installed?
   b. minimum numbers for root access?
   c. smart card or one-time password for root access?
   d. passwords changed recently?
   e. checked configuration?
   f. proactive security management?
   g. checked for sniffers?
   h. deleted dormant/gone users?
   i. reviewed the CSO hacker workgroup report?
   j. know where your sensitive stuff is and how well it is protected?

   [..] (who to call at LLNL)

   Make sure Computer Security at LLNL is informed of our problems; we can't help you solve them if we are not told. Use applications such as SPI 3.2.1 (available only to DOD/DOE sites), Tripwire, XWatch and Watch. Be more observant of your log and wtmp files. Remember, it's the season to expect unexpected 'presents'."

4. Today, I received DDN Bulletin 9501 which reported that there has been an increase in reports of root compromises caused by intruders using tools to exploit a number of Network File System (NFS) vulnerabilities. Sound familiar?

5. The post-holiday season is probably a good time to review some of our "orphans" out there. They are the ones that traditionally get had. Check 'em out.

6. I'm hot now! It seems that something has been going on for about two months and I've been left in the dark again until one of my systems has been had. Have any of you experienced NFS, root grabs, increase in sniffer activity, or automated attacks? Sure was awful damn quiet for a traditional holiday vacation period. ANYONE want to share anything? I thought that's what we were all about: protecting ourselves, our data, our users and our customers.

CHECK THOSE LOGS AND WTMP FILES

frank

Frank Swift L-321 (Sent from Home)
Unclassified Computer Security Coordinator
Lawrence Livermore National Laboratory (LLNL)
7000 East Avenue L-321
Livermore CA 94550-9516
Voice: (510) 422-1463
FAX: (510) 423-0913
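As an added illustration of the checklist in item 3 and the NFS and log-truncation points in items 3 and 4 (this script is not part of the message above and is not LLNL's SPI, Tripwire, XWatch or Watch): a small POSIX shell audit that answers checklist items b (how many uid-0 accounts) and h (dormant users), lists NFS exports reachable from any client, and flags log or wtmp files that are smaller than a recorded baseline, which is what a truncated log looks like. All of the passwd, exports, login and file-size data is constructed sample text embedded in the script; on a real host you would feed it /etc/passwd, /etc/exports, the output of last, and a baseline of log sizes saved on an earlier run.

```shell
#!/bin/sh
# Added example, not from the original message. All inputs below are
# constructed sample data standing in for the real files on a host.

# Constructed /etc/passwd: two uid-0 accounts (root plus a stray "toor")
# and an ordinary account "oldguest" that has not logged in lately.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
toor:x:0:0:alt root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
oldguest:x:1002:1002:Guest:/home/oldguest:/bin/sh'

# Constructed recent-login records in the style of "last" output.
SAMPLE_LASTLOG='alice  pts/0  host.example  Mon Jan  9 08:12'

# Constructed /etc/exports: /home is restricted to one client, /pub has no
# host list at all, /opt uses a wildcard; the last two are open to anyone.
SAMPLE_EXPORTS='/home  lab-client.example(rw)
/pub   (ro)
/opt   *(rw)'

# Constructed log sizes: a baseline saved earlier and the sizes seen now.
# wtmp shrank from 40960 to 4096 bytes, which is what truncation looks like.
SAMPLE_BASELINE='/var/adm/wtmp 40960
/var/adm/messages 81920'
SAMPLE_CURRENT='/var/adm/wtmp 4096
/var/adm/messages 90112'

# Checklist item b: count accounts with uid 0. Anything beyond "root"
# deserves an explanation.
count_root_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 { n++ } END { print n + 0 }'
}

# Checklist item h: ordinary accounts (uid >= 1000) with no recent login.
dormant_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 >= 1000 { print $1 }' |
    while read -r user; do
        if ! printf '%s\n' "$SAMPLE_LASTLOG" | grep -q "^$user "; then
            printf '%s\n' "$user"
        fi
    done
}

# NFS exposure: an export whose host field is empty, starts with "(" (options
# only, no host) or starts with "*" is mountable by any client that can reach
# the server.
open_exports() {
    printf '%s\n' "$SAMPLE_EXPORTS" |
    awk '$2 == "" || $2 ~ /^\(/ || $2 ~ /^\*/ { print $1 }'
}

# Log/wtmp watch: report files whose current size is below the baseline.
# A log that got smaller was truncated or replaced; either way, look at it.
shrunk_logs() {
    printf '%s\n' "$SAMPLE_BASELINE" | while read -r f prev; do
        cur=$(printf '%s\n' "$SAMPLE_CURRENT" | awk -v f="$f" '$1 == f { print $2 }')
        if [ -n "$cur" ] && [ "$cur" -lt "$prev" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# One-screen summary for the administrator reading the checklist.
report() {
    echo "uid-0 accounts:              $(count_root_accounts)"
    echo "dormant accounts:            $(dormant_users | tr '\n' ' ')"
    echo "world-reachable NFS exports: $(open_exports | tr '\n' ' ')"
    echo "logs smaller than baseline:  $(shrunk_logs | tr '\n' ' ')"
}

report
```

On the constructed data the report shows two uid-0 accounts, one dormant account (oldguest), two open exports (/pub and /opt) and one shrunken log (/var/adm/wtmp). The size baseline is the part worth keeping from run to run: a log that only ever grows is normal, and the comparison is cheap enough to run from cron every night.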