INTRUDERS ARE HERE

Frank Swift @ Home (uncl@llnl.gov)
Thu, 5 Jan 1995 21:56:49 -0800

1.  Apology in advance to those who receive more than once; howsomever,
that's what the delete key is for.

2.  Down and Dirty:  Mid-December, someone started up in Texas, jumped to a
commercial site on the east coast, jumped to one of our computers, jumped
to an .edu site near here and then went to a commercial site and trashed
some files.  That's history.

3.  On 15 December, I sent the following to the onsite administrators:
"What's going on:  A couple of systems have been penetrated here and at
other National Laboratory sites.  Some are suspected of sniffers and
trojaned login files.  Some .log files were truncated.  CSO's [LLNL
Computer Security Organization] damage assessment is underway now.  What we
specifically know at this point was that the individual logged in as Root,
deleted log files and the application that was supposed to watch them.  The
source appears to be someone who found a security hole in a major network
provider and was busy for a while until the configuration management
software detected an error.

Before the "what line" gets flooded, let's get back to the square one basic
good business practice checklist:

a.  all patches installed?
b.  minimum numbers for root access?
c.  smart card or one-time password for root access?
d.  passwords changed recently?
e.  checked configuration?
f.  proactive security management?
g.  checked for sniffers?
h.  deleted dormant/gone users?
i.  reviewed the CSO hacker workgroup report?
j.  know where your sensitive stuff is and how well it is protected?

[..] (who to call at LLNL)

Make sure Computer Security at LLNL is informed of our problems; we can't
help you solve them if we are not told.  Use applications such as SPI 3.2.1
(available only to DOD/DOE Sites) Tripwire, XWatch and Watch.  Be more
observant of your log and wtmp files.  Remember, it's the season to expect
unexpected 'presents'."

4.  Today, I received DDN Bulletin 9501 which reported that there has been
an increase in reports of root compromises caused by intruders using tools
to exploit a number of Network File System (NFS) vulnerabilities.  Sound
familiar?

5.  The post holiday season is probably a good time to review some of our
"orphans" out there.  They are the ones that traditionally get had.  Check
'em out.

6.  I'm hot now!  It seems that something has been going on for about two
months and I've been left in the dark again until one of my systems has
been had.  Have any of you experienced NFS, root grabs, increase in Sniffer
activity, or automated attacks?  Sure was awful damn quiet for a
traditional holiday vacation period.  ANYONE want to share anything?  I
thought that's what we were all about:  protecting ourselves, our data, our
users and our customers.

CHECK THOSE LOGS AND WTMP FILES
frank


Frank Swift L-321 (Sent from Home)
Unclassified Computer Security Coordinator
Lawrence Livermore National Laboratory (LLNL)
7000 East Avenue L-321 Livermore CA 94550-9516
Voice:  (510) 422-1463  FAX:  (510) 423-0913
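The post asks administrators to check their wtmp files for root logins and truncated logs. The following is an added example, not part of Frank Swift's message: it parses a wtmp file, lists root logins with their source host, and flags a trailing partial record, which is one sign that the file was truncated or overwritten. It assumes the modern glibc `struct utmp` layout (384-byte records); the 1995 BSD/SunOS wtmp formats differ. The sample wtmp bytes are constructed inline.

```python
"""Parse a wtmp file, list root logins, and flag truncated trailing data."""
import struct
from datetime import datetime, timezone

# glibc struct utmp layout (384 bytes): type, pid, line, id, user, host,
# exit status, session, tv_sec/tv_usec, addr_v6, padding.  Assumed layout;
# older BSD/SunOS wtmp records are laid out differently.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7    # a normal login session
DEAD_PROCESS = 8    # session ended


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Return (login_records, truncated).  Only USER_PROCESS entries are kept;
    truncated is True when the file length is not a multiple of UTMP_SIZE."""
    records = []
    full = len(data) - len(data) % UTMP_SIZE
    for off in range(0, full, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        if f[0] != USER_PROCESS:
            continue
        records.append({"user": _cstr(f[4]), "line": _cstr(f[2]),
                        "host": _cstr(f[5]), "time": f[9]})
    return records, full != len(data)


def root_logins(records):
    """Filter the parsed login records down to root sessions."""
    return [r for r in records if r["user"] == "root"]


def make_record(user, line, host, ts, ut_type=USER_PROCESS):
    """Build one constructed wtmp record for the demo input."""
    return struct.pack(UTMP_FMT, ut_type, 1234, line.encode(), b"ts/0",
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


# Constructed sample: one user login, one root login from a documentation-range
# address, the matching logout, then 100 stray bytes standing in for a cut tail.
SAMPLE_WTMP = (make_record("alice", "pts/0", "host-a.example", 787000000)
               + make_record("root", "pts/1", "198.51.100.7", 787003600)
               + make_record("root", "pts/1", "198.51.100.7", 787003700, DEAD_PROCESS)
               + b"\0" * 100)

if __name__ == "__main__":
    recs, truncated = parse_wtmp(SAMPLE_WTMP)
    for r in root_logins(recs):
        when = datetime.fromtimestamp(r["time"], timezone.utc)
        print(f"root login on {r['line']} from {r['host']} at {when:%Y-%m-%d %H:%M}Z")
    if truncated:
        print("warning: wtmp length is not a multiple of the record size")
```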