[unisog] FWD: [from EDUCAUSE SECURITY list] Multiple UNIX compromises at Stanford (and UCSD)

Lois Lehman LOIS.LEHMAN at asu.edu
Fri Apr 9 16:25:48 GMT 2004


David, I just had the privilege of visiting a Linux box that had been
compromised with the do_brk exploit.  I wish I had seen your message
sooner.  For whatever reason, the messages from unisog at sans.org are
being delayed in delivery to my e-mail account.

I'll get the word out to our campus now to alert them to this activity.

Thanks!

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139


-----Original Message-----
From: David Foster [mailto:foster at ncmir.ucsd.edu] 
Sent: Wednesday, April 07, 2004 10:20 AM
To: unisog at sans.org
Subject: [unisog] FWD: [from EDUCAUSE SECURITY list] Multiple UNIX
compromises at Stanford (and UCSD)


Anyone seeing signs of this on their Solaris and Linux systems?

Apparently we're seeing it at UCSD, though not within my own lab
so I can't comment on it.

Dave Foster

------- Forwarded Message

Date:         Tue, 6 Apr 2004 17:45:08 -0700
From: "Dr. Tina Bird" <tbird65 at stanford.edu>
To: SECURITY at LISTSERV.EDUCAUSE.EDU
Subject: [SECURITY] FW: Multiple UNIX compromises at Stanford

> -----Original Message-----
> From: owner-first-teams at first.org 
> [mailto:owner-first-teams at first.org] On Behalf Of Dr. Tina Bird
> Sent: Tuesday, April 06, 2004 5:41 PM
> To: first-teams at first.org
> Subject: Multiple UNIX compromises at Stanford
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hi all -- Rather more disturbing to this old UNIX geek than 
> the rapid spread of Phatbot and its relatives is the 
> widespread, apparently co-ordinated attack being seen 
> targeting Linux and Solaris systems in higher education and 
> research organizations.  I've just released the following 
> alert to Stanford; please feel free to distribute the 
> information to your UNIX system administrators and other 
> interested parties.
> 
> The full text of this Security Alert is on line at
> http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html

Stanford, along with a large number of research institutions and high
performance computing centers, has become a target for some sophisticated
Linux and Solaris attacks. An unknown attacker (or group) has compromised
numerous multi-user Solaris and Linux computers on Stanford's campus using a
variety of mechanisms. In most cases, the attacker gets access to a machine
by cracking or sniffing passwords. Local user accounts are escalated to root
privileges by triggering a variety of local exploits, including the do_brk()
and mremap() exploits on Linux and the arbitrary kernel loading modules and
passwd vulnerabilities on Solaris.

If you manage multi-user Linux or Solaris systems, please read the alert
referenced above and take the appropriate action to protect your systems and
your users.

cheers?  tbird

- - --
Dr. Tina Bird
Information Security Services, Stanford University

http://securecomputing.stanford.edu/alert.html
http://www.loganalysis.org
http://vpn.shmoo.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)
Comment: Made with pgp4pine 1.76

iD8DBQFAc04dcoaZZ4u5dCIRAvL5AKDyN9OJAq6cp5vsnQP5VU8MQcw2rACfWSI+
fogoa1PK3od2vW9xajWuGZg=
=wT09
-----END PGP SIGNATURE-----


Participation and subscription information for this EDUCAUSE Discussion Group
discussion list can be found at http://www.educause.edu/cg/.

------- End of Forwarded Message


------------- End Forwarded Message -------------




  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   David Foster    National Center for Microscopy and Imaging Research
    Programmer/Analyst       University of California, San Diego
    dfoster[at]ucsd[dot]edu  Department of Neuroscience, Mail 0608
    (858) 534-7968           http://ncmir.ucsd.edu/
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

   "The reasonable man adapts himself to the world; the unreasonable one
   persists in trying to adapt the world to himself.  Therefore, all
   progress depends on the unreasonable."   -- George Bernard Shaw


