From: Hironori Ito (hito@rcf.rhic.bnl.gov)
Date: Fri Apr 04 2003 - 14:42:49 EST
Hello. I just got a warning that a password (or many passwords) at CERN has been sniffed (stolen) during the period of March 18-30. If you logged on to a CERN machine during that time, it is advised to change your password for your BNL account (as well as anywhere else). For more detail, including a way to find out if your system is affected, read below.

Hiro

> >
> >It has become apparent that a major security break-in is affecting the
> >CERN site.
> >It is also likely that our collaborating sites are affected. I give
> >details below.
> >
> >We have recently discovered several compromised Linux systems running
> >the "SucKIT" rootkit and collecting passwords typed by connected users.
> >From the system files we believe the compromises happened between
> >18 - 30 March 2003, most likely using the ptrace exploit fixed in the
> >most recent linux kernel versions.
> >
> >We strongly suggest that you check linux systems on your sites for the
> >SucKIT rootkit. This rootkit can be very difficult to detect. The
> >particular versions seen at CERN have been detected with the recipe
> >below.
> >
> >We have contacted users whose passwords have been found, but now suspect
> >that other systems, since upgraded, were also compromised at that time.
> >For these we have no knowledge of passwords possibly collected. We
> >therefore advise you to warn users connected from/to CERN between
> >18-30 March to change their passwords both at your site as well as at
> >CERN. It would obviously be wise to first check your systems for the
> >SucKIT rootkit.
> >
> >Thanks for your collaboration.
> >
> >Denise Heagerty,
> >CERN Computer Security Officer.
> >
> >Recipe to check for the SucKIT rootkit
> >--------------------------------------
> >
> >Here is a simple recipe to detect the SucKIT rootkit, as it has been
> >found on CERN machines. It may miss some other types of installations
> >but it should produce no false positive.
> >(The URL for the rootkit is at http://sd.g-art.nl/sk).
> >
> >Just run:
> >
> > # ls -li /sbin/init /sbin/telinit
> >
> >Here is the output on a normal machine:
> >
> > 304579 -rwxr-xr-x 1 root root 26920 Mar 14 2002 /sbin/init*
> > 304587 lrwxrwxrwx 1 root root 4 Dec 2 13:18 /sbin/telinit -> init*
> >
> >Here is the output on a compromised machine:
> >
> > 85133 -rwxr-xr-x 1 root root 25636 Mar 26 20:03 /sbin/init
> > 85133 -rwxr-xr-x 1 root root 25636 Mar 26 20:03 /sbin/telinit
> >
> >In the second case, telinit is a real file (not a symlink) and its
> >time is the time of the rootkit installation. Note also the incorrect
> >information: both files have the same inode number but a reference
> >count of one; this comes from the kernel module hiding the real
> >information.
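The recipe above can be turned into a repeatable check. The script below is an added example written for this archive page, not CERN's own tool: it parses the same `ls -li` fields (inode, mode, link count) and flags a `telinit` that is a regular file instead of a symlink, calling out the impossible case where two names share one inode yet report a link count of 1. The decision logic is kept in its own function so the numbers from the advisory can be fed in directly; the wrapper defaults to `/sbin/init` and `/sbin/telinit`.

```shell
#!/bin/sh
# Added SucKIT symptom check based on the CERN recipe (example code, not CERN's).

# classify_init_telinit TELINIT_TYPE INIT_INODE INIT_LINKS TELINIT_INODE TELINIT_LINKS
# TELINIT_TYPE is the first character of the ls mode field ('l' = symlink,
# '-' = regular file). Prints a verdict; returns 0 = normal, 1 = suspicious.
classify_init_telinit() {
    tel_type=$1; init_ino=$2; init_links=$3; tel_ino=$4; tel_links=$5
    if [ "$tel_type" = "l" ]; then
        echo "ok: telinit is a symlink, as on a normal system"
        return 0
    fi
    if [ "$init_ino" = "$tel_ino" ]; then
        if [ "$init_links" -lt 2 ] || [ "$tel_links" -lt 2 ]; then
            # Two directory entries for one inode require a link count >= 2.
            # A count of 1 is the inconsistency the hiding kernel module produces.
            echo "SUSPICIOUS: init and telinit share inode $init_ino but report link counts $init_links/$tel_links"
            return 1
        fi
    fi
    echo "SUSPICIOUS: telinit is a regular file (inode $tel_ino), not a symlink to init"
    return 1
}

# check_init_telinit [INIT] [TELINIT]: read the fields from ls -ldi exactly as
# the recipe does and hand them to classify_init_telinit.
check_init_telinit() {
    init=${1:-/sbin/init}; telinit=${2:-/sbin/telinit}
    [ -e "$init" ] && [ -e "$telinit" ] || { echo "error: $init or $telinit missing"; return 2; }
    # ls -ldi prints: inode mode links owner group size date name.
    # Word splitting of the unquoted substitution is intentional here.
    set -- $(LC_ALL=C ls -ldi "$init");    init_ino=$1; init_links=$3
    set -- $(LC_ALL=C ls -ldi "$telinit"); tel_ino=$1;  tel_mode=$2; tel_links=$3
    classify_init_telinit "$(printf '%.1s' "$tel_mode")" \
        "$init_ino" "$init_links" "$tel_ino" "$tel_links"
}
```

Call `check_init_telinit` with no arguments on a live host to inspect `/sbin/init` and `/sbin/telinit`; the exit status (0 normal, 1 suspicious, 2 missing file) makes it usable from a cron job or a fleet-wide SSH loop.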
This archive was generated by hypermail 2.1.5 : Fri Apr 04 2003 - 14:46:56 EST