ITEM: I3143L

Intruder on the system. Security violation.


An intruder on our system walled a threatening message today.
The hacker broadcast the following message this morning:

        Beware of Cavalier!
        I've come to crash your pitiful system

Do you have to be root to use the 'wall' command?  What can I do 
to check the system for any damaging files or events that he may 
have done?  How can I secure my system?


Checked all the cron and at jobs.  
There was nothing unusual in cron.

Going into /etc/security/lastlog we can see that he came in on
tty1, which is the modem line.  The last time he logged in was
766165066 (which is the time in seconds since unix was created).  It
computes out to be about 23 minutes ago ( Subtracting it from the last
time I logged in and dividing by 60 to get minutes ).

We then tried to look at the /var/adm/wtmp, but it wasn't there.
We tried to view it with /usr/sbin/acct/fwtmp \< /var/adm/wtmp.
It said it couldn't find wtmp.  A few minutes later it couldn't 
find fwtmp.  We tried to use 'which fwtmp', but it couldn't find
'which' either.  

Also while we were on the system he ran 'ps -eaf' and saw that a 
root user was changing the password for guest.  There are some 
serious problems happening.  

I advised the customer to set up auditing and/or accounting, and 
have a current mksysb.

Beware of extra files with the setuid bit set.  Specially, any type
of shells.

Faxing the following:


*******  Call the FBI.  This is a serious crime.  ******* 


 I suggest you use 'find' to document his system today, run periodic
 'find's and compare results to 'find' files that are being modified.

 I suggest removing .rhosts and /etc/hosts.equiv from the system or at
 least limit and monitor their use aggressively.

 Turn on auditing and/or accounting.

 I refer you to the sysck command and /etc/security/sysck.cfg as an
 "audit" tool. Any information that you gather to be used as a benchmark
 should be removed from the system so that it is not tampered with by the

 There are some good publications on securing your system.

 I recommend the O' Reilly Practical UNIX Security book.  These are good 
 starts for the beginner.

 The book UNIX System Security by Rik Farrow, which is published by
 Addison-Wesley out of Reading, MA.

 I suggest that you look at RAXCOs security toolbox and a product called 
 Fortress.  The information below is accurate as of April 22, 1994. 

 AXCO Security Toolkit

 Los Altos Technology 
 This product is currently caught up in the legal system.
 The company that owns the rights to it (Woodside) is going bankrupt.
 The phone number listed is for Los Altos Technology which is the
 company that actually wrote the application.

 Stalker security software is a system accountability tool that manages
 system audit files, generates standard reports on user activities and
 resource access, and detects misuses and intrusions. It also has a
 query function to filter through voluminous audit trail data for
 specified activities. Stalker's graphical user interface is designed
 to follow the natural workflow of a typical audit configuration and
 analysis session.
 For further information, please contact:

      Sid Covington
      Sales Manager
      Haystack Labs
      8920 Business Park Drive
      Austin, TX 78759

      (512) 343-2552 (voice)
      (512) 794-9997 (fax)

 ** Stalker is a trademark of Haystack Labs, Inc.

 A few other references for you:

 American Society for Industrial Security 1655 North Fort Meyer Drive -
 Suite 1200 Arlington, VA 22209 (703)522-5800

 Computer Security Buyer's Guide from CSI Computer Security Institute
 600 Harrison Street San Francisco, CA 94107 (415)267-7666

 Computer Emergency Response Team (CERT) I know they put out bulletins,
 but have you called them? (412)268-7090.

 You may want to try and get COPS.  COPS, according to Practical UNIX
 Security, " a collection of shell scripts and C programs that
 perform checks of your system to determine whether certain weaknesses
 are present."  Practical UNIX Security outlines some of the checks it
 makes.  You can get a white paper called "The COPS Security Checker
 System," by Dan Farmer and Eugene H. Spafford by writing a copy of
 technical report CSD-TR-993 at

        Technical Reports         Department of Computer Sciences
        Purdue University         West Lafayette, IN 47907-1398

 COPS can be obtained via anonymous FTP from


 Beware of extra files with the setuid bit set.  Specially, any type
 of shells.

 1.  Change root password to a non-word (ex. b4ugo), but do not write
     it down.
 2.  Dissable tty logins.
 3.  Read some of the security books listed above.
 4.  Look into security software.
 5.  Read up on the 'sysck' command.  It is a helpful command, but be 
     careful, if you use it wrong it could cause problems.
 6.  Check the 'cron' and 'at' jobs.

The customer said that the modem line has been changed, as well as the
root password.  He hasn't heard of any other problems since.

I cautioned him that the hacker could have setup many backdoors into the
system, during the time he had root access.  

I would suggest reinstalling the system.

Support Line: Intruder on the system. Security violation. ITEM: I3143L
Dated: July 1994 Category: N/A
This HTML file was generated 99/06/24~13:30:45
Comments or suggestions? Contact us