[UCI-Linux] "Dr. Tina Bird": [SECURITY] FW: Multiple UNIX compromises at Stanford

Mike Iglesias IGLESIAS@uci.edu
Tue, 06 Apr 2004 20:20:23 -0700


Please make sure all your Linux systems are up to date on security patches
so you won't get hit by this.

------- Forwarded Message

Date:         Tue, 6 Apr 2004 17:45:08 -0700
From: "Dr. Tina Bird" <tbird65@stanford.edu>
Subject: [SECURITY] FW: Multiple UNIX compromises at Stanford
To: SECURITY@LISTSERV.EDUCAUSE.EDU

> -----Original Message-----
> From: owner-first-teams@first.org 
> [mailto:owner-first-teams@first.org] On Behalf Of Dr. Tina Bird
> Sent: Tuesday, April 06, 2004 5:41 PM
> To: first-teams@first.org
> Subject: Multiple UNIX compromises at Stanford
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hi all -- Rather more disturbing to this old UNIX geek than 
> the rapid spread of Phatbot and its relatives is the 
> widespread, apparently co-ordinated attack being seen 
> targeting Linux and Solaris systems in higher education and 
> research organizations.  I've just released the following 
> alert to Stanford; please feel free to distribute the 
> information to your UNIX system administrators and other 
> interested parties.
> 
> The full text of this Security Alert is on line at 
> <http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html>.

Stanford, along with a large number of research institutions and high
performance computing centers, has become a target for some sophisticated
Linux and Solaris attacks. An unknown attacker (or group) has compromised
numerous multi-user Solaris and Linux computers on Stanford's campus using a
variety of mechanisms. In most cases, the attacker gets access to a machine
by cracking or sniffing passwords. Local user accounts are escalated to root
privileges by triggering a variety of local exploits, including the do_brk()
and mremap() exploits on Linux and the arbitrary kernel loading modules and
passwd vulnerabilities on Solaris.

If you manage multi-user Linux or Solaris systems, please read the alert
referenced above and take the appropriate action to protect your systems and
your users.

cheers?  tbird

- - - --
Dr. Tina Bird
Information Security Services, Stanford University

http://securecomputing.stanford.edu/alert.html
http://www.loganalysis.org
http://vpn.shmoo.com

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)
Comment: Made with pgp4pine 1.76

iD8DBQFAc04dcoaZZ4u5dCIRAvL5AKDyN9OJAq6cp5vsnQP5VU8MQcw2rACfWSI+
fogoa1PK3od2vW9xajWuGZg=
=wT09
- -----END PGP SIGNATURE-----



------- End of Forwarded Message