lees@frith.egr.msu.edu (John Lees) (01/15/90)
We recently had a break-in on an HP 9000/320 that resulted in the lawbreaker having two bogus accounts, one of them a root account, from which s/he then proceeded to attack other machines on the Internet.

The lawbreaker was clearly experienced and left very little evidence. I believe the break-in probably occurred via ftp (the machine was set up as an anonymous ftp server) because little else was running on this machine (no YP, no NFS, no sendmail). We were running HP-UX 6.2 on this machine.

Are there sources of known security holes in HP-UX (and patches to same)?

Would upgrading this machine to a 6.5 or 7.0 "secure" machine offer me any hope that the same method could not be used to break in again?

If you have something juicy to tell me you can reach me securely (as securely as anything these days) via root@frith.egr.msu.edu. I will summarize responses (discreetly) in a subsequent posting.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
John Lees, Manager of Systems and Network Software Services
A. H. Case Center for Computer Aided Engineering & Manufacturing
College of Engineering, 236 Engineering Building
Michigan State University, East Lansing, MI 48824-1226 USA
lees@frith.egr.msu.edu
...!uunet!frith!lees
lees@msuegr.bitnet
CompuServe 74106,1324
"Violence is the last refuge of the incompetent" - Salvor Hardin
markl@hpbbse.bbn.hp.com (Mark Lufkin) (01/17/90)
> We recently had a break-in on an HP 9000/320 that resulted in the lawbreaker
> having two bogus accounts, one of them a root account, from which s/he then
> proceeded to attack other machines on the Internet.
>
> The lawbreaker was clearly experienced and left very little evidence. I
> believe the break-in probably occurred via ftp (the machine was set up as
> an anonymous ftp server) because little else was running on this machine
> (no YP, no NFS, no sendmail). We were running HP-UX 6.2 on this machine.
>
> Are there sources of known security holes in HP-UX (and patches to same)?

There is no list of security holes in HP-UX (such things do not exist ... security holes, I mean :-) Anyway, what I would recommend here is that you remove . from your root PATH variable (if you have it in) as this is a known "feature".

> Would upgrading this machine to a 6.5 or 7.0 "secure" machine offer me any

Upgrading the system is not recommended. The recommended procedure is to install (you then have a completely new system with the correct permissions). The system should then be converted to a trusted system. The sys admin manuals have details of what to do. This is the recommended procedure.

> hope that the same method could not be used to break in again?

Still remove . from the path. Upgrade won't help.

> If you have something juicy to tell me you can reach me securely (as
> securely as anything these days) via root@frith.egr.msu.edu. I will
> summarize responses (discreetly) in a subsequent posting.

I do know this really nice ... BOOK called:

UNIX System Security
Wood and Kochan
Hayden Books
ISBN 0-8104-6267-2

Bye,
Mark.

Mark Lufkin, CPS-EMC Boeblingen, West Germany
Hewlett-Packard GmbH, Herrenberger Str. 130, D-7030 Boeblingen
HP-UX mail: markl@hpbbn, markl@hpbbse
HPDESK: HPB600/51
Phone: 0-7031-14-3633
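The advice above to take `.` out of root's PATH can be checked mechanically. The following POSIX sh script is an added example written for this thread, not code from Mark or from HP. It goes slightly beyond the post: besides an explicit `.` entry, it also flags empty entries (a leading colon, a trailing colon, or `::`), because the shell searches the current directory for those too. The function names `path_has_cwd` and `path_strip_cwd` are my own; the sample PATH strings are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original posts): audit a PATH string for
# entries that make the shell search the current working directory.
# Such an entry lets a planted binary in any directory root happens to
# be in shadow a real command, which is the "feature" the thread warns about.

# path_has_cwd PATHSTRING
#   Returns 0 (true) if PATHSTRING contains "." or an empty entry
#   (leading colon, trailing colon, or "::"), 1 otherwise.
path_has_cwd() {
    # Wrap in colons so every entry, including empty ones, reads ":entry:".
    wrapped=":$1:"
    case "$wrapped" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# path_strip_cwd PATHSTRING
#   Prints PATHSTRING with every "." and empty entry removed; the order of
#   the remaining entries is preserved.
path_strip_cwd() {
    rest="$1:"   # trailing colon: every entry now ends with ":"
    out=""
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"   # text before the first colon
        rest="${rest#*:}"     # drop that entry and its colon
        case "$entry" in
            ""|.) continue ;;  # skip current-directory entries
        esac
        out="${out:+$out:}$entry"
    done
    printf '%s\n' "$out"
}

# Constructed sample PATHs, as an admin might find them in root's profile.
BAD_PATH="/bin:/usr/bin:.:/etc"       # explicit "."
SUBTLE_PATH="/bin::/usr/bin:/etc"     # empty entry, same effect as "."
GOOD_PATH="/bin:/usr/bin:/etc"

# Report on the shell's own PATH when the script is run directly.
if path_has_cwd "$PATH"; then
    echo "WARNING: PATH searches the current directory: $PATH"
    echo "Suggested PATH: $(path_strip_cwd "$PATH")"
else
    echo "PATH does not search the current directory."
fi
```

Run it as root (or source it from a profile check) to see whether the login PATH still contains `.`; the cleaned value it prints can be pasted into `/.profile` once the entries it kept look right.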
jmc@hp-ses.SDE.HP.COM (Jerry McCollom) (01/18/90)
This may be a known security problem with the 6.2 ftpd which does indeed have a patch available. See your SE about getting a patch for the 6.2 ftpd.

> There is no list of security holes in HP-UX (such things do not
> exist ... security holes, I mean :-) Anyway, what I would
> recommend here is that you remove . from your root PATH variable
> (if you have it in) as this is a known "feature".

Your SE will know of patches and workarounds to known security problems. Having . in your PATH would not explain an ftp security hole.

Jerry McCollom
Hewlett Packard, Colorado Networks Division