[comp.virus] More on the CUPLVX Virus

John McMahon - NASA GSFC ADFTO - 301-286-2045 (09/21/89)

The following mail messages were posted to the INFO-VAX mailing list
in response to the message "Virus or Coincidence" posted by Tom Ivers
at the Columbia U. Plasma Physics Lab (IVERS@CUPLVX.APNE.COLUMBIA.EDU).
The message was posted to VIRUS-L in a previous issue.

Tom Ivers' original mail message indicated that the VAX that had the
problem was running VMS 4.5.  VMS 4.4 through 4.7 had a fairly nasty
security hole in it that DEC has subsequently patched.  Perhaps this
system wasn't patched?

Assuming the security hole wasn't patched, and LOGINOUT.EXE was
replaced then this type of attack has occurred before.  The last major
outbreak was when the Chaos Computer Club broke into machines on the
"World DECnet" (SPAN/HEPnet/Etc...) during the Summer of 1987.

***> From:         "FIDLER::LEVINE" <levine%fidler.decnet@NWC.NAVY.MIL>
***>
***>    I got your message from info-vax, and passed it on to other
***> system managers at NWC. One of them just called and said he had part of
***> your problem once. The user limit message is a micro VMS message only,
***> and he told me that the login problem was due to a bad floating point
***> unit on his 750. Apparently the password hashing subroutine (HPWD) uses
***> some Floating point instructions. He will be sending me a full
***> description of the problem next week which I will pass on to you.
***> As for the VIRUS stuff, he had no trace of that.
***> Michael N. LeVine  Naval Weapons Center, China Lake, Ca 93555, USA

***> From:         "Richard B. Gilbert" <dragon@NSCVAX.PRINCETON.EDU>
***>
***> I think you've been well and truly screwed.  The safest thing to do is
***> to scrub your disk and restore from a backup that you are certain is
***> clean.
***>
***> I have this horrible feeling that SYS$SYSTEM:LOGINOUT.EXE has been
***> patched or replaced.  Only extensive checking would reveal what else has
***> been tampered with.  You had better assume that any sensitive
***> information on your system has been compromised and that _anything_ may
***> have been tampered with!
***>
***> Even after you restore your system, you will still be vulnerable to a
***> repetition of the same attack!  You will need to read and heed the "Guide
***> to VMS Security".  You should probably have security alarm ACLs on
***> SYS$SYSTEM:SYSUAF.DAT, SYS$MANAGER:SYSTARTUP.COM or SYSTARTUP_V5.COM,
***> SYS$MANAGER:SYLOGIN.COM and perhaps a couple of other things.  This will
***> not prevent a breakin but it will make it tougher to do it tracelessly.
***> Check your modem lines if any.  Are they all set /MODEM /HANGUP /DIALUP?
***> If not, they provide a potential entry point for a cracker.
***>
***> Privileged accounts such as FIELD, and SYSTEST should be kept turned off
***> with /FLAGS=DISUSER and enabled only when needed.
***>
***> The default DECnet account also provides a potential point of entry.
***>
***> I'm real glad I'm not in your shoes.
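The hardening steps Gilbert lists (alarm ACLs on the key system files, modem
line settings, and disabling FIELD/SYSTEST) as a DCL command procedure. This
is an added example written for this posting, not commands from any of the
messages quoted above; the terminal names TXA0: and TXA1: are assumed
placeholders for whatever modem lines a given system actually has.

```dcl
$ ! Added example: VMS hardening steps from the "Guide to VMS Security".
$ ! TXA0:/TXA1: are assumed placeholders for the system's modem lines.
$ SET NOON
$ !
$ ! 1. Security alarm ACEs on the files an intruder would most want to
$ !    alter. Every successful or failed write, delete or control access
$ !    is reported to security operators. Alarm ACEs do nothing unless ACL
$ !    auditing is enabled, so enable it together with break-in alarms.
$ SET AUDIT/ALARM/ENABLE=(ACL,BREAKIN=ALL,LOGFAILURE=ALL)
$ ALARM_ACE = "(ALARM=SECURITY,ACCESS=WRITE+DELETE+CONTROL+SUCCESS+FAILURE)"
$ SET ACL/ACL='ALARM_ACE' SYS$SYSTEM:SYSUAF.DAT
$ SET ACL/ACL='ALARM_ACE' SYS$SYSTEM:LOGINOUT.EXE
$ SET ACL/ACL='ALARM_ACE' SYS$MANAGER:SYSTARTUP.COM
$ SET ACL/ACL='ALARM_ACE' SYS$MANAGER:SYLOGIN.COM
$ !
$ ! 2. Modem lines: hang up on logout, drop the process on carrier loss,
$ !    and flag the line as dialup so dialup break-in handling applies.
$ SET TERMINAL/PERMANENT/MODEM/HANGUP/DIALUP TXA0:
$ SET TERMINAL/PERMANENT/MODEM/HANGUP/DIALUP TXA1:
$ !
$ ! 3. Keep the privileged DEC service accounts disabled until needed.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY FIELD/FLAGS=DISUSER
MODIFY SYSTEST/FLAGS=DISUSER
SHOW FIELD
SHOW SYSTEST
EXIT
$ !
$ ! 4. Confirm the ACEs are in place and that this terminal will actually
$ !    receive the security alarms.
$ DIRECTORY/ACL SYS$SYSTEM:SYSUAF.DAT
$ REPLY/ENABLE=SECURITY
```

As Gilbert says, none of this stops a break-in by itself; the point of the
alarm ACEs is that a write to SYSUAF.DAT or a replaced LOGINOUT.EXE is
reported to a security operator terminal at the moment it happens, instead
of being discovered weeks later from a stray "USERS EXCEEDED" message.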

***> From:         "Kevin V. Carosso" <KVC%FRIDAY.A-T.COM@CUNYVM.CUNY.EDU>
***>
***> The fact that you are running VMS V4.5 and getting the "USERS EXCEEDED"
***> message is an important clue.  User limits for MicroVMS were enforced by
***> code in LOGINOUT.EXE.  When you upgraded your license on your MicroVAX,
***> say from 2 users to 8, DEC sent you a VMSINSTAL kit which patched
***> LOGINOUT.
***>
***> The fact that your 750 suddenly has a user limit of 2 (indeed any limit
***> at all) and is not running VMS V5 means that you may be running with a
***> LOGINOUT.EXE copied from a MicroVMS system.  One distinct possibility is
***> that someone took the LOGINOUT.EXE from a MicroVMS system, possibly
***> patched in their own trapdoor, and copied it to your 750 replacing the
***> standard SYS$SYSTEM:LOGINOUT.EXE.
***>
***> A couple of years ago there was a rash of breakins to VMS machines
***> characterized, in part, by patched LOGINOUT.EXE's being left behind.
***>
***> You should consider restoring LOGINOUT.EXE from tape.  You also might
***> want to save the suspicious one and check it out with ANALYZE/IMAGE
***> (which will report PATCH information unless the image was patched
***> without using the standard VMS PATCH utility).
***>
***>         /Kevin Carosso                        kvc@friday.a-t.com
***>          Innosoft                             kvc@ymir.bitnet
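Carosso's advice to save the suspicious LOGINOUT.EXE and run ANALYZE/IMAGE
on it, written out as a DCL procedure. This is an added example for this
posting, not part of Carosso's message; the [QUARANTINE] directory name is an
assumption, and the clean copy for comparison should come from the
distribution tape as he suggests.

```dcl
$ ! Added example: preserve and inspect a suspect LOGINOUT.EXE before
$ ! replacing it. SYS$SYSDEVICE:[QUARANTINE] is an assumed directory name.
$ SET NOON
$ CREATE/DIRECTORY SYS$SYSDEVICE:[QUARANTINE]
$ !
$ ! Record dates, sizes, owner, protection and ACL before anything touches
$ ! the file. A revision date later than the last VMS installation, or an
$ ! owner other than [SYSTEM], needs an explanation by itself.
$ DIRECTORY/DATE=ALL/SIZE=ALL/OWNER/PROTECTION/ACL -
     /OUTPUT=SYS$SYSDEVICE:[QUARANTINE]LOGINOUT_DIR.LIS -
     SYS$SYSTEM:LOGINOUT.EXE
$ !
$ ! Keep a copy for analysis. COPY leaves the original and its dates in
$ ! place; do not RENAME or DELETE it until the evidence is recorded.
$ COPY SYS$SYSTEM:LOGINOUT.EXE SYS$SYSDEVICE:[QUARANTINE]LOGINOUT_SUSPECT.EXE
$ !
$ ! Dump the image header and the patch text. An image modified with the
$ ! VMS PATCH utility carries a patch record; an image altered any other
$ ! way (e.g. a rebuilt or foreign MicroVMS image) does not, so an empty
$ ! patch section proves nothing on its own. The header's link date and
$ ! image identification can still be checked against the distribution.
$ ANALYZE/IMAGE/HEADER/PATCH_TEXT -
     /OUTPUT=SYS$SYSDEVICE:[QUARANTINE]LOGINOUT_ANALYSIS.LIS -
     SYS$SYSDEVICE:[QUARANTINE]LOGINOUT_SUSPECT.EXE
$ TYPE SYS$SYSDEVICE:[QUARANTINE]LOGINOUT_ANALYSIS.LIS
```

The listing is what to compare against a LOGINOUT.EXE taken from the
distribution tape: a different image identification, link date or file size
confirms Carosso's suspicion that the 750 is running a LOGINOUT.EXE that did
not come with its own VMS kit.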

/------------------------------------+---------------------------------------\
|John "Fast Eddie" McMahon           |    Span: SDCDCL::FASTEDDY (Node 6.9)  |
|Advanced Data Flow Technology Office|    Arpa: FASTEDDY@DFTNIC.GSFC.NASA.GOV|
|Code 630.4 - Building 28/W255       |  Bitnet: FASTEDDY@DFTBIT              |
|NASA Goddard Space Flight Center    |GSFCmail: JMCMAHON                     |
|Greenbelt, Maryland 20771           |   Phone: 301-286-2045 (FTS: 888-2045) |
+------------------------------------+---------------------------------------+
|Invest heavily in SPAM futures...                                           |
\----------------------------------------------------------------------------/