A complete revision history is at the end of this file.
The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information regarding a significant intrusion incident on the Internet. Systems administrators should be aware that many systems on the Internet have been compromised due to this activity. To identify whether your systems have been affected by the activity we recommend that all system administrators check for the signs of intrusion detailed in this advisory.
This advisory describes the activities that have been identified as part of this particular incident. This does not address the possibility that systems may have been compromised due to other, unrelated intrusion activity.
Check for the presence of any of the following files:
"/usr/etc/..." (dot dot dot), "/var/crash/..." (dot dot dot), "/usr/etc/.getwd", "/var/crash/.getwd", or "/usr/kvm/..." (dot dot dot).
Check for the presence of "+" in the "/etc/hosts.equiv" file.
Check the home directory for each entry in the "/etc/passwd" file for the presence of a ".rhosts" file containing "+ +" (plus space plus).
Search the system for the presence of the following set-uid root files: "wtrunc" and ".a".
Check for the presence of the set-uid root file "/usr/lib/lpx".
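The checks listed above, collected into one POSIX shell function, as an added example that is not part of the original advisory and is not CERT/CC's own code. The function name `check_signs`, its optional root-prefix argument and the `FOUND` output format are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not CERT/CC's code): the advisory's checks as one function.
# check_signs [ROOT] prints one "FOUND ..." line per sign. ROOT is an assumed
# optional prefix (e.g. a mounted disk image); empty means the live system.
check_signs() {
    root=${1:-}
    # Hidden files and directories named in the advisory.
    for p in '/usr/etc/...' '/var/crash/...' '/usr/etc/.getwd' \
             '/var/crash/.getwd' '/usr/kvm/...'; do
        if [ -e "$root$p" ]; then echo "FOUND file: $p"; fi
    done
    # A "+" entry in /etc/hosts.equiv (first field is exactly "+").
    if [ -f "$root/etc/hosts.equiv" ] &&
       grep -Eq '^[[:space:]]*[+]([[:space:]]|$)' "$root/etc/hosts.equiv"; then
        echo "FOUND plus entry: /etc/hosts.equiv"
    fi
    # "+ +" in the .rhosts of every home directory listed in /etc/passwd.
    if [ -f "$root/etc/passwd" ]; then
        cut -d: -f6 "$root/etc/passwd" | sort -u | while IFS= read -r home; do
            f="$root$home/.rhosts"
            if [ -n "$home" ] && [ -f "$f" ] &&
               grep -Eq '^[[:space:]]*[+][[:space:]]+[+][[:space:]]*$' "$f"; then
                echo "FOUND plus-plus entry: $home/.rhosts"
            fi
        done
    fi
    # Set-uid files named "wtrunc" or ".a" anywhere under ROOT. The owner is
    # not filtered here, so confirm root ownership of each hit with ls -l.
    find "$root/" -type f \( -name wtrunc -o -name .a \) -perm -4000 \
        -exec echo "FOUND set-uid file:" {} \; 2>/dev/null || true
    # The set-uid file /usr/lib/lpx.
    if [ -u "$root/usr/lib/lpx" ]; then echo "FOUND set-uid file: /usr/lib/lpx"; fi
    return 0
}
```

Call `check_signs` with no argument to scan the live system, or pass the mount point of an offline copy of the disk.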
Replace any modified binaries with copies from distribution media.
Remove the "+" entry from the "/etc/hosts.equiv" file and the "+ +" (plus space plus) entry from any ".rhosts" files.
Remove any of the set-uid root files that you find, which are mentioned in A5 or A6 above.
Change every password on the system.
Inspect the files mentioned in A2 above for references to other hosts.
Copyright 1992 Carnegie Mellon University.
September 19, 1997 Attached Copyright Statement