Scans to Port 1/tcpmux and unpassworded SGI accounts
Wednesday, May 13, 1998
For the past couple of weeks we have received reports of widespread scans of TCP port 1. The service assigned to TCP port 1 is tcpmux, the TCP port service multiplexer described in RFC 1078. We know that some of the scans originated from sites that had been root compromised.
We were able to obtain files from a site which was used to launch these scans which indicate that the intruder was scanning for IRIX machines. By default, IRIX systems have tcpmux enabled. Once the intruder had found a number of machines with a service running on port 1/tcpmux, another automated intruder tool was used to telnet to each of these machines and attempt to log in as guest, lp, and demos.
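For reference, the exchange the scanners were exercising, shown here as an added illustration rather than a tool recovered from the compromised sites: under RFC 1078 a client connects to port 1, sends a service name followed by CRLF, and the server answers with a line beginning "+" or "-" (or, for the reserved name HELP, a list of its service names, one per line) before handing the connection to the service. The Python below pairs a minimal tcpmux server with a probe client so the exchange can be run against localhost; the service names and banners are made up for the demonstration and do not reflect an actual IRIX configuration. The scans described above needed nothing this elaborate: an open port 1 was by itself taken as evidence of an IRIX host, and the HELP listing merely makes the fingerprint more certain.

```python
import socket
import threading

# Constructed service table for the local demonstration server. The names and
# banners are assumptions for illustration, not a real IRIX tcpmux configuration.
SERVICES = {
    "sgi_fam": b"fam: ready\r\n",
    "sgi_espd": b"espd: ready\r\n",
}


def _read_line(conn, limit=256):
    """Read one CRLF-terminated line (bounded) from a connected socket."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        byte = conn.recv(1)
        if not byte:
            break
        buf += byte
    return buf.rstrip(b"\r\n")


def handle_client(conn):
    """Server side of RFC 1078: read a service-name line, answer '+' or '-'.

    'HELP' is reserved by the RFC: the server lists its service names, one per
    line, then closes. On '+' the connection would be handed to the service;
    here that is emulated with a canned banner.
    """
    with conn:
        name = _read_line(conn).decode("ascii", "replace")
        if name.upper() == "HELP":
            conn.sendall(b"".join(n.encode("ascii") + b"\r\n" for n in SERVICES))
            return
        # Service names are case-insensitive per the RFC.
        match = next((n for n in SERVICES if n.lower() == name.lower()), None)
        if match is None:
            conn.sendall(b"-no such service\r\n")
            return
        conn.sendall(b"+\r\n" + SERVICES[match])


def start_server(host="127.0.0.1"):
    """Start the demo tcpmux server on an ephemeral port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by the caller
                return
            handle_client(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def tcpmux_probe(host, port=1, service="HELP", timeout=3.0):
    """Client side: connect, send the service name + CRLF, read until close.

    Returns {'state': 'closed'|'timeout'|'reply', 'raw': bytes, ...}; a reply
    to HELP adds 'services', a reply to any other name adds 'accepted'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(service.encode("ascii") + b"\r\n")
            chunks = []
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except ConnectionRefusedError:
        return {"state": "closed", "raw": b""}
    except (socket.timeout, OSError):
        return {"state": "timeout", "raw": b""}
    raw = b"".join(chunks)
    result = {"state": "reply", "raw": raw}
    if service.upper() == "HELP":
        result["services"] = [line.decode("ascii", "replace")
                              for line in raw.split(b"\r\n") if line]
    else:
        # The first byte of the reply is the verdict: '+' accepted, '-' refused.
        result["accepted"] = raw.startswith(b"+")
    return result


if __name__ == "__main__":
    srv, port = start_server()
    print(tcpmux_probe("127.0.0.1", port, "HELP"))
    print(tcpmux_probe("127.0.0.1", port, "SGI_FAM"))
    print(tcpmux_probe("127.0.0.1", port, "nosuch"))
    srv.close()
```

Against a real host the probe is called with the default port 1; a "closed" or "timeout" result is what non-IRIX systems, which do not enable tcpmux by default, normally return. Blocking port 1 at the network perimeter, or disabling tcpmux in inetd where it is not needed, removes the fingerprint but not the underlying problem of unpassworded accounts.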
In addition to the above incident, we have noticed an increase in the number of reports of IRIX root compromises over the past few weeks. We have also received numerous independent reports of widespread failed login attempts to lp, guest, demos, OutOfBox, and EZsetup accounts.
We have been in communication with SGI about this issue. At this time there does not appear to be any vulnerability in the SGI implementation of tcpmux or in any service provided through tcpmux. In the incident described above, the open port served only to identify IRIX hosts; the login attempts that followed targeted the unpassworded default accounts.
IRIX systems ship by default with unpassworded accounts. Beginning with IRIX 6.3, a security tool offered at installation time makes it easy to disable these accounts or assign them passwords. Please refer to the following advisories for more information about this issue:
We strongly encourage you to ensure that the full set of security patches for each of your systems is applied. This is a major step in defending your systems from attack, and its importance cannot be overstated.
We encourage you to check with your vendor regularly for any updates or new patches that relate to your systems. We also encourage you to ensure that you are up to date with patches and workarounds referenced in CERT advisories.
IRIX patches are available from:
If your IRIX machine has unpassworded accounts, then in addition to disabling them (or assigning them passwords), we encourage you to inspect the system for signs of intrusion, since anyone who could reach it over the network could have logged in. For instructions on how to do this please refer to the "Recovering from an Incident" web page.
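As an added example, not from SGI or from the original note, the following Python checks a passwd file (and, where the system uses one, its shadow file) for accounts whose password field is empty, which is the condition the telnet logins above were exploiting. The samples embedded in the block are constructed: the account names match those in the reports above, but the UIDs, GECOS strings, home directories and hashes are illustrative and do not reproduce an actual IRIX distribution file.

```python
# Constructed /etc/passwd sample in the traditional 7-field format. The
# accounts with an empty second field are the ones this note warns about;
# UIDs, GECOS strings and home directories are illustrative, not an actual
# IRIX distribution file.
SAMPLE_PASSWD = """\
root:Xy1.abcdefghi:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
OutOfBox::995:997:Out of Box Experience:/usr/people/OutOfBox:/bin/csh
EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
alice:Ab9/def.ghijk:1001:20:Alice:/usr/people/alice:/bin/sh
"""

# The same idea after shadowing: passwd carries 'x' and the hash lives in the
# shadow file, so the check has to look there too. Also constructed.
SAMPLE_PASSWD_SHADOWED = """\
root:x:0:0:Super-User:/:/bin/csh
lp:x:9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest:x:998:998:Guest Account:/usr/people/guest:/bin/csh
"""
SAMPLE_SHADOW = """\
root:Xy1.abcdefghi:10300::::::
lp:Lp2.qrstuvwxy:10300::::::
guest::10300::::::
"""

# Accounts named in the failed-login reports above.
DEFAULT_IRIX_ACCOUNTS = {"lp", "guest", "demos", "OutOfBox", "EZsetup"}


def parse_colon_file(text):
    """Map user name -> field list for passwd/shadow-style files."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def find_unpassworded(passwd_text, shadow_text=None):
    """Return accounts whose effective password field is empty.

    An empty field means login succeeds with no password at all. A field of
    'x' defers to the shadow file, where an empty field means the same thing.
    Locked markers such as '*' are not flagged: no password can match them.
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text) if shadow_text else {}
    findings = []
    for user, fields in passwd.items():
        if len(fields) < 7:
            continue  # malformed line; skip rather than guess
        secret = fields[1]
        if secret == "x" and user in shadow and len(shadow[user]) > 1:
            secret = shadow[user][1]
        if secret == "":
            findings.append({
                "user": user,
                "uid": int(fields[2]),
                "shell": fields[6],
                "default_account": user in DEFAULT_IRIX_ACCOUNTS,
            })
    return findings


if __name__ == "__main__":
    try:
        with open("/etc/passwd") as f:
            passwd_text = f.read()
    except OSError:
        passwd_text = SAMPLE_PASSWD  # fall back to the constructed sample
    try:
        with open("/etc/shadow") as f:
            shadow_text = f.read()
    except OSError:
        shadow_text = None  # not root, or no shadow file on this system
    for hit in find_unpassworded(passwd_text, shadow_text):
        tag = " (IRIX default account)" if hit["default_account"] else ""
        print("%s uid=%d shell=%s%s" % (hit["user"], hit["uid"], hit["shell"], tag))
```

Run as root so the shadow file is readable; an account reported here with a login shell other than /dev/null should be given a password or disabled before the host is put back on the network, and the "uid" column is worth a glance for any unexpected entry with uid 0.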
Copyright 1998 Carnegie Mellon University.