The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.<p>
<h2>Scans to Port 1/tcpmux and unpassworded SGI accounts</h2>

Wednesday, May 13, 1998<p>

For the past couple of weeks we have received reports of
widespread scans to TCP port 1. The service assigned to TCP port 1 is
tcpmux (for more information see RFC 1078). We know that some of the scans
originated from sites that had themselves been root-compromised.<p>

We were able to obtain files from a site which was used to launch
these scans which indicate that the intruder was scanning for IRIX
machines. By default, IRIX systems have tcpmux enabled. Once the
intruder had found a number of machines with a service running on port
1/tcpmux, another automated intruder tool was used to telnet to each
of these machines and attempt to log in as guest, lp, and demos.<p>

In addition to the above incident, we have noticed an increase in the
number of reports of IRIX root compromises over the past few weeks. We
have also received numerous independent reports of widespread failed
login attempts to lp, guest, demos, OutOfBox, and EZsetup accounts.<p>
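The pattern described above (a connection to port 1/tcpmux followed by login attempts against the default accounts) is something a site can look for in its own logs. The following is an added example, not part of the CERT note and not a tool from SGI or CERT: it walks a small set of constructed log lines, counts tcpmux connections and failed logins to the default account names per source host, and reports the hosts that did both. The log format (tcp_wrappers-style "connect from" lines and a "LOGIN FAILURE FROM host, user" line) is an assumption made for the example; real IRIX syslog output may differ, so adjust the regular expressions to your own log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines for the example; not copied from any real host.
# The format is assumed (tcpd "connect from" lines and login failures).
SAMPLE_LOG = """\
May 13 03:12:01 irix1 tcpd[1021]: tcpmux: connect from 192.0.2.10
May 13 03:12:02 irix1 tcpd[1022]: tcpmux: connect from 192.0.2.10
May 13 03:12:40 irix1 login[1044]: LOGIN FAILURE FROM 192.0.2.10, guest
May 13 03:12:41 irix1 login[1045]: LOGIN FAILURE FROM 192.0.2.10, lp
May 13 03:12:42 irix1 login[1046]: LOGIN FAILURE FROM 192.0.2.10, demos
May 13 03:15:00 irix1 tcpd[1050]: ftpd: connect from 198.51.100.7
May 13 03:16:10 irix1 login[1060]: LOGIN FAILURE FROM 198.51.100.7, alice
May 13 03:20:00 irix1 tcpd[1070]: tcpmux: connect from 203.0.113.9
"""

# Account names named in the incident note as targets of the login attempts.
DEFAULT_ACCOUNTS = {"guest", "lp", "demos", "OutOfBox", "EZsetup"}

# Assumed log formats; adapt these two patterns to the real log layout.
CONNECT_RE = re.compile(r"tcpd\[\d+\]: (?P<service>\S+): connect from (?P<host>\S+)")
LOGIN_FAIL_RE = re.compile(r"LOGIN FAILURE FROM (?P<host>[^,]+), (?P<user>\S+)")


def summarize(log_text):
    """Per source host: number of tcpmux connects, number of failed logins
    to default accounts, and which default account names were tried."""
    stats = defaultdict(lambda: {"tcpmux_connects": 0,
                                 "default_account_failures": 0,
                                 "users": set()})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and m.group("service") == "tcpmux":
            stats[m.group("host")]["tcpmux_connects"] += 1
            continue
        m = LOGIN_FAIL_RE.search(line)
        if m and m.group("user") in DEFAULT_ACCOUNTS:
            entry = stats[m.group("host")]
            entry["default_account_failures"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)


def suspicious_hosts(log_text):
    """Hosts that probed tcpmux and then tried the default accounts,
    which is the sequence the automated tool in the note followed."""
    return sorted(host for host, s in summarize(log_text).items()
                  if s["tcpmux_connects"] > 0 and s["default_account_failures"] > 0)


if __name__ == "__main__":
    for host, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host}: tcpmux connects={s['tcpmux_connects']}, "
              f"default-account failures={s['default_account_failures']}, "
              f"accounts tried={sorted(s['users'])}")
    print("hosts matching the scan-then-login pattern:", suspicious_hosts(SAMPLE_LOG))
```

On the constructed input only 192.0.2.10 matches both halves of the pattern; 203.0.113.9 only touched tcpmux and the failed login for a non-default account from 198.51.100.7 is ignored. A host that appears in the tcpmux list alone is still worth a look, since the note says the login attempts came from a second tool and may have been logged elsewhere.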

We have been in communication with SGI about this issue. At this time
there does not appear to be any vulnerability in the SGI
implementation of tcpmux or any service provided through tcpmux.<p>

IRIX machines ship by default with unpassworded accounts. As of IRIX
6.3 there is a security tool to easily disable or add passwords to
these accounts at installation time. Please refer to the following
advisories for more information about this issue:<p>
<ul>
<li><a href="ftp://sgigate.sgi.com/security/19951002-01-I">ftp://sgigate.sgi.com/security/19951002-01-I</a></li>
<li><a href="http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html">http://www.cert.org/advisories/CA-95.15.SGI.lp.vul.html</a></li>
</ul><p>
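Finding the unpassworded accounts the note refers to comes down to looking for an empty password field in the password file. The script below is an added example, not from CERT or SGI: it parses a constructed /etc/passwd excerpt (the user names are the ones mentioned in the note; the uids, home directories and hash strings are made up), lists every account whose password field is empty, and produces a copy in which those fields are replaced by "*", which no password hash can match and so disables password login. On a real system use the vendor's account tools (the IRIX 6.3 security tool the note mentions, or the passwd command) rather than editing the file by hand; if the system keeps hashes in a shadow file, run the check on that file, since the passwd field will then hold a placeholder rather than the real value.

```python
# Constructed sample /etc/passwd content for the example; not copied from a
# real IRIX host. Hashes, uids and home directories are made up.
SAMPLE_PASSWD = """\
root:x9Kq3rLm2aB1c:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
OutOfBox::995:997:Out of Box Experience:/usr/people/OutOfBox:/bin/csh
EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
alice:Hq7sDf9pLw2eM:1001:20:Alice:/usr/people/alice:/bin/csh
"""


def parse_passwd(text):
    """Split a passwd-format file into its seven colon-separated fields,
    skipping blank and comment lines and rejecting malformed entries."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append(fields)
    return entries


def unpassworded_accounts(text):
    """Names of accounts whose password field is empty (login with no password)."""
    return [fields[0] for fields in parse_passwd(text) if fields[1] == ""]


def locked_accounts(text):
    """Names of accounts already disabled with '*' in the password field."""
    return [fields[0] for fields in parse_passwd(text) if fields[1] == "*"]


def lock_unpassworded(text):
    """Return a copy of the file with every empty password field set to '*'.
    '*' is not a possible crypt(3) output, so password login is disabled."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[1] == "":
            fields[1] = "*"
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("unpassworded:", unpassworded_accounts(SAMPLE_PASSWD))
    hardened = lock_unpassworded(SAMPLE_PASSWD)
    print("after locking:", unpassworded_accounts(hardened))
    print(hardened)
```

The check deliberately treats only an empty field as "unpassworded"; an account such as nobody with "*" is already disabled and is left alone. Run the listing before and after applying the vendor tool to confirm that each of lp, guest, demos, OutOfBox and EZsetup has either been removed, locked, or given a real password.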

We strongly encourage you to ensure that the full set of security
patches for each of your systems is applied. This is a major step in
defending your systems from attack, and its importance cannot be
overstated.<p>

We encourage you to check with your vendor regularly for any updates
or new patches that relate to your systems. We also encourage you to
ensure that you are up to date with patches and workarounds referenced
in CERT advisories.<p>

IRIX patches are available from:<p>
<ul>
<li><a href="http://www.sgi.com/support/security/index.html">http://www.sgi.com/support/security/index.html</a></li>
</ul><p>
<b>If your IRIX machine has unpassworded accounts</b>, then aside from
disabling (or adding password protection to) accounts which do not
have passwords, we encourage you to inspect your system for signs of
intrusion. For instructions on how to do this please refer to the "<a href="http://www.cert.org/nav/recovering.html">Recovering from an
Incident</a>" web page.<p>
<p>Copyright 1998 Carnegie Mellon University.</p>