The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.<p>
<h2>Password Cracking Activity</h2>

DATE: Thursday, July 16, 1998<p>

In an incident recently reported to the CERT/CC, a very large
collection of password files was found on a compromised system.

<p>

In total, the intruder appears to have a list of 186,126 accounts and
encrypted passwords. At the time the password file collection was
discovered, the intruder had successfully guessed 47,642 of these
passwords by using a password-cracking tool.

<p>

Since most of the entries did not come from the site where the
collection was found, it appears that they were collected from other
sites by the intruder.  While some of the password files included
information identifying the site where the file originated, over
160,000 of the entries include only a userid and an encrypted
password.

<p>

If your site could have been identified as involved in this incident,
the system administrator of the compromised host would have already
contacted you regarding this activity.

<p>

The collection is reported to contain entries from at least one
password file that was originally shadowed.  The intruder is also
reported to have a collection of passwords that appear to have been
obtained using network sniffing software.  This list of passwords is
apparently being used as input to the password-cracking tool.

<p>

If you are interested in more information about protecting your
systems against password-cracking attacks, you may want to review our
Tech Tip on this topic:

<dl><dd><a href="http://www.cert.org/tech_tips/passwd_file_protection.html">
http://www.cert.org/tech_tips/passwd_file_protection.html</a></dd></dl>
<p><!--#include virtual="/include/footer_nocopyright.html" --> </p>
<p>Copyright 1998 Carnegie Mellon University.</p>
</p></p></p></p></p></p></p>