************************************************************************
DDN MGT Bulletin: 9401              DISA DDN Defense Communications System
04 Feb 1994                         Published by: DDN Network Info Center
                                    (NIC@NIC.DDN.MIL) (800) 365-3642

                          DEFENSE DATA NETWORK
                          MANAGEMENT BULLETIN

The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DISA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities.

Back issues may be read through the TACNEWS server ("@n" command at the
TAC) or may be obtained by FTP (or Kermit) from the NIC.DDN.MIL host
[192.112.36.5] using login="anonymous" and password="guest". The
pathname for bulletins is ddn-news/ddn-mgt-bulletin-nn.txt (where "nn"
is the bulletin number).
************************************************************************

PLEASE PASS TO ALL MILNET NODE SITE COORDINATORS AND HOST ADMINISTRATORS

REQUEST THIS INFORMATION BE DISSEMINATED AT ALL LEVELS.

THIS INFORMATION HAS ALSO BEEN RELEASED AS CONUSMILNETSTA 02/94.

SUBJECT: Ongoing Network Monitoring Attacks

RE: Automated System Security Incident Support Team (ASSIST) Bulletin
    94-02.

1. SUMMARY: In the past week, ASSIST has received information about
dramatic increases in reports of Internet intruders monitoring network
traffic using root-compromised systems supporting a promiscuous network
interface. The reports indicate that tens of thousands of systems
connected to the Internet are involved, including a number of MILNET
systems. The information collected by the intruders has the potential
to compromise systems that any user in the domain has accessed while
the intruders' network monitor was running. This includes local systems
and systems accessed outside the domain. The scope of this incident is
such that ASSIST believes any DOD site connected to the MILNET/Internet
is at risk from this attack.

2.
The current attacks involve a network monitoring tool that uses the
promiscuous mode of a specific network interface, /DEV/NIT, to capture
host and user authentication information on all newly opened FTP, TFTP,
TELNET, and RLOGIN sessions. Immediate action required is:

   A. All users on systems that offer remote access must change
      passwords immediately.

   B. Systems that support the /DEV/NIT interface should disable this
      feature if it is not used or attempt to prevent unauthorized
      access if the feature is necessary. Systems known to support the
      /DEV/NIT interface are SUNOS 4.X, and SOLBORNE Systems. Sun
      Solaris Systems do not support the /DEV/NIT interface. While the
      current attack is specific to /DEV/NIT, this short-term
      workaround does not constitute a complete solution.

   C. Determine if the network monitoring tool is running on your hosts
      that support a promiscuous network interface and notify ASSIST
      immediately if the tool is detected.

3. BACKGROUND: Root-compromised systems that support a promiscuous
network interface are being used by intruders to collect host and user
authentication information visible on the network. The intruders first
penetrate a system and gain root access through an unpatched
vulnerability. The intruders then run a network monitoring tool that
captures up to the first 128 keystrokes of all newly opened FTP, TFTP,
TELNET, and RLOGIN sessions visible within the compromised system's
domain. These keystrokes, which usually contain host, account, and
password information for user accounts on other systems, are logged for
later retrieval. The intruders typically install Trojan Horse Programs
to support subsequent access to the compromised system and to hide
their network monitoring process.

4. IMPACT: All connected network sites that use the network to access
remote systems are at risk from this attack.
All user account and password information derived from FTP, TFTP,
TELNET, and RLOGIN sessions and passing through the same network as the
compromised host could be disclosed.

5. DETECTION: The intruders' network monitoring tool is run under a
variety of process names and logs the captured data to a variety of
files. Thus, the best method for detecting this network monitoring tool
is to look for:

   A. Trojan Horse Programs commonly used in conjunction with this
      attack.

   B. Any suspect processes running on the system.

   C. The unauthorized use of /DEV/NIT.

   (1) Trojan Horse Programs: The intruders have replaced one or more
   of the following programs with a Trojan Horse in conjunction with
   this attack:

      /USR/ETC/IN.TELNETD and /BIN/LOGIN - Used to provide back-door
         access to the intruders to retrieve the information

      /BIN/PS - Used to disguise the network monitoring process

   Because the intruders have installed Trojan Horse variations of
   standard UNIX commands, ASSIST recommends not using other commands
   such as the standard SUNOS SUM(1) or CMP(1) command to locate the
   Trojan Horse programs on the system until these programs can be
   restored from distribution media, run from read-only media (such as
   a mounted CD-ROM), or verified using cryptographic checksum
   information. In addition to the possibility of having the checksum
   programs replaced by the intruders, the Trojan Horse programs
   mentioned above may have been engineered to produce the same
   standard checksum as the legitimate version. Because of this, the
   standard SUNOS SUM(1) command and the timestamps associated with the
   programs are not sufficient to determine whether the programs have
   been replaced.

   (2) Suspect Processes: Although the name of the network monitoring
   tool can vary from attack to attack, it is possible to detect a
   suspect process running as root using PS or other process-listing
   commands.
   However, the PS command should not be relied upon, since a Trojan
   Horse version is being used by the intruders to hide the monitoring
   process. Some process names that have been observed are SENDMAIL,
   ES, and IN.NETD. The arguments to the process also provide an
   indication of where the log file is located. If the "-F" flag is set
   on the process, the filename following it indicates the location of
   the log file used for the collection of authentication information
   for later retrieval by the intruders.

   (3) Unauthorized use of /DEV/NIT: If the network monitoring tool is
   currently running on your system, it is possible to detect this by
   checking for unauthorized use of the /DEV/NIT interface. The
   Computer Emergency Response Team (CERT) has created a tool for this
   purpose. The source code for this tool is available via anonymous
   FTP from ASSIST.IMS.DISA.MIL (IP 137.130.234.30) IN
   /PUB/TOOLS/CPM.1.0.TAR.Z.

   FILENAME          STANDARD UNIX SUM     SYSTEM V SUM
   -------           -----------------     ------------
   CPM.1.0.TAR.Z     11097       6         24453     12

   MD5 CHECKSUM
   MD5 (CPM.1.0.TAR.Z) = E29D43F3A86E647F7FF2AA453329A155

6. PREVENTION: There are two actions that are effective in preventing
this attack. A long-term solution requires eliminating transmission of
clear text passwords on the network. For this specific attack, however,
a short-term workaround exists. Both of these are described below.

   (1) Long-term prevention: ASSIST recognizes that the only effective
   long-term solution to preventing these attacks is to eliminate the
   transmission of clear-text passwords during remote logins.

   (2) Short-term workaround: Regardless of whether the network
   monitoring software is detected on your system, ASSIST recommends
   that all sites take action to prevent unauthorized network
   monitoring on their systems. You can do this either by removing the
   interface, if it is not used on the system, or by attempting to
   prevent the misuse of this interface.
   For systems other than SUN and SOLBORNE, contact your vendor to find
   out if promiscuous mode network access is supported and, if so, what
   the recommended method to disable this feature is. For SUN OS 4.X
   and SOLBORNE Systems, the promiscuous interface to the network can
   be eliminated by removing the /DEV/NIT capability from the kernel.
   The procedure for doing so can be obtained from the ASSIST office,
   ASSIST BBS, and ASSIST anonymous FTP Site.

7. SCOPE AND RECOVERY: If you detect the network monitoring software at
your site, contact ASSIST immediately. Additional information on
recovery from UNIX ROOT compromise, one-time password generation, and
the Check for network interfaces in Promiscuous Mode (CPM) tool can be
found in electronic form on the ASSIST BBS, which can be reached at
703/756-7993/4 DSN 289, or the ASSIST.IMS.DISA.MIL (IP 137.130.234.30)
anonymous FTP site.
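The checksum table in section 5 publishes three values for the CPM archive: the "standard UNIX" sum(1), the System V sum(1), and an MD5 digest. The following is an added example, not part of the bulletin or of the CPM tool, that shows how a site would check a downloaded archive against such a table, and why the bulletin says the 16-bit sum(1) values are not sufficient evidence that a file is unmodified: a birthday search over random data finds two different byte strings with the same standard sum in a few hundred tries, while their MD5 digests differ. The archive bytes and the baseline values used in the demonstration are constructed; the real published values are the ones in the table above.

```python
"""
Added example (not from the bulletin): verify an archive against a
published (standard sum, System V sum, MD5) triple, and demonstrate why
only the MD5 line is trustworthy evidence of integrity.

Both sum(1) algorithms are implemented over bytes in memory; MD5 comes
from hashlib.  All file contents below are constructed for the demo.
"""
import hashlib
import random


def bsd_sum(data: bytes):
    """'Standard UNIX' (BSD) sum(1): rotate-right-by-one-then-add over a
    16-bit state.  Returns (checksum, block count in 1024-byte blocks)."""
    checksum = 0
    for b in data:
        checksum = ((checksum >> 1) + ((checksum & 1) << 15) + b) & 0xFFFF
    return checksum, (len(data) + 1023) // 1024


def sysv_sum(data: bytes):
    """System V sum(1): 32-bit byte total folded twice into 16 bits.
    Returns (checksum, block count in 512-byte blocks)."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    folded = (folded & 0xFFFF) + (folded >> 16)
    return folded, (len(data) + 511) // 512


def md5_hex(data: bytes) -> str:
    """Upper-case hex MD5, matching the style of the bulletin's table."""
    return hashlib.md5(data).hexdigest().upper()


def verify_archive(data: bytes, expected: dict) -> dict:
    """Compare every published value.  'bsd' and 'sysv' are (checksum,
    blocks) tuples, 'md5' is a hex string.  A site should treat only the
    MD5 match as meaningful; the sums are reported for completeness."""
    return {
        "bsd_sum": bsd_sum(data) == expected["bsd"],
        "sysv_sum": sysv_sum(data) == expected["sysv"],
        "md5": md5_hex(data) == expected["md5"].upper(),
    }


def find_bsd_sum_collision(length: int = 64, seed: int = 1994):
    """Birthday search: two distinct random byte strings of equal length
    whose standard sum(1) output is identical.  With a 16-bit state this
    takes only a few hundred candidates, which is why the bulletin does
    not accept SUM(1) as proof that a binary is the legitimate version."""
    rng = random.Random(seed)
    seen = {}
    while True:
        candidate = bytes(rng.getrandbits(8) for _ in range(length))
        key = bsd_sum(candidate)
        if key in seen and seen[key] != candidate:
            return seen[key], candidate
        seen[key] = candidate


if __name__ == "__main__":
    # Constructed stand-in for the archive.  A site would record this
    # baseline from read-only distribution media, not from the live host.
    original = b"constructed archive contents\n" * 40
    baseline = {"bsd": bsd_sum(original),
                "sysv": sysv_sum(original),
                "md5": md5_hex(original)}
    print("untouched archive:", verify_archive(original, baseline))
    print("modified archive: ", verify_archive(original + b"!", baseline))

    a, b = find_bsd_sum_collision()
    print("same standard sum:", bsd_sum(a) == bsd_sum(b),
          "| same MD5:", md5_hex(a) == md5_hex(b))
```

The collision search is deterministic for a given seed, so the demonstration is repeatable; it makes no attempt to construct a particular file, only to show that equal sum(1) output carries almost no information about whether two files are the same.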
The Duty Officer will call you back within 30 minutes, and if faster
service is required, prefix your telephone number with '999' and your
call will be returned within 5 minutes. ASSIST can also be reached via
MILNET (Internet) E-Mail at ASSIST@ASSIST.IMS.DISA.MIL, or by logging
on to the CISS electronic bulletin board system at COMM (703)
756-7993/4, DSN 289, and leaving a message for the 'SYSOP'.

10. POCs for DDN Management Bulletin 9401 are Maj John Lent, DISA/UTDS,
DSN 222-2757/COMM (703) 692-2757; E-Mail lentj@cc.ims.disa.mil and Mr
Joe Boyd, DISA/UTDS, DSN 222-7580/COMM (703) 692-7580; E-Mail
boydj@cc.ims.disa.mil.