Educause Security Discussion mailing list archives

FW: Multiple UNIX compromises at Stanford


From: "Dr. Tina Bird" <tbird65 () STANFORD EDU>
Date: Tue, 6 Apr 2004 17:45:08 -0700

-----Original Message-----
From: owner-first-teams () first org 
[mailto:owner-first-teams () first org] On Behalf Of Dr. Tina Bird
Sent: Tuesday, April 06, 2004 5:41 PM
To: first-teams () first org
Subject: Multiple UNIX compromises at Stanford


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi all -- Rather more disturbing to this old UNIX geek than 
the rapid spread of Phatbot and its relatives is the 
widespread, apparently co-ordinated attack being seen 
targeting Linux and Solaris systems in higher education and 
research organizations.  I've just released the following 
alert to Stanford; please feel free to distribute the 
information to your UNIX system administrators and other 
interested parties.

The full text of this Security Alert is on line at 
<http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html>.

Stanford, along with a large number of research institutions and high
performance computing centers, has become a target for some sophisticated
Linux and Solaris attacks. An unknown attacker (or group) has compromised
numerous multi-user Solaris and Linux computers on Stanford's campus using a
variety of mechanisms. In most cases, the attacker gets access to a machine
by cracking or sniffing passwords. Local user accounts are escalated to root
privileges by triggering a variety of local exploits, including the do_brk()
and mremap() exploits on Linux and the arbitrary kernel loading modules and
passwd vulnerabilities on Solaris.

If you manage multi-user Linux or Solaris systems, please read the alert
referenced above and take the appropriate action to protect your systems and
your users.

cheers?  tbird

- - --
Dr. Tina Bird
Information Security Services, Stanford University

http://securecomputing.stanford.edu/alert.html
http://www.loganalysis.org
http://vpn.shmoo.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)
Comment: Made with pgp4pine 1.76

iD8DBQFAc04dcoaZZ4u5dCIRAvL5AKDyN9OJAq6cp5vsnQP5VU8MQcw2rACfWSI+
fogoa1PK3od2vW9xajWuGZg=
=wT09
-----END PGP SIGNATURE-----

