Modernz 54
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
/* *\
/ * * \
/ * * \
/ * * \
/ * System Vulnerabilities * \
| * * |
| * * |
| * * |
| * Another Modernz Presentation * |
| * * |
\ * by * /
\ * Multiphage * /
\ * * /
\ * (C)opyright May 25th, 1992 * /
\ * */
*********************************************************
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
*******************************************************************************
The Modernz can be contacted at:
MATRIX BBS
WOK-NOW!
World of Kaos NOW!
World of Knowledge NOW!
St. Dismis Institute
- Sysops: Wintermute
Digital-demon
(908) 905-6691
(908) WOK-NOW!
(908) 458-xxxx
1200/2400/4800/9600
14400/19200/38400
Home of Modernz Text Philez
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
TANSTAAFL
Pheonix Modernz
The Church of Rodney
- Sysop: Tal Meta
(908) 830-TANJ
(908) 830-8265
Home of TANJ Text Philez
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
CyberChat
Sysop: Hegz
(908)506-6651
(908)506-7637
300/1200/2400/4800/9600
14400/19200/38400
Modernz Site
TLS HQ
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
The Global Intelligence Center
World UASI Headquarters!
Pennsylvania SANsite!
(412) 475-4969 300/1200/2400/9600
24 Hours! SysOp: The Road Warrior
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
The Lost Realm
Western PA UASI site!
Western PA. SANfranchise
(412) 588-5056 300/1200/2400
SysOp: Orion Buster
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
The Last Outpost
PowerBBS Support Board
UASI ALPHA Division
NorthWestern PA UASI site!
(412) 662-0769 300/1200/2400
24 hours! SysOp: The Almighty Kilroy
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
Hellfire BBS
SANctuary World Headquarters!
New Jersey UASI site!
(908) 495-3926 300/1200/2400
24 hours! SysOp: Red
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
BlitzKreig BBS
Home of TAP
(502)499-8933
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
I. Description
The Michelangelo virus is a computer virus that affects PCs
running MS-DOS (and PC-DOS, DR-DOS, etc.) versions 2.xx and
higher. Note, however, that although the virus can only execute
on PCs running these versions of DOS, it can infect and damage PC
hard disks containing other PC operating systems including UNIX,
OS/2, and Novell. Thus, booting an infected DOS floppy disk on
a PC that has, for example, UNIX on the hard disk would infect
the hard disk and would probably prevent the UNIX disk from
booting. The virus infects floppy disk boot sectors and hard
disk master boot records (MBRs). When the user boots from an
infected floppy disk, the virus installs itself in memory and
infects the partition table of the first hard disk (if found).
Once the virus is installed, it will infect any floppy disk that
the user accesses.
Some possible, though not conclusive, symptoms of the
Michelangelo virus include a reduction in free/total memory by
2048 bytes, and some floppy disks that become unusable or display
"odd" graphic characters during "DIR" commands. Additionally,
integrity management products should report that the MBR has been
altered.
Note that the Michelangelo virus does not display any messages on
the PC screen at any time.
II. Impact
The Michelangelo virus triggers on any March 6. On that date,
the virus overwrites critical system data, including boot and
file allocation table (FAT) records, on the boot disk (floppy or
hard), rendering the disk unusable. Recovering user data from a
disk damaged by the Michelangelo virus will be very difficult.
III. Solution
Many versions of anti-virus software released after approximately
October 1991 will detect and/or remove the Michelangelo virus.
This includes numerous commercial, shareware, and freeware
software packages. Since this virus was first detected around
the middle of 1991 (after March 6, 1991), it is crucial to use
current versions of these products, particularly those products
that search systems for known viruses.
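The "integrity management products" mentioned above work by comparing the MBR as read from the disk against a trusted baseline. The following Python example is added here and is not part of the advisory; it parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and reports what changed. It assumes you obtain the sector bytes yourself (from a raw device or a disk image); the sample MBR it builds is constructed test data, not a real disk. Because a boot-sector virus that replaces only the boot code leaves the partition table intact, the check hashes the boot code separately rather than inspecting the partition entries alone.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, used partition entries and the signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:PART_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def mbr_changed(current: bytes, baseline: bytes) -> list:
    """Compare a freshly read MBR with a trusted baseline; return a list of findings (empty = clean)."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible boot-sector infection)")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    if not cur["signature_ok"]:
        findings.append("0x55AA boot signature missing")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR with one bootable FAT16 (type 0x06) partition; test data only."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 204736)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE
```

Record the baseline while the system is known clean (for example right after installing from distribution media) and re-run the comparison at each boot or on a schedule.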
---------------------------------------------------------------------------
===========================================================================
Internet Intruder Activity
---------------------------------------------------------------------------
This advisory concerns a significant intrusion incident on the
Internet. Systems administrators should be aware that many systems on
the Internet have been compromised due to this activity. To identify
whether your systems have been affected by the activity, we recommend
that all system administrators check for the signs of intrusion
detailed in this advisory.
This advisory describes the activities that have been identified as
part of this particular incident. This does not address the
possibility that systems may have been compromised due to other,
unrelated intrusion activity.
---------------------------------------------------------------------------
I. Description
The intruders gained initial access to a host by discovering a
password for a user account on the system. They then attempted
to become root on the compromised system.
II. Impact
Having gained root access on a system, the intruders installed
trojan binaries that captured account information for both
local and remote systems. They also installed set-uid root
shells to be used for easy root access.
III. Solution
A. Check your systems for signs of intrusion due to this incident.
1. Check the su, ftpd, and ftp binaries (for example, "/bin/su",
"/usr/ucb/ftp" and "/usr/etc/in.ftpd" on Sun systems)
against copies from distribution media.
2. Check for the presence of any of the following files:
"/usr/etc/..." (dot dot dot), "/var/crash/..." (dot dot dot),
"/usr/etc/.getwd", "/var/crash/.getwd", or
"/usr/kvw/..." (dot dot dot).
3. Check for the presence of "+" in the "/etc/hosts.equiv" file.
4. Check the home directory for each entry in the "/etc/passwd"
file for the presence of a ".rhosts" file containing
"+ +" (plus space plus).
5. Search the system for the presence of the following set-uid
root files: "wtrunc" and ".a".
6. Check for the presence of the set-uid root file "/usr/lib/lpx".
B. Take the following steps to secure your systems.
1. Save copies of the identified files to removable media.
2. Replace any modified binaries with copies from
distribution media.
3. Remove the "+" entry from the "/etc/hosts.equiv" file and
the "+ +" (plus space plus) entry from any ".rhosts" files.
4. Remove any of the set-uid root files that you find, which are
mentioned in A5 or A6 above.
5. Change every password on the system.
6. Inspect the files mentioned in A2 above for references
to other hosts.
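The checks in section III.A can be scripted so that they are run the same way on every host. The POSIX shell function below is an added example, not part of the advisory; it audits a filesystem tree for the signs listed in A2 through A6 and returns the number of findings. The ROOT argument is an assumption added so the same function can be pointed at a mounted disk image or at "/" on a live system; check A1 (comparing su, ftp and ftpd against distribution media) is left to a manual cksum comparison because it needs the trusted copies at hand.

```shell
#!/bin/sh
# Added example (not from the original advisory): look for the intrusion signs
# in section III.A. Prints one "FOUND:" line per sign; exit status = number found.
# ROOT is the tree to audit ("/" for the live system, or a mounted image).

check_intrusion_signs() {
    root="${1:-/}"
    root="${root%/}"   # drop trailing slash so "$root/etc/passwd" is well formed
    found=0

    # A2: the "..." (dot dot dot) directories and .getwd files used as hiding places
    for f in /usr/etc/... /var/crash/... /usr/etc/.getwd /var/crash/.getwd /usr/kvw/...; do
        if [ -e "$root$f" ]; then
            echo "FOUND: suspicious file $f"
            found=$((found + 1))
        fi
    done

    # A3: a bare "+" line in hosts.equiv trusts every host on the network
    if [ -f "$root/etc/hosts.equiv" ] && grep -q '^+[[:space:]]*$' "$root/etc/hosts.equiv"; then
        echo "FOUND: '+' entry in /etc/hosts.equiv"
        found=$((found + 1))
    fi

    # A4: "+ +" in any user's .rhosts admits any user from any host without a password
    if [ -f "$root/etc/passwd" ]; then
        for home in $(cut -d: -f6 "$root/etc/passwd"); do
            rh="$root$home/.rhosts"
            if [ -f "$rh" ] && grep -q '^+[[:space:]]\{1,\}+[[:space:]]*$' "$rh"; then
                echo "FOUND: '+ +' entry in $home/.rhosts"
                found=$((found + 1))
            fi
        done
    fi

    # A5/A6: set-uid files named wtrunc or .a anywhere, and /usr/lib/lpx;
    # the owner column printed beside each hit shows whether it is set-uid root
    suid=$(find "$root" -type f \( -name wtrunc -o -name .a -o -path "$root/usr/lib/lpx" \) \
              -perm -4000 2>/dev/null)
    if [ -n "$suid" ]; then
        echo "$suid" | while IFS= read -r f; do
            echo "FOUND: set-uid file ${f#$root} ($(ls -ld "$f" | awk '{print $1, $3}'))"
        done
        found=$((found + $(echo "$suid" | wc -l)))
    fi

    return "$found"
}
```

Run it as root against "/" so that every home directory is readable; a non-zero exit status means at least one sign was found and the remediation steps in III.B apply.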
---------------------------------------------------------------------------