Apply "method 1" as outlined in the System and Network Administration manual, in the section, "Sun System Administration Procedures," Chapter 9, "Reconfiguring the System Kernel." Excerpts from the method are reproduced below:
# cd /usr/kvm/sys/sun[3,3x,4,4c]/conf
# cp CONFIG_FILE SYS_NAME
[Note that at this step, you should replace the CONFIG_FILE with your system-specific configuration file if one exists.]
# chmod +w SYS_NAME
# vi SYS_NAME
# The following are for streams NIT support. NIT is used by
# etherfind, traffic, rarpd, and ndbootd. As a rule of thumb,
# NIT is almost always needed on a server and almost never
# needed on a diskless client.
pseudo-device snit # streams NIT
pseudo-device pf # packet filter
pseudo-device nbuf # NIT buffering module
[Comment out the preceding three lines; save and exit the editor before proceeding.]
# config SYS_NAME
# cd ../SYS_NAME
# mv /vmunix /vmunix.old
# cp vmunix /vmunix
[This step will reboot the system with the new kernel.]
[NOTE that even after the new kernel is installed, you need to take care to ensure that the previous vmunix.old, or other kernel, is not used to reboot the system.]
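The edit above is done by hand in vi, and the advisory's warning about vmunix.old shows why a second check matters: it is easy to leave one of the three pseudo-devices enabled, or to rebuild from a configuration file that was never edited. The following Python is an added example, not part of the advisory or of any Sun tool; it assumes a configuration file whose pseudo-device lines look like the excerpt above (the "loop" entry in the sample is a constructed, hypothetical line used only to show that unrelated pseudo-devices are left alone). It comments out the NIT entries and, separately, reports any that are still enabled, which is the check to run before and after config/make.

```python
import re

# Pseudo-devices named in the advisory's configuration excerpt: the streams
# NIT module, the packet filter, and the NIT buffering module.
NIT_PSEUDO_DEVICES = ("snit", "pf", "nbuf")

# An uncommented pseudo-device line: optional indent, keyword, device name,
# then anything else (usually a trailing "# ..." comment). A line that is
# already commented out starts with "#" and therefore does not match.
PSEUDO_DEVICE_RE = re.compile(r"^(\s*)pseudo-device\s+(\S+)(.*)$")


def enabled_nit_devices(config_text):
    """Return the NIT-related pseudo-devices still enabled in a config file."""
    found = []
    for line in config_text.splitlines():
        match = PSEUDO_DEVICE_RE.match(line)
        if match and match.group(2) in NIT_PSEUDO_DEVICES:
            found.append(match.group(2))
    return found


def disable_nit(config_text):
    """Comment out the NIT pseudo-device lines; return (new_text, disabled)."""
    out_lines, disabled = [], []
    for line in config_text.splitlines():
        match = PSEUDO_DEVICE_RE.match(line)
        if match and match.group(2) in NIT_PSEUDO_DEVICES:
            out_lines.append("#" + line)
            disabled.append(match.group(2))
        else:
            out_lines.append(line)
    return "\n".join(out_lines) + "\n", disabled


# Constructed sample: a fragment shaped like the advisory's excerpt, plus an
# unrelated (hypothetical) pseudo-device that must be left untouched.
SAMPLE_CONFIG = """\
# The following are for streams NIT support.
pseudo-device snit # streams NIT
pseudo-device pf # packet filter
pseudo-device nbuf # NIT buffering module
pseudo-device loop # loopback network (unrelated, keep)
"""

if __name__ == "__main__":
    print("enabled before:", enabled_nit_devices(SAMPLE_CONFIG))
    new_text, disabled = disable_nit(SAMPLE_CONFIG)
    print("disabled:", disabled)
    print("enabled after:", enabled_nit_devices(new_text))
    print(new_text)
```

Running disable_nit a second time over its own output changes nothing, so the script can be applied to a file whose state is unknown; the enabled_nit_devices check is what to keep in a post-rebuild verification step.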
C. Scope and recovery
If you detect the network monitoring software at your site, we recommend following the steps below to successfully determine the scope of the problem and to recover from this attack.
1. Restore the system that was subjected to the network monitoring software.
The systems on which the network monitoring and/or Trojan horse programs are found have been compromised at the root level; your system configuration may have been altered. See Appendix A of this advisory for help with recovery.
2. Consider changing router, server, and privileged account passwords due to the widespread nature of these attacks.
Since this threat involves monitoring remote connections, take care to change these passwords using some mechanism other than remote telnet, rlogin, or FTP access.
3. Urge users to change passwords on local and remote accounts.
Users who access accounts using telnet, rlogin, or FTP either to or from systems within the compromised domain should change their passwords after the intruder's network monitor has been disabled.
4. Notify remote sites connected from or through the local domain of the network compromise.
Encourage the remote sites to check their systems for unauthorized activity. Be aware that if your site routes network traffic between external domains, both of these domains may have been compromised by the network monitoring software.
Appendix A: RECOVERING FROM A UNIX ROOT COMPROMISE
A. Immediate recovery technique
More detailed advice can be found in
- Disconnect from the network or operate the system in single-user mode during the recovery. This will keep users and intruders from accessing the system.
- Verify system binaries and configuration files against the vendor's media (do not rely on timestamp information to provide an indication of modification). Do not trust any verification tool such as cmp(1) located on the compromised system as it, too, may have been modified by the intruder. In addition, do not trust the results of the standard UNIX sum(1) program as we have seen intruders modify system files in such a way that the checksums remain the same. Replace any modified files from the vendor's media, not from backups.
  -- or --
  Reload your system from the vendor's media.
- Search the system for new or modified setuid root files.
  find / -user root -perm -4000 -print
  If you are using NFS or AFS file systems, use ncheck to search the local file systems.
  ncheck -s /dev/sd0a
- Change the password on all accounts.
- Don't trust your backups for reloading any file used by root. You do not want to re-introduce files altered by an intruder.
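Two of the points above deserve a concrete illustration: that sum(1) can be defeated, and that the setuid search should be compared against a known-good list rather than read by eye. The Python below is an added example, not CERT's or any vendor's tool. It assumes a baseline built from vendor media and stored offline (file contents and paths here are constructed samples; /usr/tmp/.hidden is a hypothetical path). It implements the 16-bit rotate-and-add checksum of BSD sum(1) (assumed to be the variant on the SunOS systems discussed), records SHA-256 alongside it, and then audits a live file set: the two login images in the sample differ only in their first two bytes, "Ba" versus "D`", which the rotate-and-add checksum maps to the same 16-bit state, so the legacy sum is identical while SHA-256 is not.

```python
import hashlib

SETUID_BIT = 0o4000


def bsd_sum(data):
    """16-bit rotate-and-add checksum as computed by BSD sum(1) (assumed variant)."""
    checksum = 0
    for byte in data:
        checksum = ((checksum >> 1) | ((checksum & 1) << 15)) + byte
        checksum &= 0xFFFF
    return checksum


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_baseline(trusted_files):
    """trusted_files: path -> (mode, content) read from vendor media.

    The baseline belongs offline or on read-only media, never on the host
    being audited, for the same reason the advisory distrusts cmp(1) there."""
    return {
        path: {"mode": mode, "sum": bsd_sum(content), "sha256": sha256_hex(content)}
        for path, (mode, content) in trusted_files.items()
    }


def audit(baseline, current_files):
    """Compare the live file set against the baseline and list findings."""
    findings = []
    for path, (mode, content) in current_files.items():
        ref = baseline.get(path)
        if ref is None:
            # Anything setuid that vendor media never shipped is suspect.
            if mode & SETUID_BIT:
                findings.append("NEW setuid file not in baseline: " + path)
            continue
        if sha256_hex(content) != ref["sha256"]:
            note = ""
            if bsd_sum(content) == ref["sum"]:
                note = " (sum(1) value unchanged; the legacy checksum would miss this)"
            findings.append("MODIFIED: " + path + note)
        if (mode & SETUID_BIT) and not (ref["mode"] & SETUID_BIT):
            findings.append("setuid bit added: " + path)
    for path in baseline:
        if path not in current_files:
            findings.append("MISSING: " + path)
    return findings


# Constructed sample data, not real file contents.
VENDOR_FILES = {
    "/bin/login": (0o4755, b"Ba" + b" vendor login image\n"),
    "/usr/etc/in.telnetd": (0o755, b"vendor telnetd image\n"),
}
LIVE_FILES = {
    "/bin/login": (0o4755, b"D`" + b" vendor login image\n"),
    "/usr/etc/in.telnetd": (0o755, b"vendor telnetd image\n"),
    "/usr/tmp/.hidden": (0o4755, b"copied shell\n"),  # hypothetical path
}


def run_sample_audit():
    return audit(make_baseline(VENDOR_FILES), LIVE_FILES)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

The checksum only has 65536 possible values and mixes its state with a single rotation per byte, which is why a change can be made invisible to it; a cryptographic hash kept off the compromised host does not have that property, and the audit reports which files would have slipped past sum(1).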
B. Improving the security of your system
- CERT Security Technical Tips
The CERT/CC staff has developed technical tips and checklists based on information gained from computer security incidents reported to us. These tips are available from
- Security Tools
Use security tools such as COPS and Tripwire to check for security configuration weaknesses and for modifications made by intruders. We suggest storing these security tools, their configuration files, and databases offline or encrypted. TCP daemon wrapper programs provide additional logging and access control. These tools are available
- CERT Advisories
Review past CERT advisories (both vendor-specific and generic) and install all appropriate patches or workarounds as described in the advisories. CERT advisories and other security-related information are available from
To join the CERT Advisory mailing list, send a request to:
Please include contact information, including a telephone number.
Appendix B: ONE-TIME PASSWORDS
Given today's networked environments, CERT recommends that sites concerned about the security and integrity of their systems and networks consider moving away from standard, reusable passwords. CERT has seen many incidents involving Trojan network programs (e.g., telnet and rlogin) and network packet sniffing programs. These programs capture clear-text hostname, account name, password triplets. Intruders can use the captured information for subsequent access to those hosts and accounts. This is possible because 1) the password is used over and over (hence the term "reusable"), and 2) the password passes across the network in clear text.
Several authentication techniques have been developed that address this problem. Among these techniques are challenge-response technologies that provide passwords that are only used once (commonly called one-time passwords). This document provides a list of sources for products that provide this capability. The decision to use a product is the responsibility of each organization, and each organization should perform its own evaluation and selection.
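The following Python is an added example of the one-time password mechanism described above, modelled on the hash-chain scheme used by the S/KEY package listed below; it is not S/KEY's code. Real S/KEY folds MD4 output to 64 bits; this example uses the first 8 bytes of SHA-256 instead, an assumption made only to keep the example self-contained. Secret, seed and chain length are constructed values. The server stores H^n(seed, secret), challenges with the sequence number n-1 and the seed, and accepts a response only if hashing it once yields the stored value; a sniffed response is therefore useless for the next login, which is exactly the property the reusable password lacks.

```python
import hashlib


def otp_hash(value):
    # Assumption: truncated SHA-256 stands in for S/KEY's folded MD4.
    return hashlib.sha256(value).digest()[:8]


def hash_chain(secret, seed, count):
    """Apply otp_hash count times to seed+secret; count=0 is the raw value."""
    value = (seed + secret).encode()
    for _ in range(count):
        value = otp_hash(value)
    return value


class OtpServer:
    """Server side: never holds the secret, only the top of the hash chain."""

    def __init__(self, seed, count, top_of_chain):
        self.seed = seed
        self.count = count          # sequence number of the stored value
        self.stored = top_of_chain  # H^count(seed, secret)

    def challenge(self):
        # The client must supply H^(count-1). Sequence 0 would be the raw
        # secret-derived value, so the chain is retired before reaching it.
        if self.count <= 1:
            raise RuntimeError("chain exhausted: re-enrol with a new seed")
        return (self.count - 1, self.seed)

    def verify(self, response):
        if otp_hash(response) == self.stored:
            self.stored = response   # step one link down the chain
            self.count -= 1
            return True
        return False


def enroll(secret, seed, count=100):
    # Enrolment is done over a trusted path (console), not across the network.
    return OtpServer(seed, count, hash_chain(secret, seed, count))


def client_respond(secret, challenge):
    """Client side (the role of the "key" calculator): recompute H^sequence."""
    sequence, seed = challenge
    return hash_chain(secret, seed, sequence)


def demo_login_and_replay(secret="correct horse battery", seed="ca94", count=10):
    """Returns (first_login_ok, replay_ok, second_login_ok) for constructed values."""
    server = enroll(secret, seed, count)
    challenge = server.challenge()
    otp = client_respond(secret, challenge)      # this is all a sniffer sees
    first_ok = server.verify(otp)
    replay_ok = server.verify(otp)               # replaying the captured value
    second_ok = server.verify(client_respond(secret, server.challenge()))
    return first_ok, replay_ok, second_ok


if __name__ == "__main__":
    print(demo_login_and_replay())
```

The server's state after a successful login is the value it just received, so a captured response verifies once and never again; recovering the next response from it would require inverting otp_hash. The chain must be re-initialised with a fresh seed before the sequence number reaches 0, which is why challenge() refuses to hand out that step.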
I. Publicly Available Packages
The S/KEY package is publicly available (no fee) via anonymous FTP from:
thumper.bellcore.com /pub/nmh directory
There are three subdirectories:
skey  UNIX code and documents on S/KEY. Includes the change needed to login, and stand-alone commands (such as "key") that compute the one-time password for the user, given the secret password and the S/KEY command.
dos   DOS or DOS/WINDOWS S/KEY programs. Includes DOS version of "key" and "termkey" which is a TSR program.
mac   One-time password calculation utility for
II. Commercial Products
Digital Pathways, Inc.
Secure Net Key (SNK)
201 Ravendale Dr.
Mountain View, CA 94043-5216
Fax: (415) 961-7487
Handheld authentication calculators (SNK004)
Serial line authentication interruptors (Guardian)
Note: Secure Net Key (SNK) is DES-based, and therefore restricted from US export.
(complete turnkey systems)
One Alewife Center
Cambridge, MA 02140-2312
Fax: (617) 354-8836
SecurID changing number authentication card
ACE server software
SecurID is time-synchronized using a 'proprietary' number generation algorithm
WatchWord and WatchWord II
480 Spring Park Place
Herndon, VA 22070
1-800-521-6261 ext 217
WatchWord authentication calculator
Alpha-numeric keypad, digital signature capability
Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
DES Silver card authentication calculator
SafeWord Multisync card authentication calculator
Available for UNIX, VMS, MVS, MS-DOS, Tandem, Stratus, as well as other OS versions. Supports one-time passwords and super smartcards from several vendors.
Appendix C: cpm 1.0 README FILE
cpm - check for network interfaces in promiscuous mode.
Thursday Feb 3 1994
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
This program is free software; you can distribute it and/or modify it as long as you retain the Carnegie Mellon copyright statement.
It can be obtained via anonymous FTP from ftp.cert.org:pub/tools/cpm.tar.Z.
This program is distributed WITHOUT ANY WARRANTY; without the IMPLIED WARRANTY of merchantability or fitness for a particular purpose.
This package contains:
To create cpm under SunOS, type:
% cc -Bstatic -o cpm cpm.c
On machines that support dynamic loading, such as Sun's, CERT recommends that programs be statically linked so that this feature is disabled.
CERT recommends that after you install cpm in your favorite directory, you take measures to ensure the integrity of the program by noting the size and checksums of the source code and resulting binary.
The following is an example of the output of cpm and its exit status.
Running cpm on a machine where both the le0 and le2 interfaces are in promiscuous mode, under csh(1):
% echo $status
Running cpm on a machine where no interfaces are in promiscuous mode, under csh(1):
% echo $status
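cpm queried SunOS interfaces for the promiscuous flag and reported the result through its exit status so that a cron job or shell script could act on it. The Python below is an added example of the same check on a Linux host, not cpm's code and not a port of it: it assumes the Linux sysfs layout, where /sys/class/net/<interface>/flags holds the interface flags as a hex string, and the IFF_PROMISC bit value 0x100 from <linux/if.h>. The sample flag values are constructed; cpm's own output lines and status numbers are not reproduced here, and the exit-status convention used (the count of promiscuous interfaces, zero meaning none) is this example's.

```python
import os

# IFF_PROMISC as defined for Linux interface flags in <linux/if.h>.
IFF_PROMISC = 0x100


def parse_flags(text):
    """Parse one /sys/class/net/<iface>/flags value, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def promiscuous_interfaces(flags_by_iface):
    """flags_by_iface: interface name -> flags string. Returns sorted names."""
    return sorted(
        name for name, text in flags_by_iface.items()
        if parse_flags(text) & IFF_PROMISC
    )


def read_sysfs_flags(sysfs_root="/sys/class/net"):
    """Collect the flags file of every interface; empty dict without sysfs."""
    result = {}
    if not os.path.isdir(sysfs_root):
        return result
    for name in os.listdir(sysfs_root):
        path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(path) as fh:
                result[name] = fh.read()
        except OSError:
            continue
    return result


def exit_status(promisc):
    # This example's convention: the number of interfaces found, so a
    # shell test of $status == 0 means "nothing in promiscuous mode".
    return len(promisc)


# Constructed sample of sysfs values: only eth0 carries the IFF_PROMISC bit.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1103\n", "eth1": "0x1003\n"}

if __name__ == "__main__":
    import sys
    flags = read_sysfs_flags() or SAMPLE_FLAGS
    found = promiscuous_interfaces(flags)
    for name in found:
        print(name + " is in promiscuous mode")
    sys.exit(exit_status(found))
```

As with cpm, the check is only as trustworthy as the host it runs on: a kernel module or a replaced libc can hide the flag, so a clean result should be read as "nothing visible", and the README's advice to record the size and checksums of the tool applies just as much here.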
The CERT Coordination Center thanks the members of the FIRST community as well as the many technical experts around the Internet who participated in creating this advisory. Special thanks to Eugene Spafford of Purdue University for his contributions.
Copyright 1994, 1995, 1996, 1997 Carnegie Mellon University.
Sept. 19, 1997 Updated Copyright statement
Apr. 03, 1997 Appendix B - corrected "Public Domain" to read "Publicly
Oct. 09, 1996 Sentence 1 - Clarified the time of the increase in the reports.
Appendix A - Added the URL for our tech tip on root compromises.
Aug. 30, 1996 Information previously in the README was inserted into the advisory. Updated URLs.
July 31, 1996 Appendix B - referred to new tech tips, which replace the single
Mar. 20, 1996 Sec. III.A.3 - additional information concerning cpm (v. 1.2)
Sept. 21, 1995 Sec. III.A.3 - suggestions regarding cpm
Feb. 02, 1995 Sec. III - additional information on Trojan binaries (III.A), use of the /dev directory (III.A.3), and two more activities (III.A.4 & III.A.5)
Feb. 02, 1995 Updates section - additional information about sniffer activity