CERT Incident Note IN-98.01

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Scans to Port 1/tcpmux and unpassworded SGI accounts

Wednesday, May 13, 1998

For the past couple of weeks we have received reports of widespread scans to TCP port 1. The service assigned to TCP port 1 is tcpmux (for more info see RFC#1078). We know that some of the scans originated from sites which were root compromised. We were able to obtain files from a site which was used to launch these scans which indicate that the intruder was scanning for IRIX machines. By default, IRIX systems have tcpmux enabled. Once the intruder had found a number of machines with a service running on port 1/tcpmux, another automated intruder tool was used to telnet to each of these machines and attempt to log in as guest, lp, and demos.

In addition to the above incident, we have noticed an increase in the number of reports of IRIX root compromises over the past few weeks. We have also received numerous independent reports of widespread failed login attempts to lp, guest, demos, OutOfBox, and EZsetup accounts.

We have been in communication with SGI about this issue. At this time there does not appear to be any vulnerability in the SGI implementation of tcpmux or any service provided through tcpmux. IRIX machines ship by default with unpassworded accounts. As of IRIX 6.3 there is a security tool to easily disable or add passwords to these accounts at installation time. Please refer to the following advisories for more information about this issue:
We strongly encourage you to ensure that the full set of security patches for each of your systems is applied. This is a major step in defending your systems from attack, and its importance cannot be overstated. We encourage you to check with your vendor regularly for any updates or new patches that relate to your systems. We also encourage you to ensure that you are up to date with patches and workarounds referenced in CERT advisories. IRIX patches are available from:
If your IRIX machine has unpassworded accounts, then aside from disabling (or adding password protection to) accounts which do not have passwords, we encourage you to inspect your system for signs of intrusion. For instructions on how to do this please refer to the "Recovering from an Incident" web page.
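The two checks an administrator would want after reading this note are (a) which local accounts have no password at all and (b) whether any host has been sweeping the default account names listed above. The following Python script is an added example, not part of the CERT note and not an SGI tool; the /etc/passwd excerpt and the syslog-style lines it uses are constructed sample data (the UIDs, home directories, addresses and the exact "LOGIN FAILURE" message format are assumptions, not real IRIX output). The passwd check is general: it reports every account with an empty password field, not only the five names from the note.

```python
"""Added example (not from the CERT note): defender-side checks for unpassworded
accounts and for sweeps of default account names. All sample data is constructed."""
import re

# Account names the note reports intruders trying (taken from the note itself).
WATCHED_ACCOUNTS = {"lp", "guest", "demos", "OutOfBox", "EZsetup"}

# Constructed /etc/passwd excerpt. An empty second field means no password is set;
# "x", "*" or a hash means a password or a shadow entry exists.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
OutOfBox::995:997:Out of Box Experience:/usr/people/OutOfBox:/bin/csh
EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh
alice:x:1001:20:Alice:/usr/people/alice:/bin/sh
"""

# Constructed syslog-style failed-login lines. The message format is an
# assumption for this example, not the exact text an IRIX login daemon writes.
SAMPLE_LOG = """\
May 12 03:14:01 irix1 login[1201]: LOGIN FAILURE ON ttyq0 FROM 192.0.2.10, guest
May 12 03:14:03 irix1 login[1202]: LOGIN FAILURE ON ttyq0 FROM 192.0.2.10, lp
May 12 03:14:05 irix1 login[1203]: LOGIN FAILURE ON ttyq0 FROM 192.0.2.10, demos
May 12 03:14:07 irix1 login[1204]: LOGIN FAILURE ON ttyq0 FROM 192.0.2.10, OutOfBox
May 12 09:02:11 irix1 login[1340]: LOGIN FAILURE ON ttyq1 FROM 198.51.100.7, alice
May 12 09:02:40 irix1 login[1341]: LOGIN FAILURE ON ttyq1 FROM 198.51.100.7, guest
"""

LOG_RE = re.compile(r"LOGIN FAILURE ON \S+ FROM (?P<src>[\d.]+), (?P<user>\S+)")


def unpassworded_accounts(passwd_text):
    """Return the usernames whose password field is empty, in file order.

    Malformed lines (fewer than seven colon-separated fields) and comments
    are skipped rather than crashing the audit.
    """
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, password_field = fields[0], fields[1]
        if password_field == "":
            found.append(user)
    return found


def suspicious_sources(log_text, threshold=3):
    """Map source address -> sorted list of watched accounts it failed to log in to,
    keeping only sources that tried at least `threshold` distinct watched accounts.
    That pattern (one host walking through lp, guest, demos, ...) is the automated
    sweep the note describes; a single failed login to one account is not flagged.
    """
    per_source = {}
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        user = match.group("user")
        if user in WATCHED_ACCOUNTS:
            per_source.setdefault(match.group("src"), set()).add(user)
    return {
        src: sorted(users)
        for src, users in per_source.items()
        if len(users) >= threshold
    }


if __name__ == "__main__":
    for user in unpassworded_accounts(SAMPLE_PASSWD):
        print("no password set:", user)
    for src, users in suspicious_sources(SAMPLE_LOG).items():
        print("default-account sweep from", src, "->", ", ".join(users))
```

On a real system the first function would be fed the contents of /etc/passwd (and, where shadow passwords are in use, the shadow file, since an "x" there only says a shadow entry exists); any name it returns should be disabled or given a password as the note recommends. The second function is deliberately threshold-based so that one mistyped login does not generate an alert, while a host cycling through several of the default names does.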
This document is available from: http://www.cert.org/incident_notes/IN-98.01.irix.html

CERT/CC Contact Information

Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY Conditions for use, disclaimers, and sponsorship information
Copyright 1998 Carnegie Mellon University.