HTML-version by Markus Hübner

We have seen incidents in which intruders obtain password files from sites and then try to compromise accounts by cracking passwords. Once intruders gain access to a user account, they attempt to gain root access through a cracked root password or by exploiting another vulnerability.

These incidents point to the need for system administrators to adequately defend their systems from this type of attack. We urge you to do the following.

1. Protect your password file so that an intruder cannot obtain a copy of it.

2. Ensure that good passwords are selected so that they cannot easily be cracked, or use a technology in which passwords are not located in the password file.

3. Ensure that you are up-to-date with security patches and workarounds.

4. Watch for unusual activity.

More specifically, here are steps you can take to minimize the possibility that your password file (with passwords in it) can fall into the hands of an intruder.

1. Protect your password file.

• Use a shadow password. Under a shadow password system, the /etc/passwd file does not have encrypted passwords in the password field. Instead, the encrypted passwords are held in a shadow file that is not world-readable. Consult your system manuals to determine whether or not a shadow password capability is available on your system and to get information on how to set up and manage such a facility.

• Use a technology, such as one-time passwords or Kerberos, that does not rely on having passwords in the password file.
  For more information on one-time passwords, see Appendix B in
  ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

• Ensure that you are up-to-date with sendmail and are using smrsh. Some sendmail vulnerabilities can be exploited by intruders to obtain a copy of a password file.
  Information on known sendmail vulnerabilities can be obtained from:
  ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
  ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supplement
  ftp://info.cert.org/pub/cert_advisories/CA-93:16a.README
  ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities
  ftp://info.cert.org/pub/cert_advisories/CA-95:05.README
  ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
  ftp://info.cert.org/pub/cert_advisories/CA-95:08.README
  ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
  ftp://info.cert.org/pub/cert_advisories/CA-95:11.README
  ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul
  ftp://info.cert.org/pub/cert_advisories/CA-95:13.README
  ftp://info.cert.org/pub/cert_advisories/CA-96.04.corrupt_info_from_servers
  ftp://info.cert.org/pub/cert_advisories/CA-96.04.README
  The smrsh program can be obtained from
  ftp://info.cert.org/pub/tools/smrsh/
  smrsh is also included in the sendmail 8.7.5 distribution.

• If you are using the NCSA httpd 1.5a-export and APACHE httpd 1.0.3 (and previous versions), ensure that you have followed the advice in the advisory listed below.
  ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

• To help defend your site from NIS-based attacks, you may wish to install a portmapper/rpcbind replacement that has access control built in. Note that an attacker may still be able to find the portnumber of the NIS server by scanning all privileged ports of the target machine. While the portmapper replacement won't defend you from this attack, effective packet filtering can defend you and effective logging will alert you to any attack in progress. To deny access to the NIS server you have to block all privileged portnumbers (all portnumbers less than 1024) on your router except those "well known" services you need and that are on fixed portnumbers (like telnet and ftp). A replacement for portmapper/rcpbind that has access control and logging is available from
  ftp://ftp.win.tue.nl/pub/security/portmap_3.BLURB
  ftp://ftp.win.tue.nl/pub/security/portmap_3.shar.Z
  ftp://ftp.win.tue.nl/pub/security/portmap_3.shar.Z.asc
  ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.README
  ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.tar.Z
  ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.tar.Z.asc

• Ensure that your anonymous ftp area is configured correctly. Intruders frequently exploit an ftp area that is not correctly configured to obtain the password file of the ftp server. For more information on configuring your ftp server, see the document "Anonymous FTP Configuration Guidelines" available at
  ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_config

2. Ensure that the passwords being used on accounts cannot easily be guessed or cracked by intruders.

You may wish to verify that good passwords are being selected at your site (in accordance with your organization's policies and procedures). Crack is a tool you can use to do this. It is a freely available program designed to identify standard UNIX DES encrypted passwords that can be found in widely available dictionaries by standard guessing techniques outlined in the Crack documentation.

Crack is available by anonymous FTP from

ftp://info.cert.org/pub/tools/crack

3. Ensure that you are up-to-date with patches and workarounds on your machines.

Keeping up-to-date can help minimize the likelihood that you will be root compromised if user accounts are compromised. For information about the latest patches and workarounds, contact your vendor. You can also find information in

ftp://info.cert.org/pub/latest_sw_versions

4. Watch for unusual activity.

Use all of the logging facilities available, including wtmp, syslog, and process accounting. Use tcp wrappers and log all connection attempts for all services made available via inetd. Examine these logs looking for suspicious activity. One tool that is available to analyze syslog files is SWATCH. It is available at

ftp://ftp.stanford.edu/general/security-tools/swatch

Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

The CERT Coordination Center is sponsored by the Defense Advanced Research Projects Agency (DARPA). The Software Engineering Institute is sponsored by the U.S. Department of Defense.