[foxboro] Our AW51 (Solaris) Got a Virus/Worm

Hey List,

I thought I would let you know what has happened to our AW51, since many of
you may have security concerns.  We found out the hard way that Unix is also
vulnerable to virus/worm risks.

First, let me preface that our AW51 is a stand-alone unit, is used for
engineering purposes only (not used for control), and is directly on the
internet.  We knew the risk of putting it directly on the internet.  So, I
suspect that AW51s that are not connected to LANs or are behind firewalls
should be OK.  I don't mean to alarm anybody, but I thought "you should
know".

The virus/worm we got is a variant of sadmin/IIS worm.  Apparently it
exploits a buffer overflow on "sadmin", which is a program used to remotely
administrate the Solaris system.  Without the patch, and if you have Solaris
version 2.3 - 2.7, you are at risk.  To find out which Solaris version you
have, use "uname -a".

We were able to identify the virus with the following characteristics:
        1. new files: /usr/bin/wget ; /usr/bin/pico ; /usr/bin/bash
        2. /usr/sbin/syslogd was replaced with a new syslogd program of
           different size.
        3. two new users were added to the system: "pd" and "pdr", one of
           which had root access.
If you are interested in more details about a variant of this virus, check
out these web sites:
http://www.giac.org/practical/GCIH/Yan_Noblot_GCIH.pdf
http://craiu.pcnet.ro/papers/papers/sadmind.html

We have fixed the sadmin buffer overflow problem with Sun patch: 108658-02
You can get this patch at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage


Now for the bigger picture....
In researching this virus, I have come across other vulnerabilities with our
current SunOS, such as vulnerabilities with Sun's ToolTalk, and Calendar
Messenger service.
Foxboro "out of the box", pre-installed software does not have the required
Sun patches to make it secure.
So the bigger rhetorical questions are:

1. Does Foxboro have a list of recommended Sun patches that have been tested
to work with I/A?
2. Does Foxboro install the latest patches in the factory before sending out
the product?
3. Does the install-CD (Day 0) include the most current Sun patches?
4. Does Foxboro have a procedure to ensure that I/A users know about
security holes and Patches that are highly recommended from Sun?

In the past year, because of high-profile viruses, we have all got
accustomed to taking the time and effort to keep our Windows computers
secure by ensuring that we have the most up-to-date patches from Microsoft.

Perhaps we should do the same with our AW51s.  And, perhaps, Foxboro should
help.

Regards,
Mark Dumond
Sr App Engineer
FeedForward, Inc.
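The three indicators Mark lists (dropped files, a replaced syslogd, the "pd"/"pdr" accounts) can be turned into a quick triage check. The script below is an added example, not part of the original post; the paths and user names come from the post, the baseline checksum is assumed to have been recorded from a known-good system, and the demo fixture is a constructed stand-in so it runs offline. On a real host, run it from trusted media, since a replaced binary means the host's own tools cannot be trusted.

```shell
#!/bin/sh
# Report how many of the post's indicators are present (count on stdout,
# details on stderr).
#   $1 = passwd file, $2 = syslogd binary, $3 = cksum recorded from a
#   known-good syslogd (assumed baseline), remaining args = dropped-file paths
check_indicators() {
  passwd_file=$1; syslogd=$2; expected=$3; shift 3
  findings=0
  # 1. files that should not exist on a stock AW51
  for f in "$@"; do
    if [ -e "$f" ]; then
      echo "FOUND dropped file: $f" >&2
      findings=$((findings + 1))
    fi
  done
  # 2. syslogd replaced: compare against the trusted baseline checksum
  actual=$(cksum "$syslogd" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "CHANGED $syslogd (cksum $actual, expected $expected)" >&2
    findings=$((findings + 1))
  fi
  # 3. the two accounts the worm added; uid 0 means root-equivalent
  for u in pd pdr; do
    line=$(grep "^$u:" "$passwd_file" || true)
    if [ -n "$line" ]; then
      uid=$(printf '%s\n' "$line" | cut -d: -f3)
      echo "FOUND account $u (uid $uid)" >&2
      findings=$((findings + 1))
    fi
  done
  echo "$findings"
}

# Constructed fixture imitating the compromised host described in the post.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/usr/bin" "$tmp/usr/sbin"
  printf 'root:x:0:0:Super-User:/:/sbin/sh\n' > "$tmp/passwd"
  printf 'pd:x:0:1:pd:/:/usr/bin/bash\npdr:x:1001:1:pdr:/:/usr/bin/bash\n' >> "$tmp/passwd"
  printf 'original syslogd\n' > "$tmp/usr/sbin/syslogd"
  baseline=$(cksum "$tmp/usr/sbin/syslogd" | cut -d' ' -f1)   # taken while clean
  printf 'trojaned syslogd, different size\n' > "$tmp/usr/sbin/syslogd"
  : > "$tmp/usr/bin/wget"; : > "$tmp/usr/bin/bash"             # pico absent
  n=$(check_indicators "$tmp/passwd" "$tmp/usr/sbin/syslogd" "$baseline" \
        "$tmp/usr/bin/wget" "$tmp/usr/bin/pico" "$tmp/usr/bin/bash")
  rm -rf "$tmp"
  echo "$n"
}
```

Running `demo` reports 5 indicators: two dropped files, the changed syslogd, and both accounts (pd with uid 0).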

 
 
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
 
foxboro mailing list:             http://www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
 