Re: [foxboro] Our AW51 (Solaris) Got a Virus/Worm
- From: "Corey R Clingo" <clingoc@xxxxxxxxxxxxx>
- To: foxboro@xxxxxxxxxxxxx
- Date: Wed, 19 Nov 2003 09:37:58 -0600
Older, unpatched Solaris versions are Swiss cheese, as far as security
goes. I'm not surprised your AW51 got cracked. The worms/rootkits for
Unix are not as plentiful as for Windoze, but they are out there.
From my own experience, Foxboro, like many other control system vendors,
has not cared much about security in the past. The Art Arruda (I think he
authored it) "securing your system" document, and Foxboro's general
recommendation to use firewalls, was about the extent of it. I seem to
recall a comment from an Invensys person at a session at the last
international user group meeting to the effect that system security was the
users' responsibility (which is true to a large extent, but the system
vendor still bears some responsibility as well).
Recently, however, because of recent geopolitical events and almost weekly
patches from Microsoft, the issue has become too large and public for
Invensys to ignore. They now have a recommended patch list for Windoze
boxes on the CSC web site, and they appear to be current through
mid-October. I haven't seen anything for Solaris yet (another omen,
perhaps?).
Having said that, you are never going to see the latest OS vendor patches
from Invensys, either on Day 0 CDs or on the web site. They have to test
those patches just like any other responsible vendor of IT. But it appears
that now Invensys is going to have to devote more resources to that task --
or switch to a more inherently secure OS (and that ain't gonna happen).
And even if you don't use the box for control, it still can be a problem.
The Trojaned box could be used to launch attacks against other systems. So
security in layers is still advisable. Patch the machine to the extent you
can. AND use firewalls. AND look at the system and firewall logs
regularly. AND scan it periodically with something like Tripwire to find
any modified binaries. AND enforce good passwords. AND...AND...AND...it
never ends. :)
Corey Clingo
BASF Corp.
From: "Mark Dumond" <mdumond@mindspring.com>
Sent by: foxboro-bounce@freelists.org
Date: 11/18/2003 11:29 AM
To: foxboro
Subject: [foxboro] Our AW51 (Solaris) Got a Virus/Worm
Hey List,
I thought I would let you know what has happened to our AW51, since many of
you may have security concerns. We found out the hard way that Unix is also
vulnerable to virus/worm risks.
First, let me preface that our AW51 is a stand-alone unit, is used for
engineering purposes only (not used for control), and is directly on the
internet. We knew the risk of putting it directly on the internet. So, I
suspect that AW51s that are not connected to LANs or are behind firewalls
should be OK. I don't mean to alarm anybody, but I thought "you should
know".
The virus/worm we got is a variant of sadmin/IIS worm. Apparently it
exploits a buffer overflow on "sadmin", which is a program used to remotely
administrate the Solaris system. Without the patch, and if you have Solaris
version 2.3 - 2.7, you are at risk. To find out which Solaris version you
have, use "uname -a".
We were able to identify the virus with the following characteristics:
1. new files: /usr/bin/wget ; /usr/bin/pico ; /usr/bin/bash
2. /usr/sbin/syslogd was replaced with a new syslogd program of
different size.
3. two new users were added to the system: "pd" and "pdr", one of
which had root access.
If you are interested in more details about a variant of this virus, check
out these web sites:
http://www.giac.org/practical/GCIH/Yan_Noblot_GCIH.pdf
http://craiu.pcnet.ro/papers/papers/sadmind.html
We have fixed the sadmin buffer overflow problem with Sun patch: 108658-02
You can get this patch at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage
Now for the bigger picture....
In researching this virus, I have come across other vulnerabilities with our
current SunOS, such as vulnerabilities with Sun's ToolTalk, and Calendar
Messenger service.
Foxboro "out of the box", pre-installed software does not have the required
Sun patches to make it secure.
So the bigger rhetorical questions are:
1. Does Foxboro have a list of recommended Sun patches that have been tested
to work with I/A?
2. Does Foxboro install the latest patches in the factory before sending out
the product?
3. Does the install-CD (Day 0) include the most current Sun patches?
4. Does Foxboro have a procedure to ensure that I/A users know about
security holes and Patches that are highly recommended from Sun?
In the past year, because of high-profile viruses, we have all got
accustomed to taking the time and effort to keep our Windows computers
secure by ensuring that we have the most up-to-date patches from Microsoft.
Perhaps we should do the same with our AW51s. And, perhaps, Foxboro should
help.
Regards,
Mark Dumond
Sr App Engineer
FeedForward, Inc.
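As an added illustration of the Tripwire-style scan Corey recommends and the three indicators Mark listed (new binaries, a replaced syslogd, new accounts with root access), here is a small baseline-and-compare check written for this thread; it is not from either poster or from Foxboro. The file contents and passwd lines are constructed sample data, and the paths and user names mirror the ones in Mark's report.

```python
"""Baseline-and-compare integrity check: snapshot file hashes and /etc/passwd
entries on a known-good system, re-snapshot later, and report differences."""
import hashlib

def passwd_entries(passwd_text):
    """Parse /etc/passwd-format text into {username: uid}."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#"):
            users[fields[0]] = int(fields[2])
    return users

def snapshot_files(files):
    """files is {path: bytes}; returns {path: (size, sha256 hex digest)}."""
    return {p: (len(b), hashlib.sha256(b).hexdigest()) for p, b in files.items()}

def compare(base_files, cur_files, base_users, cur_users):
    """Return human-readable findings: new/missing/modified files, new or
    escalated accounts. A size-only check would miss a same-size replacement,
    so the hash is what decides 'modified'; size is reported for context."""
    findings = []
    for p in sorted(set(cur_files) - set(base_files)):
        findings.append(f"new file: {p}")
    for p in sorted(set(base_files) - set(cur_files)):
        findings.append(f"missing file: {p}")
    for p in sorted(set(base_files) & set(cur_files)):
        (bsize, bhash), (csize, chash) = base_files[p], cur_files[p]
        if bhash != chash:
            findings.append(f"modified: {p} (size {bsize} -> {csize})")
    for u in sorted(set(cur_users) - set(base_users)):
        tag = " with uid 0 (root)" if cur_users[u] == 0 else ""
        findings.append(f"new user: {u}{tag}")
    for u in sorted(set(base_users) & set(cur_users)):
        if cur_users[u] == 0 and base_users[u] != 0:
            findings.append(f"uid changed to 0: {u}")
    return findings

# Constructed sample data standing in for real file contents and /etc/passwd.
BASE_FILES = {"/usr/bin/ls": b"ls-binary", "/usr/sbin/syslogd": b"syslogd-original"}
CUR_FILES = {"/usr/bin/ls": b"ls-binary", "/usr/sbin/syslogd": b"syslogd-trojaned-bigger",
             "/usr/bin/wget": b"wget", "/usr/bin/pico": b"pico", "/usr/bin/bash": b"bash"}
BASE_PASSWD = "root:x:0:0:root:/:/sbin/sh\nfox:x:100:100::/home/fox:/bin/sh\n"
CUR_PASSWD = BASE_PASSWD + "pd:x:0:0::/:/bin/sh\npdr:x:1001:1001::/:/bin/sh\n"

def run_demo():
    """Compare the constructed 'after' state against the constructed baseline."""
    return compare(snapshot_files(BASE_FILES), snapshot_files(CUR_FILES),
                   passwd_entries(BASE_PASSWD), passwd_entries(CUR_PASSWD))

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

On a real host the baseline must be stored off the box (or on read-only media), since a compromised system can rewrite both the binaries and the baseline.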
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
foxboro mailing list: http://www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave