Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uflorida!uakari.primate.wisc.edu!aplcen!decuac!avolio
From: avolio@decuac.DEC.COM (Frederick M. Avolio)
Newsgroups: comp.unix.ultrix
Subject: Re: UNOFFICIAL SECURITY NOTIFICATION
Message-ID: <2781@decuac.DEC.COM>
Date: 18 Oct 89 14:20:58 GMT
References: <2780@decuac.DEC.COM>
Sender: news@decuac.DEC.COM
Reply-To: avolio@decuac.DEC.COM (Frederick M. Avolio)
Organization: Digital Equipment Corporation, SWS, Landover, MD
Lines: 22

More unofficial suggested steps (these from a CERT Advisory):

1) Check for a bogus /usr/bin/login. The sum program reports:
   27379 67 for VAX/Ultrix 3.0

2) Check for a bogus /usr/etc/telnetd. The sum program reports:
   23552 47 for VAX/Ultrix 3.0

3) Look for .savacct in either /usr/etc or in users' directories.
   This may be the file that the new login program creates. It
   could have a different name on your system.

4) Upgrade to Ultrix 3.1 ASAP.

5) Monitor accounts for users having passwords that can be found in
   the /usr/dict/words file or have simple passwords like a person's
   name or their account name.

6) Search through the file system for programs that are setuid root.

7) Disable or modify the tftpd program so that anonymous access to
   the file system is prevented.
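
The file checks in steps 1, 2, 3 and 6, as an added example that is not part of the original post or of the CERT advisory. It is written for a POSIX shell; the function names and the ROOT argument are assumptions of the example, and the comparison is only meaningful if the local sum uses the same algorithm and block size as the one that produced the VAX/Ultrix 3.0 values above.

```shell
#!/bin/sh
# Added example: automates checks 1, 2, 3 and 6 from the post above.
# Assumption: the local `sum` uses the same algorithm and block size as the
# one that produced the values quoted for VAX/Ultrix 3.0.

# sum_matches FILE "CHECKSUM BLOCKS": 0 = match, 1 = mismatch, 2 = no file
sum_matches() {
    [ -f "$1" ] || return 2
    actual=`sum "$1" | awk '{print $1, $2}'`
    [ "$actual" = "$2" ]
}

# find_savacct ROOT: print .savacct files under ROOT/usr/etc and under the
# home directories (field 6) listed in ROOT/etc/passwd
find_savacct() {
    {
        echo "$1/usr/etc"
        if [ -f "$1/etc/passwd" ]; then
            awk -F: -v r="$1" '$6 != "" { print r $6 }' "$1/etc/passwd"
        fi
    } | sort -u | while read -r dir; do
        if [ -d "$dir" ]; then find "$dir" -name .savacct -print; fi
    done | sort -u
}

# find_setuid DIR [OWNER]: print setuid files owned by OWNER (default root)
find_setuid() {
    find "$1" -type f -user "${2:-root}" -perm -4000 -print 2>/dev/null
}

# audit ROOT: one line per finding; ROOT is / for the live system
audit() {
    for pair in "usr/bin/login:27379 67" "usr/etc/telnetd:23552 47"; do
        file=${pair%%:*} want=${pair#*:}
        if sum_matches "$1/$file" "$want"; then
            echo "ok       /$file"
        else
            echo "SUSPECT  /$file (sum is not $want, or file missing)"
        fi
    done
    find_savacct "$1" | sed 's/^/SUSPECT  /'
    find_setuid "$1" | sed 's/^/setuid   /'
}

# Runs only when a root directory is given, e.g.: sh audit.sh /
if [ $# -gt 0 ]; then audit "$1"; fi
```

The setuid lines are an inventory to review against what the system is expected to ship, not findings in themselves. Step 3 warns that the dropped file could have a different name, so an empty .savacct result does not clear a host.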