Advisories : Unauthorized Password Change Requests Via Mail Mes

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : Unauthorized Password Change Requests Via Mail Mes

Title:	Unauthorized Password Change Requests Via Mail Mes
Released by:	CERT
Date:	4th April 1991
Printable version:	Click here

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



- ---------------------------------------------------------------------------

CA-91:03

Last Revised:  September 18,1997

                Attached copyright statement



        

                               CERT Advisory

                               April 4, 1991

                    Unauthorized Password Change Requests

                             Via Mail Messages



- ---------------------------------------------------------------------------



DESCRIPTION:



The Computer Emergency Response Team/Coordination Center (CERT/CC) has

received a number of incident reports concerning the receipt of mail

instructing the user to immediately change his/her password.  The user

is further instructed to change the password to one that is specified in

the mail message. 



These mail messages can be made to look as if they have been sent from

a site administrator or root.  In reality, they may have been sent by 

an individual at a remote site, who is trying to gain access to the 

local machine via the user's account.



Several variations of these mail messages are circulating via the Internet 

community.  We are including one such example at the end of this

advisory.





IMPACT:



An intruder can gain access to a system through the unauthorized

use of the (possibly privileged) accounts whose passwords have been 

changed.





SOLUTION:



The CERT/CC recommends the following actions:



    1)  Any user receiving such a message should verify its authenticity

        with his/her system administrator before acting on the instructions

        within the mail message.  If a user has changed his/her password

        per the instructions, he/she should immediately change it again 

        to a secure password and alert his/her system administrator.



    2)  System administrators should check with their user communities

        to ensure that no user has changed his/her password in response to

        one of these mail messages.  If this has occurred, immediately

        have the password changed again.  Further, the system should be

        carefully examined for damage, or changes that may have been

        caused by the intruder.  We also ask that you please contact the

        CERT/CC.



    3)  The CERT/CC recommends that system administrators NEVER mail

        such a request to a user.  That is, NEVER send a request for

        a password change to a user and also specify the new password

        that should be used. 





- ---------------------------------------------------------------------------

SAMPLE MAIL MESSAGE as received by the CERT (including spelling errors, etc.)



    :



  {mail header which may or may not be local} 



    :



This is the system administration:



     Because of security faults, we request that you change your password

     to "systest001". This change is MANDATORY and should be done IMMEDIATLY.

     You can make this change by typing "passwd" at the shell prompt. Then,

     follow the directions from there on.



     Again, this change should be done IMMEDIATLY. We will inform you when

     to change your password back to normal, which should not be longer than

     ten minutes.



                Thank you for your cooperation,



                 The system administration (root)





END OF SAMPLE MAIL MESSAGE

- ---------------------------------------------------------------------------





If you believe that your system has been compromised, contact CERT/CC via

telephone or e-mail.



Computer Emergency Response Team/Coordination Center (CERT/CC)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890



Internet E-mail: cert@cert.org

Telephone: 412-268-7090 24-hour hotline:

           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,

           on call for emergencies during other hours.



Past advisories and other computer security related information are available

for anonymous ftp from the cert.org (192.88.209.5) system.



- ----------------------------------------------------------------------





Copyright 1991 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



CERT is registered in the U.S. Patent and Trademark Office.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Revision History:



September 18,1997  Attached Copyright Statement

















-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBS871r9kb5qlZHQEQJYAQCfZwelCrCrowDO+RXFuV7fP1cih/AAoNxC

4ep/G9bVn+RElZia2X2j6oXV

=hdcV

-----END PGP SIGNATURE-----