We have seen incidents in which intruders obtain password files from sites and then try to compromise accounts by cracking passwords. Once intruders gain access to a user account, they attempt to gain root access through a cracked root password or by exploiting another vulnerability.
These incidents point to the need for system administrators to adequately defend their systems from this type of attack. We urge you to do the following.
For more information on one-time passwords, see Appendix B in
ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
Information on known sendmail vulnerabilities can be obtained from:
ftp://info.cert.org/pub/tools/smrsh/
smrsh is also included in the sendmail 8.7.5 distribution.
ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
http://www.cert.mil/techtips/anonymous_ftp_config
You may wish to verify that good passwords are being selected at your site (in accordance with your organization's policies and procedures). Crack is a tool you can use to do this. It is a freely available program designed to identify standard UNIX DES-encrypted passwords that can be recovered from widely available dictionaries using the standard guessing techniques outlined in the Crack documentation.
Crack is available by anonymous FTP from
ftp://info.cert.org/pub/tools/crack
Keeping up to date can help minimize the likelihood that a compromised user account will lead to a root compromise. For information about the latest patches and workarounds, contact your vendor. You can also find information in
ftp://info.cert.org/pub/latest_sw_versions
Use all of the logging facilities available, including wtmp, syslog, and process accounting. Use tcp wrappers and log all connection attempts for all services made available via inetd. Examine these logs for suspicious activity. One tool that is available to analyze syslog files is SWATCH. It is available at
ftp://ftp.stanford.edu/general/security-tools/swatch
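The kind of check SWATCH would be configured to run, shown here as an added example that is not part of the original tech tip or of SWATCH itself: it scans constructed syslog lines (login failures and tcp_wrappers "refused connect" entries) and raises an alert for any source host with repeated failures, attempts against root, or refused connections. The log formats, hosts and threshold are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real logs): login failures and
# tcp_wrappers "refused connect" entries, as recommended above.
SAMPLE_SYSLOG = """\
Mar  4 02:11:05 host1 login[1234]: FAILED LOGIN 1 FROM 192.0.2.10 FOR root, Authentication failure
Mar  4 02:11:09 host1 login[1234]: FAILED LOGIN 2 FROM 192.0.2.10 FOR root, Authentication failure
Mar  4 02:11:14 host1 login[1234]: FAILED LOGIN 3 FROM 192.0.2.10 FOR root, Authentication failure
Mar  4 02:11:20 host1 login[1240]: FAILED LOGIN 1 FROM 192.0.2.10 FOR alice, Authentication failure
Mar  4 02:12:01 host1 in.telnetd[1251]: refused connect from 192.0.2.10
Mar  4 02:12:02 host1 in.ftpd[1252]: refused connect from 192.0.2.10
Mar  4 02:30:44 host1 login[1300]: FAILED LOGIN 1 FROM 198.51.100.7 FOR bob, Authentication failure
Mar  4 02:31:00 host1 login[1301]: LOGIN ON ttyp2 BY bob FROM 198.51.100.7
"""

FAILED_LOGIN = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")
REFUSED = re.compile(r"refused connect from (\S+)")

def analyze(log_text, fail_threshold=3):
    """Count failed logins and refused connections per source host and
    raise an alert for hosts that exceed the threshold or target root."""
    failures = Counter()          # source host -> number of failed logins
    targeted = defaultdict(set)   # source host -> accounts tried
    refused = Counter()           # source host -> connections refused by tcpd
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            host, user = m.groups()
            failures[host] += 1
            targeted[host].add(user)
            continue
        m = REFUSED.search(line)
        if m:
            refused[m.group(1)] += 1
    alerts = []
    for host, n in failures.items():
        if n >= fail_threshold or "root" in targeted[host]:
            alerts.append(f"{host}: {n} failed logins for {sorted(targeted[host])}")
    for host, n in refused.items():
        alerts.append(f"{host}: {n} connections refused by tcp wrappers")
    return {"failures": dict(failures), "refused": dict(refused),
            "targeted": {h: sorted(u) for h, u in targeted.items()},
            "alerts": sorted(alerts)}

if __name__ == "__main__":
    for alert in analyze(SAMPLE_SYSLOG)["alerts"]:
        print("ALERT", alert)
```

The single successful login for bob after one failure produces no alert; the host that cycles through root and then another account, and is then refused by tcpd, produces two.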