HP3000-L Archives

January 2005, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "John K." <[log in to unmask]>
Reply To: John K.
Date: Mon, 24 Jan 2005 02:36:14 -0500
Content-Type: text/plain

Going way back to the "Classic" days...

I am only aware of one "virus" which successfully infected a network of HP
3000s, and that was back in the "Classic" days.  Please note that the virus
would NOT run on later versions of MPE V and would NOT run on MPE/XL or
MPE/iX, so there is no danger that the virus would run today.

Since this is a public forum, I won't post the details here, just a brief
overview.  If you are curious as to the details, please email me
directly.  If you are someone I know or you regularly post here I'll send
you the details.

The "virus" exploited a bug in MPE and weaknesses in HPDESK.  The MPE bug
was immediately reported to HP, and very quickly fixed by HP.

Basically, the code used HPDESK to find connected systems, then exploited
the MPE bug, weaknesses in HPDESK, and where possible, default passwords to
compromise the remote system.

Anyway, Management decided that it would be good to see just how dangerous
the bug and HPDESK weaknesses were by having the systems programmers do a
"proof of concept" and try to compromise as many of the HP 3000 systems in
their network as possible.

After a few days the code was ready and a test was scheduled.  The code was
launched on one HP 3000 and...

The management was not happy with the speed at which the virus propagated
through the network.  Basically, every machine in the network had been
infected in less than five minutes' time.

The biggest lesson they learned was to NEVER use the default HPDESK,
SUPPORT, TELESUP, CSL3000, HPOFFICE, HPPL85, HPPL87, HPPL89, HPWORD,
ITF3000, etc. account and user passwords (those machines were the easiest
and fastest to compromise).  Of course, that applies to any HP or vendor
account, but in the case of the HPDESK account and its use of NS, it was
particularly important.

Many policy changes were made in the aftermath of the test - mainly making
sure that EVERY password was changed from its default at system
installation, EVERY password was routinely changed, EVERY account had a
password, EVERY user had a password, and EVERY group had a password.

John
*** When replying to this message, please do not delete these ***
*** signature lines. Otakon Katsucon HP3000-L @classiccmp.org ***

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
