CERT ADVISORY FOR ALL USERS
 
      The Computer Emergency Response Team/Coordination Center (CERT/CC)
has received several incident reports concerning users receiving requests
to take an action that results in the capturing of their password.  The
request could come in the form of an e-mail message, a broadcast, or a
telephone call.  The latest ploy instructs the user to run a "test"
program, previously installed by the intruder, which will prompt the
user for their password.  When the user executes the program, the
user's name and password are e-mailed to a remote site.
      These messages can appear to be from a site administrator or root.
In reality, they may have been sent by an individual at a remote site,
who is trying to gain access or additional access to the local machine
via the user's account.
      An intruder can gain access to a system through the unauthorized
use of the (possibly privileged) accounts whose passwords have been
compromised.
 
SAMPLE MESSAGE
      Following is a sample message as received by the CERT (including
spelling errors, etc.).
 
--------------------------------------------------------------------------
 
  OmniCore is experimenting in online - high resolution graphics
  display on the UNIX BSD 4.3 system and it's derivitaves. But, we
  need you're help in testing our new product - TurboTetris.
  So, if you are not to busy, please try out the ttetris game in your
  machine's /tmp directory. just type:
 
  /tmp/ttetris
 
  Because of the graphics handling and screen-reinitialazation, you will
  be prompted to log on again. Please do so, and use your real password.
  Thanks you for your support. You'll be hearing from us soon!
 
 
            OmniCore
 
END OF SAMPLE MESSAGE
-----------------------------------------------------------------------------
 
WHAT TO DO
      If you receive a suspicious message or if you think your system has
been compromised, contact the UKCC Security Officer, Jack Coffman, at
257-2273, uka051@ukcc.uky.edu, immediately.