SUMMARY: Cracker trail?

From: Ross.Stocks.INSDRS01@nt.com
Date: Tue Apr 18 1995 - 15:17:55 CDT


What a great resource. And fast, too. Much faster than me in fact.
But here is my summary, late though it is.

========================================================================

Original post:

I have a wizard-wannabe on my network who fancies himself quite the
expert when it comes to circumventing obstacles such as firewalls, etc.

Recently, at his own suggestion as senior analyst of his group, his and
his group's root access was removed.

Shortly afterwards I found evidence suggesting, though not proving that
he had acquired root again. (Some unknown person had remote logged in
as root from his machine).

I changed the passwd again and the following morning saw several
unsuccessful su attempts from his machine.

Now one of his workstations is behaving oddly. Refusing all rlogin
attempts from apparently all users including root, and from all other
hosts. It responds:

%rlogin docs
Password:
xxxxxxxx
login: setgid: Not owner
Connection closed.

=======================================================================

Most recognized the file corruption straight away, but followed the line
of thought that I started, and assumed the corruption was malicious.
The more humble responses related their own experiences with I/O
(incompetent operator) problems and hit the nail on the head. The
actual cause of the immediate problem was my own mistake in using the
find command. The irony is that the syntax was provided by my suspect.
But I tested the individual parts of the command first, so that sort of
absolves him. At any rate, I intended to chown all of one user's files.
I did indeed chown those files as well as all others on the machine.
Stupid computer should have known that wasn't what I meant!

As I still have the unexplained login attempts, my suspect is still
suspect and I will be incorporating your suggestions.

Thanks for hints and/or sympathy:

minh%codac.codac.telecom.com.au
blymn@awadi.com.au
kevin.sheehan@uniq.com.au
jwright@phy.ucsf.edu
celeste@xs.com
cds@ssds.com
heas@maelsrom.timeplex.com
bern@ti.uni-trier.de (I agree with your <Grumble>. I don't add the
        Reply-To... Some nameserver along the way does that. I know it
        is incorrect hence, my routine inclusion of my email addr in my
        signature. Now if I ran that function...)
matt@uts.edu.au
mikem@centerline.com
kobryhim@pts.mot.com
spev%badger.state.wi.us
hoff%vlsi1.racal.com
wrhea@spd.dsccc.com
citicds!cntower!arash%uunet.uu.net
mattias%txc.com
stephen@networks.com
dfalk%sqwest.bc.ca
raoul%mit.edu
strombrg@uci.edu
jeff%erie.irc.nrc.ca
ft%maxwell.gic.att.com
allyn%allyn.com

Thanks especially for additional hints and tools to try out:

jamesm@matrix.newpaltz.edu
cjudi@nesmgr.nlm.nih.gov
rali%hri.com
pamela%jupiter.legato.com
Dave.Curado%hk.super.net
glenn@uniq.com.au
Birger.Wathne%vest.sdata.no

Regards to all,
Ross
ross.stocks@nt.com
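An added example, not from Ross or any of the respondents above: a small sh script with the two checks that would have separated "my own find/chown went too far" from "somebody has root" on the box in the post. The first keeps a baseline inventory of setuid/setgid binaries (login depends on its setgid bit and its original owner, and "login: setgid: Not owner" is what you see once a blanket chown has taken them away); the second is a dry-run count before any "find DIR -user OLD -exec chown NEW" so a pattern that matches the whole machine is noticed before it runs. The function names, the baseline file and the directory paths in the usage comment are mine, not anything the thread names.

```shell
#!/bin/sh
# Added example; not part of the original thread or of any tool it mentions.
# Written in portable sh with ls/awk rather than GNU-only find -printf so it
# runs on the SunOS hosts of the post as well as on a current Linux box.

# Print owner:group:mode:path for every regular file under $1 that carries
# a setuid (4000) or setgid (2000) bit, sorted so the output diffs cleanly.
list_sxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; \
        | awk '{ print $3 ":" $4 ":" $1 ":" $NF }' | sort
}

# Record a baseline from a known-good state into file $2 (run once; keep the
# file somewhere the box itself cannot rewrite).
save_baseline() {
    list_sxid "$1" > "$2"
}

# Compare the live tree $1 against baseline file $2.  Prints every changed
# line ('<' = as recorded, '>' = as found now).  Returns 0 when the
# setuid/setgid inventory is unchanged, 1 when anything differs.
check_baseline() {
    tmp=$(mktemp) || return 2
    list_sxid "$1" > "$tmp"
    if diff "$2" "$tmp" > /dev/null; then
        rm -f "$tmp"
        return 0
    fi
    diff "$2" "$tmp" | grep '^[<>]'
    rm -f "$tmp"
    return 1
}

# Dry run for a per-user chown: how many entries under $1 does "-user $2"
# select, and how many entries are there in total?  On a shared machine
# the two numbers being equal means the selection is wrong, and the real
# chown must not be run with that pattern.
count_owned() {
    find "$1" -user "$2" -print | wc -l | tr -d ' '
}
count_all() {
    find "$1" -print | wc -l | tr -d ' '
}

# Typical use (root is needed to see every file; paths are placeholders):
#   save_baseline /usr /secure/baseline.sxid      # once, on a known-good box
#   check_baseline /usr /secure/baseline.sxid     # nightly, or when in doubt
#   count_owned /home/fred fred; count_all /home/fred   # before the chown
```

check_baseline only reports that the inventory changed; a setgid bit that disappeared is just as interesting as a new setuid binary, because the former is the signature of the chown accident in the post and the latter is what a backdoor usually looks like.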



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:22 CDT