From daemon Sat Jan  8 20:28:20 1994
Received: by fido.wps.com (5.67/wps.com-hackery)
	id AA18347; Sat, 8 Jan 94 20:28:19 -0800
Date: Sat, 8 Jan 94 20:28:19 -0800
From: root (Root of all evil)
Message-Id: <9401090428.AA18347@wps.com>
To: root
Subject: %%%% wps.com: DENY rshd from bin@battles.HIP.Berkeley.EDU@bin@battles.HIP.Berkeley.EDU
Status: OR

 [battles.HIP.Berkeley.EDU]

 	Finger information access denied for your host

 	Only hosts runing ident server (RFC931) permitted access

From tomj Sun Jan  9 02:04:49 1994
Received: by fido.wps.com (5.67/wps.com-hackery)
	id AA20455; Sun, 9 Jan 94 02:04:41 -0800
From: tomj (Tom Jennings)
Message-Id: <9401091004.AA20455@wps.com>
Subject: Security problem?
To: craig@CS.BERKELEY.EDU, sklower@cs.berkeley.edu
Date: Sun, 9 Jan 1994 02:04:40 -0800 (PST)
Cc: tomj (Tom Jennings)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2267      
Status: OR

Hello, got a security question for you... I'm admin for wps.com.
I got a funny rsh attempt, which my tcp_wrapper caught. I also
found a funny message stuck in my mail queue on another machine I
admin on, tlg.org (both wps and tlg are in WHOIS).

The rsh as user bin bothers me a bit. I poked around in the obvious
places and came up with Peter Shipley as a username. I wrote him
simply asking what was going on. Hopefully it's just an errant
slip-of-the-keystroke.

finger @battles.hip.berkeley.edu says "remote host requires RFC931",
so I finally got around to installing RFC1413 stuff, aka identd.
I still can't finger, though it's certainly possible I just screwed
up!

I'm not too alarmed, angry, etc... and I'm reasonably new at this
admin stuff so I hope this is in line with reasonableness. Thanks!

My connect log, edited to include any berkeley.edu references.

Jan  8 20:25:34 fido fingerd[18317]: connect from shipley@battles.HIP.Berkeley.EDU
Jan  8 20:25:52 fido fingerd[18320]: connect from shipley@battles.HIP.Berkeley.EDU
Jan  8 20:26:45 fido telnetd[18329]: connect from shipley@battles.HIP.Berkeley.EDU
Jan  8 20:28:16 fido rshd[18339]: refused connect from bin@battles.HIP.Berkeley.EDU
Jan  8 20:29:06 fido fingerd[18352]: connect from shipley@battles.HIP.Berkeley.EDU
Jan  8 20:39:29 fido fingerd[18393]: connect from violet.Berkeley.EDU
Jan  8 20:40:04 fido fingerd[18404]: connect from violet.Berkeley.EDU
Jan  8 20:40:20 fido fingerd[18405]: connect from violet.Berkeley.EDU
Jan  8 21:32:16 fido ntalkd[18614]: connect from remarque.Berkeley.EDU

My tcp_wrapper attempts to finger upon connect/service denial. The text
is what I get when I manually finger "@host". (The subject line has a
bad user@host cuz my script is bad!)

Forwarded message:
> From daemon Sat Jan  8 20:28:20 1994
> Date: Sat, 8 Jan 94 20:28:19 -0800
> From: root (Root of all evil)
> Message-Id: <9401090428.AA18347@wps.com>
> To: root
> Subject: %%%% wps.com: DENY rshd from bin@battles.HIP.Berkeley.EDU@bin@battles.HIP.Berkeley.EDU
> 
>  [battles.HIP.Berkeley.EDU]
> 
>  	Finger information access denied for your host
> 
>  	Only hosts runing ident server (RFC931) permitted access
> 


-- 
 Tom Jennings -- tomj@wps.com -- World Power Systems --  San Francisco, Calif.
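
The connect log above is the kind of thing worth scanning automatically rather than reading by eye. Below is an added example, not part of Tom's mail or his tcp_wrapper setup, that parses tcpd-style syslog lines like the ones quoted and flags refused r-service connections, r-service requests under system account names, and bursts of connections from one client. The embedded log lines are copied from the message; the burst thresholds and the account list are assumptions.

```python
import re
from collections import defaultdict

# The tcp_wrapper (tcpd) connect log quoted in the mail, embedded here as a
# fixed test set rather than read from a live syslog.
CONNECT_LOG = """\
Jan  8 20:25:34 fido fingerd[18317]: connect from shipley@battles.HIP.Berkeley.EDU
Jan  8 20:25:52 fido fingerd[18320]: connect from shipley@battles.HIP.Berkeley.EDU
Jan  8 20:26:45 fido telnetd[18329]: connect from shipley@battles.HIP.Berkeley.EDU
Jan  8 20:28:16 fido rshd[18339]: refused connect from bin@battles.HIP.Berkeley.EDU
Jan  8 20:29:06 fido fingerd[18352]: connect from shipley@battles.HIP.Berkeley.EDU
Jan  8 20:39:29 fido fingerd[18393]: connect from violet.Berkeley.EDU
Jan  8 20:40:04 fido fingerd[18404]: connect from violet.Berkeley.EDU
Jan  8 20:40:20 fido fingerd[18405]: connect from violet.Berkeley.EDU
Jan  8 21:32:16 fido ntalkd[18614]: connect from remarque.Berkeley.EDU
"""

# "<month> <day> <hh:mm:ss> <host> <daemon>[<pid>]: [refused ]connect from [user@]client"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"(?P<host>\S+) (?P<daemon>[a-z]+)\[(?P<pid>\d+)\]: "
    r"(?P<verdict>refused connect|connect) from (?:(?P<user>[^@\s]+)@)?(?P<client>\S+)$"
)

R_SERVICES = {"rshd", "rlogind", "rexecd"}            # trust-based, worth a second look
SYSTEM_ACCOUNTS = {"root", "bin", "sys", "daemon", "adm", "uucp"}  # assumed watch list

def parse_line(line):
    """Return a dict for one tcpd log line, or None if it is not a connect record."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    d = m.groupdict()
    # seconds within the month: day plus time of day (month boundaries are ignored)
    secs = int(d["day"]) * 86400 + int(d["hh"]) * 3600 + int(d["mm"]) * 60 + int(d["ss"])
    return {
        "t": secs,
        "daemon": d["daemon"],
        "refused": d["verdict"].startswith("refused"),
        "user": d["user"],            # ident-supplied name, None if the client ran no identd
        "client": d["client"].lower(),
    }

def analyse(log_text, burst_count=4, burst_window=300):
    """Return (kind, client, detail) alerts for the log text.

    kinds: refused_rservice, system_account_rservice, burst
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
        tag = "%s@%s" % (e["user"] or "?", e["client"])
        if e["daemon"] in R_SERVICES:
            if e["refused"]:
                alerts.append(("refused_rservice", e["client"], "%s from %s" % (e["daemon"], tag)))
            if e["user"] in SYSTEM_ACCOUNTS:
                alerts.append(("system_account_rservice", e["client"], "%s as %s" % (e["daemon"], tag)))
    # burst: at least burst_count connects from one client inside burst_window seconds
    for client, evs in by_client.items():
        ts = sorted(x["t"] for x in evs)
        for i in range(len(ts) - burst_count + 1):
            if ts[i + burst_count - 1] - ts[i] <= burst_window:
                alerts.append(("burst", client, "%d+ connects within %ds" % (burst_count, burst_window)))
                break
    return alerts

if __name__ == "__main__":
    for kind, client, detail in analyse(CONNECT_LOG):
        print("%-24s %-28s %s" % (kind, client, detail))
```

On the quoted log this reports three alerts, all for battles.HIP.Berkeley.EDU: the refused rshd, the rshd under the bin account, and the burst of five connects in under four minutes; violet's three fingers stay below the burst threshold.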

From merde.dis.org!shipley@merde.dis.org Sun Jan  9 03:27:44 1994
Received: from soda.Berkeley.EDU by fido.wps.com (5.67/wps.com-hackery)
	id AA20710; Sun, 9 Jan 94 03:27:41 -0800
Received: from merde.dis.org (uucp@localhost) by soda.berkeley.edu (8.6.4/PHILMAIL-1.10) with UUCP id DAA17886 for tomj@wps.com; Sun, 9 Jan 1994 03:16:17 -0800
Received: from localhost.Berkeley.EDU by merde.dis.org (4.1/SMI-4.2)
	id AA20525; Sun, 9 Jan 94 03:11:22 PST
Message-Id: <9401091111.AA20525@merde.dis.org>
To: tomj@wps.com (Tom Jennings)
Subject: Re: hello... 
Phone: (510) 849-2230
Snail-Address: 2560 Bancroft way #51;Berkeley CA 94704-1700
Precedence: special-delivery
In-Reply-To: Your message of Sat, 08 Jan 1994 23:40:06 -0800.
             <9401090740.AA19023@wps.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Id: <20522.758113877.1@merde.dis.org>
Date: Sun, 09 Jan 1994 03:11:17 -0800
From: Peter shipley <shipley@merde.dis.org>
Status: OR

>I got an rsh attempt today from your host (battleship) today. Can you
>tell me what's up?
>

nothing, I got email and a bunch of fingers from a site I was not able
to id so I tried to id it.


		-Pete

From merde.dis.org!shipley@merde.dis.org Sun Jan  9 03:42:52 1994
Received: from soda.Berkeley.EDU by fido.wps.com (5.67/wps.com-hackery)
	id AA20763; Sun, 9 Jan 94 03:42:48 -0800
Received: from merde.dis.org (uucp@localhost) by soda.berkeley.edu (8.6.4/PHILMAIL-1.10) with UUCP id DAA18226 for tomj@fido.wps.com; Sun, 9 Jan 1994 03:35:29 -0800
Received: from localhost.Berkeley.EDU by merde.dis.org (4.1/SMI-4.2)
	id AA20715; Sun, 9 Jan 94 03:34:13 PST
Message-Id: <9401091134.AA20715@merde.dis.org>
To: tomj@fido.wps.com
Precedence: special-delivery
Phone: (510) 849-2230
Snail-Address: 2560 Bancroft way #51;Berkeley CA 94704-1700
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----- =_aaaaaaaaaa0"
Content-Id: <20712.758115248.0@merde.dis.org>
Date: Sun, 09 Jan 1994 03:34:09 -0800
From: Peter shipley <shipley@merde.dis.org>
Status: O

------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <20712.758115248.1@merde.dis.org>

I take it these were you?


------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <20712.758115248.2@merde.dis.org>
Content-Description: Forwarded Message


Return-Path: daemon
Return-Path: <Mailer-Daemon>
Received: by merde.dis.org (4.1/SMI-4.2)
	id AB19922; Sat, 8 Jan 94 23:38:58 PST
Date: Sat, 8 Jan 94 23:38:58 PST
From: Mailer-Daemon (Mail Delivery Subsystem)
Subject: Returned mail: Unable to deliver mail
Message-Id: <9401090738.AB19922@merde.dis.org>
To: Postmaster

   ----- Transcript of session follows -----
<<< expn shipley
<<< expn peter
550 peter... User unknown
<<< exit
500 Command unrecognized
<<< quit

  ----- No message was collected -----


------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <20712.758115248.3@merde.dis.org>
Content-Description: system logs for wps.com



Jan  8 20:28:18 merde fingerd[19251]: finger from host fido.wps.com
Jan  8 21:01:26 merde fingerd[19488]: finger from host fido.wps.com
Jan  8 23:35:23 merde fingerd[19919]: finger from host fido.wps.com 
Jan  9 01:14:38 merde fingerd[20092]: finger from host fido.wps.com 
Jan  9 01:24:05 merde fingerd[20098]: finger from host fido.wps.com 
Jan  9 01:43:06 merde fingerd[20135]: finger from host fido.wps.com 
Jan  9 01:51:48 merde fingerd[20171]: finger from host fido.wps.com 


Jan  8 20:26:45 merde identd[19242]: Connection from fido.wps.com
Jan  8 20:28:14 merde identd[19250]: Connection from fido.wps.com
Jan  8 20:29:04 merde identd[19253]: Connection from fido.wps.com
Jan  8 20:29:05 merde identd[19253]: Successful lookup: 3298 , 79 : shipley
Jan  9 01:15:13 merde identd[20095]: Connection from fido.wps.com
Jan  9 01:15:28 merde identd[20095]: Returned: 2516 , 113 : NO-USER
Jan  9 01:16:08 merde identd[20096]: Connection from fido.wps.com
Jan  9 01:16:19 merde identd[20096]: Returned: 2517 , 113 : NO-USER
Jan  9 01:24:25 merde identd[20100]: Connection from fido.wps.com
Jan  9 01:24:40 merde identd[20100]: Returned: 2581 , 113 : NO-USER
Jan  9 01:30:42 merde identd[20119]: Connection from fido.wps.com
Jan  9 01:31:27 merde identd[20120]: Connection from fido.wps.com
Jan  9 01:31:27 merde identd[20120]: Returned: 1023 , 113 : NO-USER
Jan  9 01:31:35 merde identd[20121]: Connection from fido.wps.com
Jan  9 01:31:35 merde identd[20121]: Returned: 1023 , 113 : NO-USER
Jan  9 01:32:08 merde identd[20122]: Connection from fido.wps.com
Jan  9 01:32:09 merde identd[20122]: Returned: 2666 , 113 : NO-USER
Jan  9 01:32:19 merde identd[20123]: Connection from fido.wps.com
Jan  9 01:32:19 merde identd[20123]: Returned: 2665 , 113 : NO-USER
Jan  9 01:32:27 merde identd[20124]: Connection from fido.wps.com
Jan  9 01:32:27 merde identd[20124]: Returned: 2664 , 113 : NO-USER
Jan  9 01:32:37 merde identd[20119]: Returned: 2666 , 113 : NO-USER
Jan  9 01:34:21 merde identd[20126]: Connection from fido.wps.com
Jan  9 01:34:41 merde identd[20127]: Connection from fido.wps.com
Jan  9 01:34:54 merde identd[20127]: Returned: 2681 , 113 : NO-USER
Jan  9 01:51:18 merde identd[20162]: Connection from fido.wps.com
Jan  9 01:51:34 merde identd[20162]: Successful lookup: 113 , 2713 : sys




------- =_aaaaaaaaaa0--

From tomj Sun Jan  9 12:29:16 1994
Received: by fido.wps.com (5.67/wps.com-hackery)
	id AA22273; Sun, 9 Jan 94 12:29:01 -0800
From: tomj (Tom Jennings)
Message-Id: <9401092029.AA22273@wps.com>
Subject: Re: hello...
To: shipley@merde.dis.org (Peter shipley)
Date: Sun, 9 Jan 1994 12:29:01 -0800 (PST)
Cc: tomj (Tom Jennings)
In-Reply-To: <9401091111.AA20525@merde.dis.org> from "Peter shipley" at Jan 9, 94 03:11:17 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 513       
Status: OR

> 
> >I got an rsh attempt today from your host (battleship) today. Can you
> >tell me what's up?
> >
> 
> nothing, I got email and a bunch of fingers from a site I was not able
> to id so I tried to id it.

But... my site is perfectly DNS'ed, I'm running RFC1413 stuff. I too
peek and poke when I get funny connect attempts (multiple logins from
.MIL sites, etc) using WHOIS, nslookup, etc... but tell me, why an rsh
user bin?


-- 
 Tom Jennings -- tomj@wps.com -- World Power Systems --  San Francisco, Calif.

From tomj Sun Jan  9 12:36:09 1994
Received: by fido.wps.com (5.67/wps.com-hackery)
	id AA22330; Sun, 9 Jan 94 12:35:53 -0800
From: tomj (Tom Jennings)
Message-Id: <9401092035.AA22330@wps.com>
Subject: Re: your mail
To: shipley@merde.dis.org (Peter shipley)
Date: Sun, 9 Jan 1994 12:35:53 -0800 (PST)
Cc: tomj (Tom Jennings)
In-Reply-To: <9401091134.AA20715@merde.dis.org> from "Peter shipley" at Jan 9, 94 03:34:09 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1151      
Status: OR

BTW, all of this below is after the rsh..bin. It's the reason I was
doing it in the first place!


> I take it these were you?

Yup.. the SMTP thing was, I did a bunch of WHOIS', found dis.org, saw
your name, telnet to battles.hip.berkeley.edu 25, 'expn shipley' to
verify I had your username correctly, then I sent off my orig. msg to
you.


> <<< expn shipley
> <<< expn peter
> 550 peter... User unknown
> <<< exit
> 500 Command unrecognized
> <<< quit


These were after the finger failed. It said, "must be running RFC931" so
I re-checked my auth stuff, and was basically debugging why it didn't
work. Never found out. (Ideas?)


> Jan  8 20:28:18 merde fingerd[19251]: finger from host fido.wps.com
[...]
> Jan  9 01:24:40 merde identd[20100]: Returned: 2581 , 113 : NO-USER
> Jan  9 01:30:42 merde identd[20119]: Connection from fido.wps.com
> Jan  9 01:31:27 merde identd[20120]: Connection from fido.wps.com
[...]
> Jan  9 01:51:18 merde identd[20162]: Connection from fido.wps.com
> Jan  9 01:51:34 merde identd[20162]: Successful lookup: 113 , 2713 : sys


-- 
 Tom Jennings -- tomj@wps.com -- World Power Systems --  San Francisco, Calif.

From sklower@vangogh.CS.Berkeley.EDU Sun Jan  9 11:12:22 1994
Received: from vangogh.CS.Berkeley.EDU by fido.wps.com (5.67/wps.com-hackery)
	id AA21977; Sun, 9 Jan 94 11:12:20 -0800
Received: from localhost (sklower@localhost) by vangogh.CS.Berkeley.EDU (8.6.5.Beta10/8.6.3) id LAA14464; Sun, 9 Jan 1994 11:11:47 -0800
Date: Sun, 9 Jan 1994 11:11:47 -0800
From: Keith Sklower <sklower@vangogh.CS.Berkeley.EDU>
Message-Id: <199401091911.LAA14464@vangogh.CS.Berkeley.EDU>
To: craig@cs.berkeley.edu, sklower@cs.berkeley.edu, tomj@wps.com
Subject: Re: Security problem?
Cc: tomj@fido.wps.com
Status: OR

I have forwarded your note to Cliff Frost, who generally pursues
campus cracking attempts, etc.

From randy@psg.com Sun Jan  9 08:50:08 1994
Received: from rip.psg.com by fido.wps.com (5.67/wps.com-hackery)
	id AA21617; Sun, 9 Jan 94 08:50:05 -0800
Received: by rip.psg.com (Smail3.1.28.1 #6)
	id m0pJ3Kz-000308C; Sun, 9 Jan 94 08:50 PST
Message-Id: <m0pJ3Kz-000308C@rip.psg.com>
From: randy@psg.com (Randy Bush)
Subject: Re: BTW...
To: tomj@wps.com (Tom Jennings)
Date: Sun, 9 Jan 1994 08:50:00 -0800 (PST)
In-Reply-To: <9401091011.AA20524@wps.com> from "Tom Jennings" at Jan 9, 94 02:11:02 am
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 223       
Status: OR

> So WPS is virtually bristling with defensive weaponry.

Yes, but we're still sieves.  <sigh>

> I also wrote to berkeley admin explaining the whole thing with
> pertinent tech info.

When that happens, I file with CERT.

From tomj Sun Jan  9 12:46:16 1994
Received: by fido.wps.com (5.67/wps.com-hackery)
	id AA22395; Sun, 9 Jan 94 12:46:04 -0800
From: tomj (Tom Jennings)
Message-Id: <9401092046.AA22395@wps.com>
Subject: Re: BTW...
To: randy@psg.com (Randy Bush)
Date: Sun, 9 Jan 1994 12:46:03 -0800 (PST)
Cc: tomj (Tom Jennings)
In-Reply-To: <m0pJ3Kz-000308C@rip.psg.com> from "Randy Bush" at Jan 9, 94 08:50:00 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1753      
Status: OR

> > So WPS is virtually bristling with defensive weaponry.
> 
> Yes, but we're still sieves.  <sigh>

I was punning... This is how I feel about what I've done:

I know the stuff I've covered is pretty fucking solid. Tripwire on a R/O
diskette, etc. RFC1413, COPS (renamed cobol), proper permissions, good
passwords, etc...

But I left a basement door open somewhere.


> > I also wrote to berkeley admin explaining the whole thing with
> > pertinent tech info.

They responded. Also, I wrote to the person who did it, who is not
unknown to me (surprise). And asked, 'why did you do an rsh user bin'?
He said lamely, I got a bunch of fingers and telnets from a site I
couldn't ID and I was trying to figure out who'. Crock -- his good
friend Flesh is a user here, they converse and hang out all the time,
my DNS and site info is utterly correct, and besides, rshell isn't the
friendliest hello I've ever received.

Basically, he's a cracker. He emailed my frags of his logs, you could
hear the arrogant pride that he'd 'caught' me poking around (SMTP expn
to verify his username, since I could not finger etc), though I did a
bunch of fingers trying to figure out why my identd didn't satisfy his
claimed requirement for rfc931.

I asked again, but your rsh..bin came first, why?

We'll see what the answer is. I figure, it's better to converse
reasonably with him than to immediately alienate him. I have no illusions
of converting people into Right Ways, but I'm not afraid to talk to
assholes and learn what I can.

> When that happens, I file with CERT.

I'll go look in the COPS docs, there's a contact for 'em in there. If you
know it offhand, email sometime...


-- 
 Tom Jennings -- tomj@wps.com -- World Power Systems --  San Francisco, Calif.

From shipley@remarque.berkeley.edu Mon Jan 10 10:46:50 1994
Received: from [128.32.152.164] by fido.wps.com (5.67/wps.com-hackery)
	id AA28498; Mon, 10 Jan 94 10:45:52 -0800
Received: from localhost by remarque.berkeley.edu (8.6.4/1.31)
	id KAA06170; Mon, 10 Jan 1994 10:45:20 -0800
Message-Id: <199401101845.KAA06170@remarque.berkeley.edu>
To: tomj@wps.com (Tom Jennings)
Cc: flesh@wps.com
Subject: Re: hello... 
Precedence: special-delivery
Phone: (510) 849-2230
Snail-Address: 2560 Bancroft way #51;Berkeley CA 94704-1700
Date: Mon, 10 Jan 1994 10:45:18 -0800
From: Evil Pete  <shipley@remarque.berkeley.edu>
Status: OR


>> >I got an rsh attempt today from your host (battleship) today. Can you
>> >tell me what's up?
>> >
>> 
>> nothing, I got email and a bunch of fingers from a site I was not able
>> to id so I tried to id it.
>
>But... my site is perfectly DNS'ed, I'm running RFC1413 stuff. I too
>peek and poke when I get funny connect attempts (multiple logins from
>.MIL sites, etc) using WHOIS, nslookup, etc... but tell me, why an rsh
>user bin?

I was getting email from "flesh" (with an ex-SO of mine) all of a
sudden and I was curious who/where he would get an account (since he
seemed to refuse to give his real name to anyone when I met him).  The
rsh bit is a standard bit to determine what a system is and if he was
still logged on (we were talking of meeting up at a club in SF and
finger was not saying anything)


		-Pete

PS: did you email berkeley or anything, my net connection has all of a sudden
    failed

From tomj Mon Jan 10 12:25:01 1994
Received: by fido.wps.com (5.67/wps.com-hackery)
	id AA28829; Mon, 10 Jan 94 12:24:50 -0800
From: tomj (Tom Jennings)
Message-Id: <9401102024.AA28829@wps.com>
Subject: Re: hello...
To: shipley@remarque.berkeley.edu (Evil Pete)
Date: Mon, 10 Jan 1994 12:24:49 -0800 (PST)
Cc: tomj (Tom Jennings)
In-Reply-To: <199401101845.KAA06170@remarque.berkeley.edu> from "Evil Pete" at Jan 10, 94 10:45:18 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2002      
Status: O

(Fragment from Pete, orig. below)
> the
> rsh bit is a standard bit to determine what a system is and if he was

GIMME A BREAK!! Attempting to execute programs on my side of the
fence is called cracking. I know that you talk to Flesh regularly,
and that email from him at this site is not news, and even if it
was, you could call him on the phone, ask, whatever, or ask me, or
any number of things. None of this is news, I say it for the record.

A local system was taken down by an rsh..bin a week ago. Even if
you never so much as PINGed it, maybe you can understand what that
looks like from here.

I really tried to assume it was as innocent as you claim. Really. Not
only was I unable to come up with any reasonable use of an uninvited
rsh myself, people I talked to were amazed I even considered it.

Sorry if my self-defense has caused you any troubles, but I think what
you did overstepped bounds of reasonableness. 

			Tom Jennings

> 
> 
> >> >I got an rsh attempt today from your host (battleship) today. Can you
> >> >tell me what's up?
> >> >
> >> 
> >> nothing, I got email and a bunch of fingers from a site I was not able
> >> to id so I tried to id it.
> >
> >But... my site is perfectly DNS'ed, I'm running RFC1413 stuff. I too
> >peek and poke when I get funny connect attempts (multiple logins from
> >.MIL sites, etc) using WHOIS, nslookup, etc... but tell me, why an rsh
> >user bin?
> 
> I was getting email from "flesh" (with an ex-SO of mine) all of a
> sudden and I was curious who/where he would get an account (since he
> seemed to refuse to give his real name to anyone when I met him).  The
> rsh bit is a standard bit to determine what a system is and if he was
> still logged on (we were talking of meeting up at a club in SF and
> finger was not saying anything)
> 
> 
> 		-Pete
> 
> PS: did you email berkeley or anything, my net connection has all of a sudden
>     failed
> 


-- 
 Tom Jennings -- tomj@wps.com -- World Power Systems --  San Francisco, Calif.

From shipley@remarque.berkeley.edu Mon Jan 10 10:55:18 1994
Received: from remarque.Berkeley.EDU by fido.wps.com (5.67/wps.com-hackery)
	id AA28531; Mon, 10 Jan 94 10:55:09 -0800
Received: from localhost by remarque.berkeley.edu (8.6.4/1.31)
	id KAA06323; Mon, 10 Jan 1994 10:55:07 -0800
Message-Id: <199401101855.KAA06323@remarque.berkeley.edu>
To: tomj@wps.com (Tom Jennings), flesh@wps.com
Subject: hey
Precedence: special-delivery
Phone: (510) 849-2230
Snail-Address: 2560 Bancroft way #51;Berkeley CA 94704-1700
Date: Mon, 10 Jan 1994 10:55:05 -0800
From: Evil Pete  <shipley@remarque.berkeley.edu>
Status: OR


I just got a ucb/talk request from rob (rob@violet.berkeley.edu).
I thought we settled that you were not being attacked?

Would you mind emailing rob@agate.berkeley.edu and cliff@violet.berkeley.edu
and saying that I was not trying to hack you and you were in communication
with me?

Gee, do you really think I would try to break into your system (let alone
do it from my home machine).  Would I have gotten into an email conversation
with you and exchanged syslog files?

From randy@psg.com Mon Jan 10 11:26:06 1994
Received: from rip.psg.com by fido.wps.com (5.67/wps.com-hackery)
	id AA28663; Mon, 10 Jan 94 11:26:02 -0800
Received: by rip.psg.com (Smail3.1.28.1 #6)
	id m0pJSF2-00030OC; Mon, 10 Jan 94 11:25 PST
Message-Id: <m0pJSF2-00030OC@rip.psg.com>
From: randy@psg.com (Randy Bush)
Subject: Re: sanity check please...!
To: tomj@wps.com (Tom Jennings)
Date: Mon, 10 Jan 1994 11:25:32 -0800 (PST)
Cc: jeff@onion.rain.com (Jeff Beadles)
In-Reply-To: <9401101922.AA28643@wps.com> from "Tom Jennings" at Jan 10, 94 11:22:53 am
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 412       
Status: OR

> Jan  8 20:28:16 fido rshd[18339]: refused connect from bin@battles.HIP.Berkeley.EDU

>> rsh bit is a standard bit to determin what a system is and if he was
>> still logged on (we were talking of meeting up at a club in SF and
>> finger was not saying anything)

Bullshit!  rsh is a crack attempt, period.  Wish one could capture the
parms.

Hmmm.  Maybe you need a fake rshd which just logs the parms!

randy
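
Randy's "fake rshd which just logs the parms" can be built directly from the rcmd wire format: the client sends four NUL-terminated fields (stderr port, client-side user, requested server-side user, command) and expects a single status byte back. The following is an added example, not code from anyone in this thread: a decoy that decodes and logs the request, checks whether the client came from a reserved port as a real rcmd(3) client would, and always refuses. The port constant and timeout are assumptions, and binding port 514 needs root.

```python
import logging
import socket

# Decoy rshd: accept the connection, decode the rcmd request, log it, refuse it.
# Nothing sent by the client is ever executed.
log = logging.getLogger("rshd-decoy")

MAX_NAME = 16        # rshd(8): each user name is at most 16 characters
MAX_REQUEST = 4096   # give up on clients that never finish the request
RSHD_PORT = 514      # the real rshd port (assumed; use a high port for testing)

class RcmdError(ValueError):
    """The bytes on the wire do not form an rcmd request."""

def source_port_ok(port: int) -> bool:
    """rcmd(3) clients connect from a reserved port in 512..1023; rshd
    rejects anything else before reading the request.  Logged, not enforced."""
    return 512 <= port <= 1023

def parse_rcmd_request(data: bytes) -> dict:
    """Decode "<stderr port>\\0<client user>\\0<server user>\\0<command>\\0".

    A stderr port of 0 means the client wants no secondary connection.
    """
    fields = data.split(b"\x00")
    if len(fields) < 5:          # four NUL-terminated fields plus the remainder
        raise RcmdError("truncated request: %r" % data[:64])
    port_s, client_user, server_user, command = fields[:4]
    if not port_s.isdigit() or int(port_s) > 65535:
        raise RcmdError("bad stderr port field: %r" % port_s)
    if len(client_user) > MAX_NAME or len(server_user) > MAX_NAME:
        raise RcmdError("user name longer than %d bytes" % MAX_NAME)
    return {
        "stderr_port": int(port_s),
        "client_user": client_user.decode("ascii", "replace"),
        "server_user": server_user.decode("ascii", "replace"),
        "command": command.decode("ascii", "replace"),
    }

def format_record(peer_host: str, peer_port: int, data: bytes) -> str:
    """One log line per connection, whether or not the request parsed."""
    try:
        r = parse_rcmd_request(data)
    except RcmdError as e:
        return "rsh from %s:%d rejected (%s)" % (peer_host, peer_port, e)
    return "rsh from %s:%d reserved_port=%s %s -> %s cmd=%r stderr_port=%d" % (
        peer_host, peer_port, source_port_ok(peer_port),
        r["client_user"], r["server_user"], r["command"], r["stderr_port"])

def read_request(conn: socket.socket) -> bytes:
    """Read until the four NUL-terminated fields have arrived or the cap is hit."""
    conn.settimeout(10)
    buf = b""
    while buf.count(b"\x00") < 4 and len(buf) < MAX_REQUEST:
        try:
            chunk = conn.recv(512)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf

def serve(port: int = RSHD_PORT) -> None:
    """Listen, log every request, refuse every request.  Runs until interrupted."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("", port))
        srv.listen(5)
        while True:
            conn, (host, cport) = srv.accept()
            with conn:
                log.info(format_record(host, cport, read_request(conn)))
                # rshd status byte: 0x01 means "error, message follows"
                conn.sendall(b"\x01Permission denied.\n")

if __name__ == "__main__":
    serve()
```

Pair it with tcp_wrapper as before, or run it on a spare port; either way the log line records the requested account and command that a plain "refused connect" entry does not.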

From shipley@remarque.berkeley.edu Mon Jan 10 13:01:42 1994
Received: from remarque.Berkeley.EDU by fido.wps.com (5.67/wps.com-hackery)
	id AA29013; Mon, 10 Jan 94 13:01:39 -0800
Received: from localhost by remarque.berkeley.edu (8.6.4/1.31)
	id NAA08329; Mon, 10 Jan 1994 13:01:36 -0800
Date: Mon, 10 Jan 1994 13:01:36 -0800
From: shipley@remarque.berkeley.edu (Pete Shipley)
Message-Id: <199401102101.NAA08329@remarque.berkeley.edu>
To: tomj@wps.com
Subject: Re: hello...
Cc: flesh@wps.com, rob@violet.berkeley.edu
Status: OR

>Fragment from Pete, orig. below)
>> the
>> rsh bit is a standard bit to determine what a system is and if he was
>
>GIMME A BREAK!! Attempting to execute programs on my side of the
>fence is called cracking. I know that you talk to Flesh regularly,
>and that email from him at this site is not news, and even if it
>was, you could call him on the phone, ask, whatever, or ask me, or
>any number of things. None of this is news, I say it for the record.
>
>A local system was taken down by an rsh..bin a week ago. Even if
>you never so much as PINGed it, maybe you can understand what that
>looks like from here.
>
>I really tried to assume it was as innocent as you claim. Really. Not
>only was I unable to come up with any reasonable use of an uninvited
>rsh myself, people I talked to were amazed I even considered it.

Well I was being honest with you.

If I was cracking your system I would have done *a lot* more than just rsh
a ls.

Not to sound threatening, but I could have run a script against you that
would have run almost every known security test I know on you. This is
a tool I use for verifying people's security when I do consulting
work.  I am the author of a book called hackman that lists the many ways
to crack a system with examples.

[I was gonna list the many things I would try if I was hacking your
system but (again) I do not want to sound like I am threatening you]

If you want a reference on me talk to Eric Hughes (hughes@soda.berkeley.edu)
or flesh (although I do not know the latter very well) or Erik Fair
(fair@apple.com).

Sorry that there was a misunderstanding, but I guess I was being
too honest with you.  I could have lied and blamed it on a cracker/guest
account, but no, I was up front (and even got a chuckle forwarding
my logs of your probes to you).

I know what it is like being attacked; *every* account I have had on
the internet has been attacked over the years (that is why I shelled
out the $$ for a home sparc station).  I have found hackers on line
reading my email then doing a 'rm -rf *' (to this system remarque!)


>
>Sorry if my self-defense has caused you any troubles,

troubles yes, loss of internet connectivity is a pain in the ass.

>but I think what
>you did overstepped bounds of reasonableness. 
>

I guess I did, but I also assumed that people would not go crazy
if I try to id a system.  I guess we both overreacted.

As I mentioned, I was *very* curious when
I got email from flesh and one of my Ex-SO's (whom I was very fond of).
As for calling flesh, I do not even know his real name or his phone number.

From rob@gangrene.berkeley.edu Mon Jan 10 16:57:31 1994
Received: from gangrene.Berkeley.EDU by fido.wps.com (5.67/wps.com-hackery)
	id AA29971; Mon, 10 Jan 94 16:57:29 -0800
Received: from localhost.Berkeley.EDU by gangrene.berkeley.edu (8.6.4/1.33)
	id QAA07484; Mon, 10 Jan 1994 16:55:59 -0800
Message-Id: <199401110055.QAA07484@gangrene.berkeley.edu>
To: Peter shipley <shipley@merde.dis.org>
Cc: blojo@xcf.berkeley.edu, tomj@wps.com
Subject: Re: battles.hip 
In-Reply-To: Your message of "Mon, 10 Jan 1994 04:20:17 PST."
             <9401101220.AA26250@merde.dis.org> 
Date: Mon, 10 Jan 1994 16:55:59 -0800
From: Rob Robertson <rob@gangrene.berkeley.edu>
Status: OR


[regarding turning on battles.hip.berkeley.edu SLIP/PPP account]. 

yeah, i'd like something more explicit from Mr. Jennings, and
addressed from Tom to me, before i turn the account back on.

rob

From shipley@remarque.berkeley.edu Mon Jan 10 16:58:17 1994
Received: from tlg.org by fido.wps.com (5.67/wps.com-hackery)
	id AA00105; Mon, 10 Jan 94 16:58:15 -0800
Received: from remarque.berkeley.edu by fnord.tlg.org (8.3/wps.com-hackery)
	id PAA06382; Mon, 10 Jan 1994 15:20:50 -0800
Received: from localhost by remarque.berkeley.edu (8.6.4/1.31)
	id PAA10574; Mon, 10 Jan 1994 15:22:10 -0800
Date: Mon, 10 Jan 1994 15:22:10 -0800
From: shipley@remarque.berkeley.edu (Pete Shipley)
Message-Id: <199401102322.PAA10574@remarque.berkeley.edu>
To: flesh@wps.com, tomj@wps.com
Subject: email me at
Status: OR


email me remarque.berkeley.edu since email to dis.org is disconnected
till I set something else up.


From tomj Mon Jan 10 18:02:23 1994
Received: by fido.wps.com (5.67/wps.com-hackery)
	id AA00522; Mon, 10 Jan 94 18:01:54 -0800
From: tomj (Tom Jennings)
Message-Id: <9401110201.AA00522@wps.com>
Subject: Re: battles.hip
To: rob@gangrene.berkeley.edu (Rob Robertson)
Date: Mon, 10 Jan 1994 18:01:54 -0800 (PST)
Cc: blojo@xcf.berkeley.edu, shipley@remarque.berkeley.edu
In-Reply-To: <199401110055.QAA07484@gangrene.berkeley.edu> from "Rob Robertson" at Jan 10, 94 04:55:59 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2965      
Status: OR

> [regarding turning on battles.hip.berkeley.edu SLIP/PPP account]. 

> yeah, i'd like something more explicit from Mr. Jennings, and
> addressed from Tom to me, before i turn the account back on.

Well I'm sorry this all happened, for starters. I have a complete
log of my conversations and log frags from the actual event. I'll
do a rundown.  If you want the whole email archive I'll give it to
whoever's interested.


----

This was my first indication of trouble. I run tcp_wrapper, and have rsh
disallowed with a few exceptions. It mailed me this:

>From daemon Sat Jan  8 20:28:20 1994
Date: Sat, 8 Jan 94 20:28:19 -0800
Message-Id: <9401090428.AA18347@wps.com>
Subject: %%%% wps.com: DENY rshd from bin@battles.HIP.Berkeley.EDU

 [battles.HIP.Berkeley.EDU]

        Finger information access denied for your host

        Only hosts runing ident server (RFC931) permitted access


When wrapper denies service, I have it do finger user@domain or
@domain. The above text is what it returned. I did not have identd
running at this time. I installed it that very night. I believe I
saw this message about 10pm? that night.

While I was installing and testing identd, I did a lot of fingers
on battles.hip. I might have done them before writing Rob, but it
was within an hour or so. I admit in retrospect that might look
alarming, but I also figured you had a custom fingerd there, and
in any case it was subsequently documented.

----

I then did WHOIS, nslookups, etc on battles.hip, found dis.org,
Peter's name, etc, which I checked with expn at the SMTP port. I
wrote the Berkeley admin (obtained from WHOIS) and Peter at the
same time, and simply asked Peter what was going on. A synopsis of
our correspondence follows, over the next 24 hrs:

tomj:
>> >I got an rsh attempt today from your host (battleship) today. Can you
>> >tell me what's up?
>> >

peter:
>> nothing, I got email and a bunch of fingers from a site I was not able
>> to id so I tried to id it.

tomj:
>But... my site is perfectly DNS'ed, I'm running RFC1413 stuff. I too
>peek and poke when I get funny connect attempts (multiple logins from
>.MIL sites, etc) using WHOIS, nslookup, etc... but tell me, why an rsh
>user bin?

peter:
I was getting email from "flesh" [user at wps.com] [...] I was
curious on who/where he would get an account [...]
The rsh bit is a standard bit to determine what a system is and if
he was still logged on (we were talking of meeting up at a club in
SF and finger was not saying anything)

Basically it was left at this. Peter apparently meant no harm, and
no damage was done. I disagree that rsh..bin is "acceptable behavior".
It was however a pretty obvious attempt, ie. not very sneaky if
break-in was the goal; however when I saw the attempt I just followed
S.O.P. for such things. That's all.


-- 
 Tom Jennings -- tomj@wps.com -- World Power Systems -- San Francisco, Calif.
 The Little Garden,  an S.F. Bay Area Internetwork -- email to info@tlg.org


From daemon Mon Jan 10 18:04:25 1994
Received: by fido.wps.com (5.67/wps.com-hackery)
	id AA00550; Mon, 10 Jan 94 18:04:24 -0800
Date: Mon, 10 Jan 94 18:04:24 -0800
From: root (Root of all evil)
Message-Id: <9401110204.AA00550@wps.com>
To: root
Subject: %%%% wps.com: RED-FLAG telnetd from @ack.Berkeley.EDU
Status: OR

 [ack.Berkeley.EDU]
 Login       Name              TTY Idle    When    Where
 rob      Rob Robertson         p0 1:31 Wed 18:40  gangrene.berkele    
 cliff    Cliff Frost           p1   53 Thu 16:08  128.32.152.242:0    
 cliff    Cliff Frost           p2   28 Thu 16:08  128.32.152.242:0    
 rob      Rob Robertson         p3  21: Tue 20:59  anthrax.berkeley    
 lindahl  Ken Lindahl           p5    7 Mon 09:26  batcave.Berkeley    
 rob      Rob Robertson         p6      Mon 11:42  gangrene.berkele    
 gopher   Gopher Manager        p8 5:17 Mon 10:15  wcw2.Berkeley.ED    

From rob@gangrene.berkeley.edu Mon Jan 10 18:07:59 1994
Received: from gangrene.Berkeley.EDU by fido.wps.com (5.67/wps.com-hackery)
	id AA00595; Mon, 10 Jan 94 18:07:57 -0800
Received: from localhost.Berkeley.EDU by gangrene.berkeley.edu (8.6.4/1.33)
	id SAA07526; Mon, 10 Jan 1994 18:08:14 -0800
Message-Id: <199401110208.SAA07526@gangrene.berkeley.edu>
To: tomj@wps.com (Tom Jennings)
Subject: Re: battles.hip 
In-Reply-To: Your message of "Mon, 10 Jan 1994 18:01:54 PST."
             <9401110201.AA00522@wps.com> 
Date: Mon, 10 Jan 1994 18:08:13 -0800
From: Rob Robertson <rob@gangrene.berkeley.edu>
Status: OR


the rsh as `bin' bit was a break-in attempt.

least wayz in my book, cuz on sun's /etc is owned by `bin'.  if there
is a /etc/hosts.equiv with a + in it (as shipped by sun), one rsh's in,
moves out the password file, and creates a new one.

and rsh isn't something that gets logged normally.

i'll turn the account on in a bit.

thanks,

rob
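
Rob's point about a "+" in /etc/hosts.equiv is easy to check for mechanically. The following is an added example, not code from Rob or anyone else in the thread, that grades hosts.equiv entries by how much trust they grant (the lone "+" Rob says Sun shipped, "host +", "+ user", and netgroup wildcards) and rewrites the file with the wildcard entries commented out. The sample file is constructed; the severity labels are the author's own scale, not anything from the page.

```python
from dataclasses import dataclass

# Constructed sample of /etc/hosts.equiv; the bare "+" on the second line is
# the Sun default that the mail describes.  Not taken from any real host.
SAMPLE_HOSTS_EQUIV = """\
# /etc/hosts.equiv -- constructed example
+
trusted.example.com
lab.example.com +
+ operator
+@admins
-untrusted.example.com
"""

@dataclass
class Finding:
    lineno: int
    entry: str
    severity: str
    reason: str

def classify(entry: str):
    """Return (severity, reason) for one hosts.equiv entry, or None if it is
    an explicit host (or a '-' denial) that grants no wildcard trust.

    Format is "host [user]".  A '+' in the host field means any host; a user
    field in hosts.equiv lets that remote user in as any non-root local user.
    """
    parts = entry.split()
    host = parts[0]
    user = parts[1] if len(parts) > 1 else None
    if host == "+" and user == "+":
        return "critical", "any user on any host may log in as any local user"
    if host == "+" and user is None:
        return "critical", "every host is trusted: same-named accounts need no password"
    if user == "+":
        return "high", "any user on %s may log in as any local user" % host
    if host == "+":
        return "high", "user %s on any host may log in as any local user" % user
    if host.startswith("+@") or (user or "").startswith("+@"):
        return "medium", "netgroup trust: only as strong as the NIS netgroup map"
    return None

def audit(text: str):
    """Findings for every wildcard entry in the file text, in file order."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append(Finding(n, entry, *verdict))
    return findings

def harden(text: str) -> str:
    """Comment out every wildcard entry; keep comments, explicit hosts and '-' denials."""
    kept = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry and classify(entry):
            kept.append("# removed: " + raw)
        else:
            kept.append(raw)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS_EQUIV):
        print("line %d [%s] %-24s %s" % (f.lineno, f.severity, f.entry, f.reason))
    print(harden(SAMPLE_HOSTS_EQUIV))
```

Run audit() over the real file on each host (and the same logic over per-user .rhosts files, where the user field means "that remote user may log in as this local user") and treat any critical finding the way Rob treats the rsh as bin.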

