From tomj@fnord.tlg.org Mon Mar  7 12:33:10 1994
Received: from tlg.org by fido.wps.com (5.67/wps.com-hackery)
	id AA01716; Mon, 7 Mar 94 12:33:08 -0800
Received: from localhost by fnord.tlg.org (8.3/wps.com-hackery)
	id MAA12582; Mon, 7 Mar 1994 12:29:11 -0800
Date: Mon, 7 Mar 1994 12:29:11 -0800
From: tomj@fnord.tlg.org (Tom Jennings)
Message-Id: <199403072029.MAA12582@tlg.org>
To: tomj@fnord.tlg.org, tomj@wps.com
Subject: %%%% tlg.org: DENY rshd from @x29.engin.umich.edu
Status: OR

 [x29.engin.umich.edu]
 Login       Name              TTY Idle    When    Where
 mgerard  Michael  Gerard      *p0 2:22 Mon 13:10  ioemac129           
 jaeho    Jaeho Lee             p1      Mon 11:12  sideshow.eecs.um    
 ylchen   yi liang chen        *p3 5:21 Mon 10:02  hme1.merit.edu      
 rbupp    robert  bupp          p5      Mon 13:27  :0.0                
 blg      brian lawrence graha  p7 1:39 Mon 13:52  rmm6.merit.edu      
 rbupp    robert  bupp          pc    2 Mon 15:05  :0.0                

From tomj@fnord.tlg.org Mon Mar 14 19:17:34 1994
Received: from tlg.org by fido.wps.com (5.67/wps.com-hackery)
	id AA01358; Mon, 14 Mar 94 19:17:32 -0800
Received: from localhost by fnord.tlg.org (8.3/wps.com-hackery)
	id TAA23401; Mon, 14 Mar 1994 19:14:42 -0800
Received: from localhost by fnord.tlg.org (8.3/wps.com-hackery)
	id MAA12582; Mon, 7 Mar 1994 12:29:11 -0800
Date: Mon, 7 Mar 1994 12:29:11 -0800
From: tomj@fnord.tlg.org (Tom Jennings)
Message-Id: <199403072029.MAA12582@tlg.org>
To: tomj@fnord.tlg.org, tomj@wps.com
Subject: %%%% tlg.org: DENY rshd from @x29.engin.umich.edu
Sender: tomj@fnord.tlg.org
Status: O

 [x29.engin.umich.edu]
 Login       Name              TTY Idle    When    Where
 mgerard  Michael  Gerard      *p0 2:22 Mon 13:10  ioemac129           
 jaeho    Jaeho Lee             p1      Mon 11:12  sideshow.eecs.um    
 ylchen   yi liang chen        *p3 5:21 Mon 10:02  hme1.merit.edu      
 rbupp    robert  bupp          p5      Mon 13:27  :0.0                
 blg      brian lawrence graha  p7 1:39 Mon 13:52  rmm6.merit.edu      
 rbupp    robert  bupp          pc    2 Mon 15:05  :0.0                


From tomj Mon Mar 14 19:32:27 1994
Received: by fido.wps.com (5.67/wps.com-hackery)
	id AA01457; Mon, 14 Mar 94 19:32:17 -0800
From: tomj (Tom Jennings)
Message-Id: <9403150332.AA01457@wps.com>
Subject: possible security problem...
To: Bryan@UMICH.EDU
Date: Mon, 14 Mar 1994 19:32:16 -0800 (PST)
Cc: tomj (Tom Jennings)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1826      
Status: O

A user on one of your machines, x29.engin.umich.edu, attempted a
remote-shell against a site I admin here, tlg.org. I don't know
what the command tail was. My security wrapper and return-finger
caught a few names, included below.

rsh from remote, unauthorized sites is clearly a crude break-in
attempt.  Any light you could shed on this would be helpful... and
if there's anything I can do to help, just ask.

Following are the results of my security: tcp wrapper with an immediate
reverse-finger. Note the zero-idle time users. I wrote to both
users, asking them what might have happened, and only rbupp answered,
saying he didn't even know what rsh was. (I explained to him the
problem and thanked him for replying. I was nice :-)



>From tomj@fnord.tlg.org Mon Mar  7 12:33:10 1994
Received: from tlg.org by fido.wps.com (5.67/wps.com-hackery)
	id AA01716; Mon, 7 Mar 94 12:33:08 -0800
Received: from localhost by fnord.tlg.org (8.3/wps.com-hackery)
	id MAA12582; Mon, 7 Mar 1994 12:29:11 -0800
Date: Mon, 7 Mar 1994 12:29:11 -0800
From: tomj@fnord.tlg.org (Tom Jennings)
Message-Id: <199403072029.MAA12582@tlg.org>
To: tomj@fnord.tlg.org, tomj@wps.com
Subject: %%%% tlg.org: DENY rshd from @x29.engin.umich.edu
Status: OR

 [x29.engin.umich.edu]
 Login       Name              TTY Idle    When    Where
 mgerard  Michael  Gerard      *p0 2:22 Mon 13:10  ioemac129           
 jaeho    Jaeho Lee             p1      Mon 11:12  sideshow.eecs.um    
 ylchen   yi liang chen        *p3 5:21 Mon 10:02  hme1.merit.edu      
 rbupp    robert  bupp          p5      Mon 13:27  :0.0                
 blg      brian lawrence graha  p7 1:39 Mon 13:52  rmm6.merit.edu      
 rbupp    robert  bupp          pc    2 Mon 15:05  :0.0                





-- 
 Tom Jennings -- tomj@wps.com -- World Power Systems --  San Francisco, Calif.
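The finger table the wrapper mailed back has a Name column of variable width, so the sessions Tom singled out (the ones with an empty Idle column, i.e. active at the moment of the probe) are easiest to pick out by parsing each row from the right. The script below is an added example, not Tom's wrapper or return-finger code; the table is a constructed sample copied from the format of the alert above, and it assumes the When column is a weekday plus a time as in that sample.

```shell
#!/bin/sh
# Constructed sample: a finger table in the format the wrapper mailed.
FINGER_SAMPLE=' [x29.engin.umich.edu]
 Login       Name              TTY Idle    When    Where
 mgerard  Michael  Gerard      *p0 2:22 Mon 13:10  ioemac129
 jaeho    Jaeho Lee             p1      Mon 11:12  sideshow.eecs.um
 ylchen   yi liang chen        *p3 5:21 Mon 10:02  hme1.merit.edu
 rbupp    robert  bupp          p5      Mon 13:27  :0.0
 blg      brian lawrence graha  p7 1:39 Mon 13:52  rmm6.merit.edu
 rbupp    robert  bupp          pc    2 Mon 15:05  :0.0'

# active_logins TABLE
# Prints "login tty where" for every session whose Idle column is empty.
# The Name column holds one to three words, so each row is read from the
# right: Where, When (weekday and time), then either Idle or TTY. Idle
# values start with a digit ("2:22", "2"); TTY names do not ("p1", "*p0").
active_logins() {
    printf '%s\n' "$1" | awk '
        /^ *\[/     { next }        # "[host]" banner line
        /^ *Login/  { next }        # column header
        NF < 5      { next }        # blank or truncated line
        {
            where = $NF
            f = $(NF-3)             # field just before the weekday
            if (f !~ /^[0-9]/)      # not an idle time, so it is the TTY: active now
                print $1, f, where
        }'
}

# Usage: list the active sessions, one per line
active_logins "$FINGER_SAMPLE"
```

On the sample this reports jaeho and rbupp, the two users Tom wrote to. A session that is active at the instant of the probe is only a lead, not proof: as paul points out in his reply, a command run through rsh on the intermediate host does not register as a login at all, so finger never sees it.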

From paul@fivespot.engin.umich.edu Tue Mar 22 15:40:15 1994
Received: from fivespot.engin.umich.edu by fido.wps.com (5.67/wps.com-hackery)
	id AA14261; Tue, 22 Mar 94 15:40:12 -0800
Received: from localhost (localhost [127.0.0.1]) by fivespot.engin.umich.edu (8.6.4/8.6.4) with ESMTP id SAA09921; Tue, 22 Mar 1994 18:40:08 -0500
Message-Id: <199403222340.SAA09921@fivespot.engin.umich.edu>
To: tomj@wps.com (Tom Jennings)
Cc: bryan@notorious.rs.itd.umich.edu (Bryan Beecher)
Subject: Re: possible security problem... 
In-Reply-To: Your message of "Mon, 21 Mar 1994 10:14:34 PST."
             <9403211814.AA08774@wps.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Id: <9918.764379605.1@fivespot.engin.umich.edu>
Date: Tue, 22 Mar 1994 18:40:07 -0500
From: paul killey <paul@engin.umich.edu>
Status: OR

my guess is that whoever was rsh-ing against you had gotten to x29 with
something like 'rsh x29 sh -i' so that a finger back would not show
them.

quite honestly, we do not log rsh and are unable to track this back.

sorry.

none of the users on that machine were accounts known to be hacked or
logged in from known hacker locations.

our intent is to run some sort of wrapper for inetd this summer.

we have about 250 suns here and are always pretty constrained by
manpower, etc.

--paul

From tomj Tue Mar 22 19:32:55 1994
Received: by fido.wps.com (5.67/wps.com-hackery)
	id AA14853; Tue, 22 Mar 94 19:32:46 -0800
From: tomj (Tom Jennings)
Message-Id: <9403230332.AA14853@wps.com>
Subject: Re: possible security problem...
To: paul@engin.umich.edu (paul killey)
Date: Tue, 22 Mar 1994 19:32:45 -0800 (PST)
Cc: tomj@wps.com, bryan@notorious.rs.itd.umich.edu
In-Reply-To: <199403222340.SAA09921@fivespot.engin.umich.edu> from "paul killey" at Mar 22, 94 06:40:07 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 882       
Status: OR

> my guess is that whoever was rsh-ing against you had gotten to x29 with
> something like 'rsh x29 sh -i' so that a finger back would not show
> them.
> 
> quite honestly, we do not log rsh and are unable to track this back.
> 
> sorry.

Well if it were from user 'root' rshd should log it by itself, but
it doesn't log uid==0.  Too bad! Oh, not a great problem for me.
I was just following through. 

> our intent is to run some sort of wrapper for inetd this summer.

tcp_wrapper is great, and should be a drop-in. I simply disallow rsh,
rlogin etc from anywhere outside my own domain.

> we have about 250 suns here and are always pretty constrained by
> manpower, etc.

I can imagine! 


Well good luck, and thanks for the reply. No harm done here, like I said
I was just following up on it. 

-- 
 Tom Jennings -- tomj@wps.com -- World Power Systems --  San Francisco, Calif.
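The policy Tom describes in his reply (refuse rsh, rlogin and friends from anywhere outside his own domain, and finger the calling host on a refusal) maps onto two tcp_wrappers rules. The fragment below is an added example, not Tom's actual hosts.allow and hosts.deny; the daemon names (which must match the server names in inetd.conf), the .tlg.org client list and the program paths are assumptions. The booby-trap form with spawn follows the pattern in the hosts_access(5) manual, and it uses the safe_finger program shipped with tcp_wrappers rather than plain finger, because safe_finger limits the size of the reply and strips control characters a hostile finger server might send back.

```conf
# /etc/hosts.allow
# r-services are accepted only from this host itself (LOCAL matches names
# without a dot) and from machines in our own domain. Daemon names assumed.
in.rshd in.rlogind in.rexecd : LOCAL .tlg.org

# /etc/hosts.deny
# Everything else is refused. tcpd records the refusal through syslog on its
# own; spawn additionally fingers the calling host and mails the result.
# %d expands to the daemon name, %h to the client host, %c to user@host when
# an ident reply is available. Paths to safe_finger and mail are assumed.
in.rshd in.rlogind in.rexecd : ALL : spawn (/usr/local/etc/safe_finger -l @%h | /usr/ucb/mail -s "DENY %d from %c" root) &
```

The syslog line tcpd writes is the part of this that survives the case paul describes: even when the finger reply shows nobody, the refused connection itself is still on record with the client's name and address.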

