Interesting People mailing list archives
UC Berkeley Sniffing incident
From: David Farber <farber () central cis upenn edu>
Date: Sat, 8 Jan 1994 09:12:33 -0800
Date: Fri, 7 Jan 94 14:43:20 -0500
Posted-Date: Fri, 7 Jan 94 14:43:20 -0500
To: uugp () isc upenn edu
From: millar () pobox upenn edu (Dave Millar)
Subject: UC Berkeley Sniffing incident
Cc: curtis () pobox upenn edu

UC Berkeley had an incident on New Year's Day where someone installed a "sniffer" on their machine without their knowledge. Two connections from Penn were logged (one from the terminal server, and another from a campus host), and administrators on those hosts were notified.

Basically, what these programs do is monitor any connections (telnet, rlogin) on the subnet that the Berkeley machine was attached to, and capture ids and passwords. Anyone who used telnet, rlogin, ftp, or any other internet services at Berkeley on 1/1/94 should minimally change their password, and should probably look at the security on their host as well, since often hackers will use the accounts and passwords that they obtain to install the same programs on subsequent hosts.

If you choose to check your binaries, note that the Berkeley hackers modified checksums and "last modified" dates. To be certain your binaries are unchanged, you need to either do a binary comparison or do the System V sum command. The altered binaries at Berkeley were /usr/bin/ps and /usr/etc/in.telnetd.

Dave

From: kazdan () math upenn edu
Posted-Date: Tue, 4 Jan 94 15:33:52 EST
Subject: passwords & Jan 1st UC Berkeley Network Security Incident (fwd)
To: millar () pobox upenn edu
Date: Tue, 4 Jan 94 15:33:52 EST
Cc: ira () cis upenn edu (Ira Winston)
Reply-To: Jerry L. Kazdan <kazdan () math upenn edu>
X-Mailer: ELM [version 2.3 PL11-upenn1.12]

For your information. Last weekend crackers broke into the UC Berkeley network (see below). Apparently they were monitoring for passwords in rlogin and telnet sessions.

Jerry Kazdan

--------------------------------------

Around 9 PM, January 1st, we discovered an IST machine had been compromised by a cracker. The cracker had installed a network sniffing application, which recorded the first lines of all telnet, rlogin, and ftp connections, logging them for passwords. The application had apparently been running since 7 that morning, and had been monitoring the 128.32.155 and 128.32.136 subnets.

The cracker modified /usr/bin/ps and /usr/etc/in.telnetd. The dates were changed on the programs, and checksums modified, so they looked almost indistinguishable from the original programs. The ps(1) program was modified to not list the network sniffing application, and in.telnetd(8) was modified to allow a backdoor. The way to distinguish the modified programs from the originals is either to do a binary comparison, or use the System V sum command, /usr/5bin/sum.

We have since secured the machine, and notified the Computer Emergency Response Team (CERT).

Your site was listed in the logs. Below is a list of usernames and machines from that log which are at your site. Please do not consider this an exhaustive list, as more passwords could have been compromised. We advise you at the minimum to change the passwords for those accounts and check the integrity of your system.

...

william robertson
Data Communication & Networking Services
University of California Berkeley
rob () agate berkeley edu
510/643-9837

Dave Millar
University Information Security Officer
University of Pennsylvania
millar () pobox upenn edu
(215) 898-2172
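The integrity check both messages recommend, as an added example that is not part of either message or of any Berkeley or Penn tooling: a small shell script that compares a suspect binary byte-for-byte against a trusted copy with cmp (the "binary comparison" the messages describe) and keeps a SHA-256 baseline using GNU sha256sum in place of the System V sum command they mention. The file names, file contents and the demo function are constructed; the -nt/-ot tests assume a shell whose test builtin supports them (bash and dash both do).

```shell
#!/bin/sh
# Added example, not from the original messages. Checks a suspect binary
# against a trusted copy (e.g. one taken from original install media) and
# against a hash baseline. All file names and contents here are constructed.

# verify_binary TRUSTED SUSPECT
# Exit status: 0 identical, 1 differs, 2 usage error.
# A matching mtime is reported but deliberately carries no weight: the
# Berkeley intruders reset timestamps and checksums on the files they replaced.
verify_binary() {
    trusted=$1
    suspect=$2
    if [ ! -f "$trusted" ] || [ ! -f "$suspect" ]; then
        echo "verify_binary: missing file" >&2
        return 2
    fi
    if [ ! "$suspect" -nt "$trusted" ] && [ ! "$suspect" -ot "$trusted" ]; then
        echo "note: mtime of $suspect matches the trusted copy (proves nothing)"
    fi
    if cmp -s "$trusted" "$suspect"; then
        echo "OK: $suspect is byte-identical to $trusted"
        return 0
    fi
    echo "ALERT: $suspect differs from $trusted"
    return 1
}

# record_baseline BASELINE_FILE FILE...
# Store SHA-256 digests of known-good files. Keep the baseline off the host:
# an intruder who can replace ps can also edit a baseline stored locally.
record_baseline() {
    baseline=$1
    shift
    sha256sum "$@" > "$baseline"
}

# check_baseline BASELINE_FILE
# Exit status 0 only if every listed file still matches its recorded digest.
check_baseline() {
    sha256sum --quiet -c "$1"
}

# Stand-alone demo with constructed files: a replaced in.telnetd whose
# mtime has been reset to match the trusted copy is still caught by cmp.
demo() {
    dir=$(mktemp -d)
    printf 'original in.telnetd bytes\n' > "$dir/in.telnetd.trusted"
    printf 'original in.telnetd bytes\n' > "$dir/in.telnetd"
    record_baseline "$dir/baseline.sha256" "$dir/in.telnetd"
    verify_binary "$dir/in.telnetd.trusted" "$dir/in.telnetd"
    printf 'original in.telnetd bytes plus extra\n' > "$dir/in.telnetd"
    touch -r "$dir/in.telnetd.trusted" "$dir/in.telnetd"
    verify_binary "$dir/in.telnetd.trusted" "$dir/in.telnetd"
    check_baseline "$dir/baseline.sha256" || echo "ALERT: baseline mismatch"
    rm -rf "$dir"
}

[ "${1:-}" = demo ] && demo
```

Run as `sh script.sh demo` to see the constructed case. The point the messages make still holds today: a timestamp or a short additive checksum can be made to match, so the only check worth trusting is a full comparison against a copy the intruder could not reach, or a cryptographic digest recorded before the incident and stored elsewhere.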