UC Berkeley Sniffing incident

[David Farber <farber () central cis upenn edu>]

> Date: Fri, 7 Jan 94 14:43:20 -0500
> Posted-Date: Fri, 7 Jan 94 14:43:20 -0500
> To: uugp () isc upenn edu
> From: millar () pobox upenn edu (Dave Millar)
> Subject: UC Berkeley Sniffing incident
> Cc: curtis () pobox upenn edu
>
> UC Berkeley had an incident on New Years day where someone installed a
> "sniffer" on their machine without their knowledge.  Two connections from
> Penn were logged (one from the terminal server, and another from a campus
> host), and administrators on those hosts were notified.
>
> Basically, what these programs do is monitor any connections (telnet,
> rlogin) on the subnet that the Berkeley machine was attached to, and
> capture ids and passwords.  Anyone who used telnet, rlogin, ftp, or any
> other internet services at Berkeley on 1/1/94 should minimally change their
> password, and should probably look at the security on their host as well
> since often, hackers will use the accounts and passwords that they obtain
> to install the same programs on subsequent hosts.
>
> If you choose to  check your binaries, note that the Berkeley hackers
> modified checksums and "last modified" dates.  To be certain your binaries
> are unchanged, you need to either do a binary comparison or do the System V
> sum command.  The altered binaries at Berkeley were /usr/bin/ps and
> /usr/etc/in.telnetd.
>
> Dave
>
> > From: kazdan () math upenn edu
> > Posted-Date: Tue, 4 Jan 94 15:33:52 EST
> > Subject: passwords & Jan 1st UC Berkeley Network Security Incident (fwd)
> > To: millar () pobox upenn edu
> > Date: Tue, 4 Jan 94 15:33:52 EST
> > Cc: ira () cis upenn edu (Ira Winston)
> > Reply-To: Jerry L. Kazdan <kazdan () math upenn edu>
> > X-Mailer: ELM [version 2.3 PL11-upenn1.12]
> >
> >        For your information.  Last weekend crackers broke into the UC
> > Berkeley network (see below). Apparently they were monitoring for
> > passwords in rlogin and telnet sessions.
> >        Jerry Kazdan
> >                --------------------------------------
> > > Around 9 PM, January 1st, we discovered an IST machine had been
> > > compromised by a cracker.  The cracker had installed an network
> > > sniffing application, which recorded the first lines of all telnet,
> > > rlogin, and ftp connections, logging them for passwords.
> >
> > > The application had apparently been running since 7 that morning, and
> > > had been monitoring the 128.32.155 and 128.32.136 subnets.
> > >
> > > The cracker modified /usr/bin/ps and /usr/etc/in.telnetd.  The dates
> > > were changed on the programs, and checksums modified, so they looked
> > > almost indistinguishable from the original programs.  The ps(1)
> > > program was modified to not list the network sniffing application, and
> > > in.telnetd(8) was modified to allow a backdoor.  The way to
> > > distinguish the modified programs from the originals, is either to do
> > > a binary comparison, or use the System V sum command, /usr/5bin/sum.
> >
> > > We have since secured the machine, and notified the Computer Emergency
> >
> > > Response Team (CERT).
> >
> > > Your site was listed in the logs.
> > >
> > > Below is a list of usernames and machines from that log which are at
> > > your site.  Please do not consider this an exhaustive list, as more
> > > passwords could have been compromised.  We advise you at the minimum
> > > to change the passwords for those accounts and check the integrity of
> > > your system.
> > >
> > > ...
> > >
> > > william robertson
> > > Data Comunnication & Networking Services
> > > University of California Berkeley
> > > rob () agate berkeley edu
> > > 510/643-9837
> Dave Millar
> University Information Security Officer
> University of Pennsylvania
> millar () pobox upenn edu
> (215) 898-2172