
Cracked DEC machine




Actually, the cracker was found fairly soon after he got access; he
started working on other computers on campus.  We had a power outage on
Sunday and I'm pretty sure he did not crack our system until after that
power outage.  When I came in Monday morning, someone in a nearby lab had
unplugged the computer from the ethernet and left me the news that someone
was trying to break into his machine from our machine.  He cracked through
a hole in CDE and the tooltalk RPC service.  An advisory was put on CERT
in September, but I didn't see it.  Of course, DEC isn't even listed on
the warning.  Nice job DEC (or should I say Compaq).  There is a fix at
DEC/Compaq.  There are several other systems listed at:

www.cert.org/advisories/CA-98.11.tooltalk.htm

TED is also affected in the off chance anyone has that installed.

I'm still not sure how they got into the NetBSD machine.  I imagine it was
through sendmail or finger.  I was just playing around, but I should have
known better.  Maybe after my general exam I'll try again.  I suspect
these guys were interested in putting eggbots everywhere as we had been
cracked 6 months ago and an eggbot placed on the system.  Another DEC
system had an eggbot on their system also this time around.

I guess I'll have to subscribe to comp.security.announce now.

Matt


On 4 Feb 1999, Unfurl wrote:

> On Thu, Feb 04, 1999 at 09:29:40AM -0800, M. Kokaly wrote:
> > I was actually thinking about this when I wasn't busy trying to figure out
> > how a cracker broke into our DEC Unix station -> What a pain that's been.
> > Unfortunately, I'm also trying to prepare for my general exam, when it
> > rains, it pours.  What a time for our system to get hacked.  
> 
> Ouch. Did you find the cracker by accident or by damage he created?
> 
> > Incidentally,
> > I was playing with NetBSD on a Mac and just quickly installed it and put
> > it on the net without doing much, just playing around.  It was cracked by
> > the next morning.  Arrgh!  Anyway, my FreeBSD machine is currently off the
> > net as I double check all security on that and finally begin to use TCP 
> > wrappers.
> 
> How did they get into your NetBSD box? TCP wrappers are a really good
> idea. Even if you never expect to get attacked it is nice to have all of
> the logs available.
> 
> > P.S. The culprit on the DEC Unix appeared to be a bug in CDE.  Bye Bye
> > CDE.  There is a fix, but I hate CDE anyway.
> 
> Which bug was it? Do you know if it was DEC specific? 
> I hate CDE too. My desktop at work is a Sparc5 running Solaris. Luckily
> Windowmaker runs just fine on it :)
> 
> 
> -Bill
> 
> -- 
> unfurl@dub.net - This is a munition. Fight Back!
> #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
> $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
> lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
>