DHASKIN@CLARKU.BITNET.UUCP (04/02/87)
Hi gang -
Here's an interesting one; as usual, we occasionally get people trying to guess
other people's passwords and gain access to their accounts, which in general we
don't like but like even less when the account they're trying to crash is owned
by a senior administrative member (a VP or Provost, for example).
When this happens we peruse the operator log file and can often identify by
inspection which person was most likely responsible -- we've been fairly
successful in the past. However, take a look at the message (names have been
changed):
%%%%%%%%%%% OPCOM 30-MAR-1987 17:02:16.99 %%%%%%%%%%%
Security alarm on OLLIE / Local interactive breakin detection
Time: 30-MAR-1987 17:02:16.83
PID: 20200239
User Name: SWEAVER
Password: GATEKEEPER
Dev Name: _LTA393:
We have a program to identify the actual physical server and port to which a
LAT device is attached for a currently existing LAT terminal, but no way to go
back and find out where LTA393: was after LTA393: has returned to the ether.
Has anyone had to deal with this problem? What steps did you take? I can
think of a couple -- can one modify the OPCOM message to include this ancillary
information (or will DEC maybe do this? Hello?)? Or do you log LAT terminal
names and physical info to a file when they're created? Any other
alternatives?
This information is not crucial (as I said, we are generally able to identify
suspects) but would make the process much easier.
Any ideas?
aTdHvAaNnKcSe,
% Denis W. Haskin Manager, Technical Services %
% ----------------------------------------------------------------------- %
% DHASKIN@CLARKU.BITNET Office of Information Systems (617)793-7193 %
% Clark University 950 Main Street Worcester MA 01610 %
% %
% "Anyone who _moves_ before Most Holy comes back out will spend the rest %
% of eternity sipping lava through an iron straw." - Cerebus %
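
The post's second idea (logging LAT device names with their physical server and port when they are created) would let an alarm be matched to a port after the device is gone. A sketch of that lookup, added here as an example and not part of the original post: the log format, server names and port names are hypothetical, and the log is assumed to be in time order.

```python
import re
from datetime import datetime

VMS_TIME = "%d-%b-%Y %H:%M:%S.%f"

# Alarm text as quoted in the post.
ALARM = """\
%%%%%%%%%%% OPCOM 30-MAR-1987 17:02:16.99 %%%%%%%%%%%
Security alarm on OLLIE / Local interactive breakin detection
Time: 30-MAR-1987 17:02:16.83
PID: 20200239
User Name: SWEAVER
Password: GATEKEEPER
Dev Name: _LTA393:
"""

# Constructed sample of a site-written LAT log (hypothetical format and names):
# <VMS time> <CREATE|DELETE> <device> [<server> <port>]
LAT_LOG = """\
30-MAR-1987 09:12:40.10 CREATE LTA393 TSRV_LIB PORT_3
30-MAR-1987 09:50:02.55 DELETE LTA393
30-MAR-1987 16:58:31.20 CREATE LTA393 TSRV_DORM2 PORT_7
30-MAR-1987 17:03:05.00 DELETE LTA393
30-MAR-1987 17:30:11.42 CREATE LTA393 TSRV_ADMIN PORT_1
"""

def parse_alarm(text):
    """Return (alarm time, device name without '_' and ':') from an OPCOM alarm."""
    fields = dict(re.findall(r"^(Time|Dev Name):\s*(\S.*?)\s*$", text, re.M))
    return (datetime.strptime(fields["Time"], VMS_TIME),
            fields["Dev Name"].strip("_:").upper())

def locate(alarm_text, lat_log):
    """Find the server/port that owned the alarm's LTA device at alarm time."""
    when, dev = parse_alarm(alarm_text)
    owner = None
    for line in lat_log.splitlines():
        parts = line.split()
        stamp = datetime.strptime(" ".join(parts[:2]), VMS_TIME)
        if parts[3] != dev or stamp > when:
            continue                     # other device, or after the alarm
        # The latest CREATE before the alarm wins; a DELETE clears it.
        owner = tuple(parts[4:6]) if parts[2] == "CREATE" else None
    return dev, owner

if __name__ == "__main__":
    print(locate(ALARM, LAT_LOG))
```

Because LTA device names are reused, the lookup keys on time as well as name: the same LTA393 maps to three different ports in the sample log.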