[mod.computers.vax] how to stomp on your kiddies

SYSMSH@ULKYVX.BITNET.UUCP (05/15/86)

Hi VAX fans!

After I got back from DECUS I found that a couple of students had written
a DCL command file which was a login faker.  The students were looking for
write-enabled directories and placing their DCL trap in the target's directory
as LOGIN.COM.  When the target user logged on, they were usually fooled
into entering their user name and password again.

After stomping all over the perpetrators I decided to whip up a little fix.
As I got into it I got the feeling that this was a really sweet kludge.
I modified SYLOGIN.COM to include the following code and protected SYLOGIN
so that it was execute-only.  It detects if a user's LOGIN.COM is owned
by another user and does not run it if it is.  In addition, it also sends
a mail message to me so I can check it out.

The perpetrators do not see any failures, the user isn't hijacked, and I
get notified quickly.  Enjoy.  (Stomp...Stomp)

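$! Nothing to check if the user has no LOGIN.COM
$ if f$search("sys$login:login.com") .eqs. "" then goto no_user_login
$! Compare the owner UIC of LOGIN.COM with the UIC of the process logging in
$ lcuic=f$file_attributes("sys$login:login.com","UIC")
$ myuic=f$getjpi(0,"UIC")
$ if lcuic .eqs. myuic then goto its_ok
$! Owned by someone else: mail the system manager (empty body from the
$! null device) and skip the file without telling the user anything
$ mail/subject="login.com security" nl:a.a sysmsh
$ goto no_user_login
$ its_ok:
$ @sys$login:login.com
$ no_user_login:
$ exit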

Mark Hittinger/systems programmer iv/OCIS south center
University of Louisville/Louisville, Ky 40292
sysmsh%ulkyvx.bitnet@wiscvm.wisc.edu
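
The same decision logic ported to a POSIX system, as an added example that is not part of the original post and not the author's code. It goes beyond the post's owner check by also flagging a writable script and the write-enabled directory the post names as the way in; the script name ".login", the function names and the alert wording are assumptions.

```python
import os
import stat
import tempfile

def vet_login_script(home, expected_uid, script=".login"):
    """Return (verdict, reasons); verdict is 'absent', 'run' or 'skip'."""
    path = os.path.join(home, script)
    try:
        st = os.lstat(path)  # lstat: a planted symlink is judged itself, not its target
    except FileNotFoundError:
        return "absent", []
    reasons = []
    if not stat.S_ISREG(st.st_mode):
        reasons.append("not a regular file")
    if st.st_uid != expected_uid:  # the post's check: owner differs from the user logging in
        reasons.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("script writable by group/other")
    dmode = os.stat(home).st_mode
    if dmode & (stat.S_IWGRP | stat.S_IWOTH) and not dmode & stat.S_ISVTX:
        reasons.append("home directory writable by group/other")
    return ("skip" if reasons else "run"), reasons

def notify(user, reasons):
    """Stand-in for the post's MAIL to the system manager: build the alert text."""
    return f"login script security: {user}: " + "; ".join(reasons)

def demo():
    """Constructed sample: a temporary 'home' with a script owned by the current uid."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)
        results["absent"] = vet_login_script(home, os.getuid())
        path = os.path.join(home, ".login")
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, 0o600)
        results["own"] = vet_login_script(home, os.getuid())
        # Pretend a different user is logging in, so the file looks foreign-owned
        results["foreign"] = vet_login_script(home, os.getuid() + 1)
        os.chmod(home, 0o777)  # the write-enabled directory case
        results["open_dir"] = vet_login_script(home, os.getuid())
        os.chmod(home, 0o700)
    return results

if __name__ == "__main__":
    for case, (verdict, reasons) in demo().items():
        print(case, verdict, reasons)
```

As in the post, a "skip" verdict is meant to be silent for the person logging in; only the administrator sees the text from notify().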