raoul@eplunix.UUCP (Nico Garcia) (01/31/91)
Reply To: comp.dcom.modems Checking our dialup lines for security problems, I've noticed that *someone* keeps calling us as uucp, something like 40 times a day. We haven't been a uucp site for 3 years, at least, probably longer, and the old password is locked on our machine. The entries for half a day are shown below. Should I ignore this, or set some kind of trap, or call the phone company and have them trace the line, or what? uucp ttyd2 Wed Jan 30 23:41 - 23:41 (00:00) uucp ttyd2 Wed Jan 30 23:16 - 23:16 (00:00) uucp ttyd2 Wed Jan 30 23:03 - 23:03 (00:00) uucp ttyd2 Wed Jan 30 21:55 - 21:55 (00:00) uucp ttyd2 Wed Jan 30 21:12 - 21:12 (00:00) uucp ttyd2 Wed Jan 30 21:11 - 21:11 (00:00) uucp ttyd2 Wed Jan 30 20:11 - 20:11 (00:00) uucp ttyd2 Wed Jan 30 19:45 - 19:46 (00:00) uucp ttyd2 Wed Jan 30 19:24 - 19:24 (00:00) uucp ttyd2 Wed Jan 30 19:12 - 19:13 (00:00) uucp ttyd2 Wed Jan 30 18:13 - 18:13 (00:00) uucp ttyd2 Wed Jan 30 18:12 - 18:12 (00:00) uucp ttyd2 Wed Jan 30 17:16 - 17:16 (00:00) uucp ttyd2 Wed Jan 30 17:13 - 17:13 (00:00) uucp ttyd2 Wed Jan 30 15:57 - 15:57 (00:00) uucp ttyd2 Wed Jan 30 15:22 - 15:22 (00:00) uucp ttyd2 Wed Jan 30 15:05 - 15:05 (00:00) uucp ttyd2 Wed Jan 30 14:17 - 14:18 (00:00) uucp ttyd2 Wed Jan 30 13:41 - 13:41 (00:00) uucp ttyd2 Wed Jan 30 13:12 - 13:13 (00:00) uucp ttyd2 Wed Jan 30 12:52 - 12:53 (00:00) -- Nico Garcia Designs by Geniuses for use by Idiots eplunix!cirl!raoul@eddie.mit.edu
fitz@wang.com (Tom Fitzgerald) (02/06/91)
> Checking our dialup lines for security problems, I've noticed that *someone* > keeps calling us as uucp, something like 40 times a day. We haven't been a > uucp site for 3 years, at least, probably longer, and the old password is > locked on our machine. When you were a UUCP site, did you have different logins for each neighbor, or the same login for all neighbors? If the latter, you're screwed. If the former, you can watch for a "login <name>" process to be exec'd by getty when the machine tries to get in. The login process will last until uucico (or login) times out. I suppose you could try calling all your old neighbors, if you can remember them, to find out if you're still in their Systems file. --- Tom Fitzgerald Wang Labs fitz@wang.com 1-508-967-5278 Lowell MA, USA ...!uunet!wang!fitz
wolfgang@wsrcc.com (Wolfgang S. Rupprecht) (02/08/91)
> Checking our dialup lines for security problems, I've noticed that *someone* > keeps calling us as uucp, something like 40 times a day. We haven't been a > uucp site for 3 years, at least, probably longer, and the old password is > locked on our machine. Why not put the uucp's back for a day or two. Just don't give them any permission for reading/writing or executing anything. Then check the log files and see who it was. -wolfgang -- Wolfgang Rupprecht wolfgang@wsrcc.com (or) uunet!wsrcc!wolfgang Snail Mail Address: Box 6524, Alexandria, VA 22306-0524
brando@uicsl.csl.uiuc.edu (Brandon Brown) (02/08/91)
wolfgang@wsrcc.com (Wolfgang S. Rupprecht) writes: >> Checking our dialup lines for security problems, I've noticed that *someone* >> keeps calling us as uucp, something like 40 times a day. We haven't been a >> uucp site for 3 years, at least, probably longer, and the old password is >> locked on our machine. >Why not put the uucp's back for a day or two. Just don't give them >any permission for reading/writing or executing anything. Then check >the log files and see who it was. Also, I wouldn't pound the people too hard when you find out. Chances are, if they are not charged for local calls, and the administrator is a "passive" one, they could have restored an old backup and accidentally overwritten the /usr/lib/uucp files. I have done it before....Problem is we DO get charge for local calls, so after $100 was wasted....I learned the hard way! +-----------------------------------------------------------------------------+ | Brandon Brown | Internet: brando@uicsl.csl.uiuc.edu | | Coordinated Science Laboratory | UUCP: uiucuxc!addamax!brando!brown | | University of Illinois | CompuServe: 73040,447 | | Urbana, IL 61801 | GEnie: xmg23356, macbrando | +-----------------------------------------------------------------------------+
craig@attcan.UUCP (Craig Campbell) (02/09/91)
In article <b0efha.ba2@wang.com> fitz@wang.com (Tom Fitzgerald) writes: >> Checking our dialup lines for security problems, I've noticed that *someone* >> keeps calling us as uucp, something like 40 times a day. We haven't been a >> uucp site for 3 years, at least, probably longer, and the old password is >> locked on our machine. >When you were a UUCP site, did you have different logins for each neighbor, >or the same login for all neighbors? If the latter, you're screwed. If >the former, you can watch for a "login <name>" process to be exec'd by >getty when the machine tries to get in. The login process will last until >uucico (or login) times out. >I suppose you could try calling all your old neighbors, if you can remember >them, to find out if you're still in their Systems file. >--- >Tom Fitzgerald Wang Labs fitz@wang.com >1-508-967-5278 Lowell MA, USA ...!uunet!wang!fitz Given the context of your posting, I will assume that you mean someone is trying to log in as nuucp. (uucp is a valid login for a shell prompt. If someone is REALLY trying to log in as uucp, then you are experiencing an attempt by someone to 'crack' your system. At 40 calls a day, most likely an automated attempt.) If you are comfortable with the uucp setup, then why not open the nuucp account and set the valid commands to an empty set. Therefore, you should be able to get a log file entry of the attempted communication, plus the calling machine's identification. Please, let me know how this turns out, craig P.S. If this turns out to be a security problem, on some systems there is a "dialup" password option that requires selected external connections to enter another dialup password. If you want more info, I can provide same. c.e.c.
clewis@ferret.ocunix.on.ca (Chris Lewis) (02/09/91)
In article <b0efha.ba2@wang.com> fitz@wang.com (Tom Fitzgerald) writes: >> Checking our dialup lines for security problems, I've noticed that *someone* >> keeps calling us as uucp, something like 40 times a day. We haven't been a >> uucp site for 3 years, at least, probably longer, and the old password is >> locked on our machine. >When you were a UUCP site, did you have different logins for each neighbor, >or the same login for all neighbors? If the latter, you're screwed. If >the former, you can watch for a "login <name>" process to be exec'd by >getty when the machine tries to get in. The login process will last until >uucico (or login) times out. Easier than that. Even if they call you as "uucp". Reenable your uucp logins. If you're a USERFILE uucp, replace the contents of USERFILE with: , /tmp/thisisanimpossibleplace , /tmp/thisisanimpossibleplace (some uucico's had a bug in that the last entry had to be duplicated to work). If an HDB site, replace the Permissions file with something like (check your docs to make sure): LOGNAME=OTHER MACHINE=OTHER READ=/tmp/thisisanimpossibleplace \ WRITE=/tmp/thisisanimpossibleplace SEND=no RECEIVE=no And then move /usr/lib/uucp/uuxqt to somewhere else. Then wait. Your logs will fill with connections from the rogue dialer, with the UUCP node name in the log file. The rogue dialer won't be able to do anything because you've explicitly prevented them from getting anywhere that would be a problem (they won't know its name anyhow), and they couldn't possibly execute anything either. So, anything they attempt to do will be met with permission denied or missing uuxqt. Using the node name you get, you may be able to figure out where it's coming from. Chances are it's one of your neighbors that didn't bother removing you from their sys file, and something ended up enqueued to you. -- Chris Lewis, Phone: (613) 832-0541, Internet: clewis@ferret.ocunix.on.ca UUCP: uunet!mitel!cunews!latour!ecicrl!clewis Moderator of the Ferret Mailing List (ferret-request@eci386) Psroff enquiries: psroff-request@eci386, current patchlevel is *7*.
dce@smsc.sony.com (David Elliott) (02/14/91)
In article <13649@vpk3.UUCP>, craig@attcan.UUCP (Craig Campbell) writes: |> Given the context of your posting, I will assume that you mean someone is |> trying to log in as nuucp. (uucp is a valid login for a shell prompt. If |> someone is REALLY trying to log in as uucp, then you are experiencing an |> attempt by someone to 'crack' your system. At 40 calls a day, most likely an |> automated attempt.) The important context got lost here. The original posting showed a listing from the "last" command indicating that someone was logging in as uucp, when he was saying that the uucp account was disabled. From what I saw, it wasn't that someone was "trying" to log in, but that someone *was* logging in. This indicates (to me) that there is an account with the same uid as uucp with a valid password, and that this was still working. I tried to reply to the original poster, but the mail bounced so I ignored the problem. -- ...David Elliott ...dce@smsc.sony.com | ...!{uunet,mips}!sonyusa!dce ...(408)944-4073 ..."His lower lip waved poutily with defiance..."