[comp.misc] Troubling phone calls

raoul@eplunix.UUCP (Nico Garcia) (01/31/91)

Reply To: comp.dcom.modems

Checking our dialup lines for security problems, I've noticed that *someone*
keeps calling us as uucp, something like 40 times a day.  We haven't been a
uucp site for 3 years, at least, probably longer, and the old password is
locked on our machine. The entries for half a day are shown below. Should I
ignore this, or set some kind of trap, or call the phone company and have
them trace the line, or what?

uucp      ttyd2                     Wed Jan 30 23:41 - 23:41  (00:00)
uucp      ttyd2                     Wed Jan 30 23:16 - 23:16  (00:00)
uucp      ttyd2                     Wed Jan 30 23:03 - 23:03  (00:00)
uucp      ttyd2                     Wed Jan 30 21:55 - 21:55  (00:00)
uucp      ttyd2                     Wed Jan 30 21:12 - 21:12  (00:00)
uucp      ttyd2                     Wed Jan 30 21:11 - 21:11  (00:00)
uucp      ttyd2                     Wed Jan 30 20:11 - 20:11  (00:00)
uucp      ttyd2                     Wed Jan 30 19:45 - 19:46  (00:00)
uucp      ttyd2                     Wed Jan 30 19:24 - 19:24  (00:00)
uucp      ttyd2                     Wed Jan 30 19:12 - 19:13  (00:00)
uucp      ttyd2                     Wed Jan 30 18:13 - 18:13  (00:00)
uucp      ttyd2                     Wed Jan 30 18:12 - 18:12  (00:00)
uucp      ttyd2                     Wed Jan 30 17:16 - 17:16  (00:00)
uucp      ttyd2                     Wed Jan 30 17:13 - 17:13  (00:00)
uucp      ttyd2                     Wed Jan 30 15:57 - 15:57  (00:00)
uucp      ttyd2                     Wed Jan 30 15:22 - 15:22  (00:00)
uucp      ttyd2                     Wed Jan 30 15:05 - 15:05  (00:00)
uucp      ttyd2                     Wed Jan 30 14:17 - 14:18  (00:00)
uucp      ttyd2                     Wed Jan 30 13:41 - 13:41  (00:00)
uucp      ttyd2                     Wed Jan 30 13:12 - 13:13  (00:00)
uucp      ttyd2                     Wed Jan 30 12:52 - 12:53  (00:00)
-- 
			Nico Garcia
			Designs by Geniuses for use by Idiots
			eplunix!cirl!raoul@eddie.mit.edu

fitz@wang.com (Tom Fitzgerald) (02/06/91)

> Checking our dialup lines for security problems, I've noticed that *someone*
> keeps calling us as uucp, something like 40 times a day.  We haven't been a
> uucp site for 3 years, at least, probably longer, and the old password is
> locked on our machine.

When you were a UUCP site, did you have different logins for each neighbor,
or the same login for all neighbors?  If the latter, you're screwed.  If
the former, you can watch for a "login <name>" process to be exec'd by
getty when the machine tries to get in.  The login process will last until
uucico (or login) times out.

I suppose you could try calling all your old neighbors, if you can remember
them, to find out if you're still in their Systems file.

---
Tom Fitzgerald   Wang Labs        fitz@wang.com
1-508-967-5278   Lowell MA, USA   ...!uunet!wang!fitz

wolfgang@wsrcc.com (Wolfgang S. Rupprecht) (02/08/91)

> Checking our dialup lines for security problems, I've noticed that *someone*
> keeps calling us as uucp, something like 40 times a day.  We haven't been a
> uucp site for 3 years, at least, probably longer, and the old password is
> locked on our machine.

Why not put the uucp's back for a day or two.  Just don't give them
any permission for reading/writing or executing anything.  Then check
the log files and see who it was.

-wolfgang
-- 
Wolfgang Rupprecht    wolfgang@wsrcc.com (or) uunet!wsrcc!wolfgang
Snail Mail Address:   Box 6524, Alexandria, VA 22306-0524

brando@uicsl.csl.uiuc.edu (Brandon Brown) (02/08/91)

wolfgang@wsrcc.com (Wolfgang S. Rupprecht) writes:

>> Checking our dialup lines for security problems, I've noticed that *someone*
>> keeps calling us as uucp, something like 40 times a day.  We haven't been a
>> uucp site for 3 years, at least, probably longer, and the old password is
>> locked on our machine.

>Why not put the uucp's back for a day or two.  Just don't give them
>any permission for reading/writing or executing anything.  Then check
>the log files and see who it was.

Also, I wouldn't pound the people too hard when you find out. Chances are,
if they are not charged for local calls, and the administrator is a "passive"
one, they could have restored an old backup and accidentally overwritten
the /usr/lib/uucp files. I have done it before....Problem is we DO get charge
for local calls, so after $100 was wasted....I learned the hard way!

+-----------------------------------------------------------------------------+
|  Brandon Brown                     | Internet: brando@uicsl.csl.uiuc.edu    |
|  Coordinated Science Laboratory    | UUCP:	 uiucuxc!addamax!brando!brown |
|  University of Illinois            | CompuServe: 73040,447                  |
|  Urbana, IL  61801                 | GEnie:    xmg23356, macbrando          |
+-----------------------------------------------------------------------------+

craig@attcan.UUCP (Craig Campbell) (02/09/91)

In article <b0efha.ba2@wang.com> fitz@wang.com (Tom Fitzgerald) writes:
>> Checking our dialup lines for security problems, I've noticed that *someone*
>> keeps calling us as uucp, something like 40 times a day.  We haven't been a
>> uucp site for 3 years, at least, probably longer, and the old password is
>> locked on our machine.

>When you were a UUCP site, did you have different logins for each neighbor,
>or the same login for all neighbors?  If the latter, you're screwed.  If
>the former, you can watch for a "login <name>" process to be exec'd by
>getty when the machine tries to get in.  The login process will last until
>uucico (or login) times out.

>I suppose you could try calling all your old neighbors, if you can remember
>them, to find out if you're still in their Systems file.

>---
>Tom Fitzgerald   Wang Labs        fitz@wang.com
>1-508-967-5278   Lowell MA, USA   ...!uunet!wang!fitz


Given the context of your posting, I will assume that you mean someone is 
trying to log in as nuucp.  (uucp is a valid login for a shell prompt.  If
someone is REALLY trying to log in as uucp, then you are experiencing an
attempt by someone to 'crack' your system.  At 40 calls a day, most likely an
automated attempt.)

If you are comfortable with the uucp setup, then why not open the nuucp account
and set the valid commands to an empty set.  Therefore, you should be able to
get a log file entry of the attempted communication, plus the calling machine's
identification.

Please, let me know how this turns out,

craig

P.S.  If this turns out to be a security problem, on some systems there is a 
     "dialup" password option that requires selected external connections
     to enter another dialup password.  If you want more info, I can provide
     same.

c.e.c.

clewis@ferret.ocunix.on.ca (Chris Lewis) (02/09/91)

In article <b0efha.ba2@wang.com> fitz@wang.com (Tom Fitzgerald) writes:
>> Checking our dialup lines for security problems, I've noticed that *someone*
>> keeps calling us as uucp, something like 40 times a day.  We haven't been a
>> uucp site for 3 years, at least, probably longer, and the old password is
>> locked on our machine.

>When you were a UUCP site, did you have different logins for each neighbor,
>or the same login for all neighbors?  If the latter, you're screwed.  If
>the former, you can watch for a "login <name>" process to be exec'd by
>getty when the machine tries to get in.  The login process will last until
>uucico (or login) times out.

Easier than that.  Even if they call you as "uucp".  Reenable your
uucp logins.  If you're a USERFILE uucp, replace the contents of USERFILE
with:

	, /tmp/thisisanimpossibleplace
	, /tmp/thisisanimpossibleplace

(some uucico's had a bug in that the last entry had to be duplicated
to work).  If an HDB site, replace the Permissions file with something
like (check your docs to make sure):

	LOGNAME=OTHER MACHINE=OTHER READ=/tmp/thisisanimpossibleplace \
	WRITE=/tmp/thisisanimpossibleplace SEND=no RECEIVE=no

And then move /usr/lib/uucp/uuxqt to somewhere else.

Then wait.  Your logs will fill with connections from the rogue dialer,
with the UUCP node name in the log file.  The rogue dialer won't be able to
do anything because you've explicitly prevented them from getting anywhere
that would be a problem (they won't know its name anyhow), and they couldn't
possibly execute anything either.  So, anything they attempt to do will be
met with permission denied or missing uuxqt.

Using the node name you get, you may be able to figure out where
it's coming from.  Chances are it's one of your neighbors that didn't
bother removing you from their sys file, and something ended up
enqueued to you.
-- 
Chris Lewis, Phone: (613) 832-0541, Internet: clewis@ferret.ocunix.on.ca
UUCP: uunet!mitel!cunews!latour!ecicrl!clewis
Moderator of the Ferret Mailing List (ferret-request@eci386)
Psroff enquiries: psroff-request@eci386, current patchlevel is *7*.

dce@smsc.sony.com (David Elliott) (02/14/91)

In article <13649@vpk3.UUCP>, craig@attcan.UUCP (Craig Campbell) writes:
|> Given the context of your posting, I will assume that you mean someone is 
|> trying to log in as nuucp.  (uucp is a valid login for a shell prompt.  If
|> someone is REALLY trying to log in as uucp, then you are experiencing an
|> attempt by someone to 'crack' your system.  At 40 calls a day, most likely an
|> automated attempt.)

The important context got lost here.

The original posting showed a listing from the "last" command
indicating that someone was logging in as uucp, when he was saying that
the uucp account was disabled.

From what I saw, it wasn't that someone was "trying" to log in, but
that someone *was* logging in.  This indicates (to me) that there is an
account with the same uid as uucp with a valid password, and that this
was still working.

I tried to reply to the original poster, but the mail bounced so I
ignored the problem.

--
...David Elliott
...dce@smsc.sony.com | ...!{uunet,mips}!sonyusa!dce
...(408)944-4073
..."His lower lip waved poutily with defiance..."