OMOND@EMBL.BITNET (Roy Omond) (07/31/87)
Fellow System Managers,

take heed of the following saga.

Well, the well known patch to SECURESHR.EXE took a *long* time in coming to Europe. In fact, it took me several days to convince the local DEC people that there was a security loophole in VMS 4.5 ... *sigh*.

Anyway, in the meantime, we got screwed around by German hackers (probably from the notorious Chaos Computer Club in Hamburg). Before I had the chance to install the patch, "they" managed to get in and did pretty well at covering their tracks. They patched two images, SHOW.EXE and LOGINOUT.EXE, so that

  a) they could login to *any* account with a certain password, which I'll not divulge,
  b) SYS$GW_IJOBCNT was decremented and
  c) that process would not show up in SHOW USERS.

They have cost us a lot of real money by using our X.25 connection to login to several places all round the globe. I have done my best to notify per PSImail those VAX sites that were accessed from our hacked system. I pray (and pray and pray ...) that no other damage has been done, and that I'm not sitting on a time bomb.

Anyway, the following information might help others to check if they have been tampered with:

Use CHECKSUM to perform a checksum of LOGINOUT.EXE and SHOW.EXE as follows:

    $ Check Sys$System:Loginout.Exe
    $ Show Symbol Checksum$Checksum

if you get the value 3490940838 then you're in trouble.

    $ Check Sys$System:Show.Exe

if you get 1598142435, then again you're in trouble.

Now something I'm a bit unsure about whether I should publicise :

Two persons with known connections with the Chaos Computer Club in Hamburg who I know have distributed the patches mentioned above (and in my opinion are to be considered along with the lowest dregs of society) I will name here :

    Claus Traenkner (at our own outstation of the EMBL in Hamburg)
and Stefan Weirauch (at the Univ. of Karlsruhe)

in the hope that someone somewhere will a) be saved some hassle from them and b) might perform physical violence on them.

Jeez, I'm scared ...

Roy Omond
System Manager etc.
European Molecular Biology Laboratory,
Heidelberg, West Germany.
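The two checks from Roy's posting, wrapped into one DCL command procedure so a system manager can run both in one go and get a clear verdict. This is an added example, not code from the original thread: the image names and the two checksum values are taken from the posting, while the procedure name, symbol names and message text are assumed.

```dcl
$! CHECK_HACKED_IMAGES.COM  (added example, not from the original posting)
$!
$! Runs CHECKSUM over LOGINOUT.EXE and SHOW.EXE and compares the result
$! with the two values reported for the trojaned images.  The file names
$! and the two values come from the posting; everything else is assumed.
$ SET NOON
$ trouble = 0
$!
$! Known-bad checksums are kept as strings: DCL integers are 32-bit signed,
$! and CHECKSUM defines CHECKSUM$CHECKSUM as a string symbol anyway.
$ bad_loginout = "3490940838"
$ bad_show     = "1598142435"
$!
$ CHECKSUM SYS$SYSTEM:LOGINOUT.EXE
$ IF CHECKSUM$CHECKSUM .EQS. bad_loginout
$ THEN
$     WRITE SYS$OUTPUT "*** LOGINOUT.EXE matches the checksum of the hacked image"
$     trouble = 1
$ ELSE
$     WRITE SYS$OUTPUT "LOGINOUT.EXE checksum ''CHECKSUM$CHECKSUM' (not the known-bad value)"
$ ENDIF
$!
$ CHECKSUM SYS$SYSTEM:SHOW.EXE
$ IF CHECKSUM$CHECKSUM .EQS. bad_show
$ THEN
$     WRITE SYS$OUTPUT "*** SHOW.EXE matches the checksum of the hacked image"
$     trouble = 1
$ ELSE
$     WRITE SYS$OUTPUT "SHOW.EXE checksum ''CHECKSUM$CHECKSUM' (not the known-bad value)"
$ ENDIF
$!
$ IF trouble THEN WRITE SYS$OUTPUT "One or both images match the trojaned versions - assume the system is compromised."
$ IF .NOT. trouble THEN WRITE SYS$OUTPUT "Neither image matches the published bad checksums."
$ EXIT
```

A clean result only says the images are not *these* two patched versions; a differently patched image would slip through. The stronger check is to compare each image's checksum with the value computed from the same image on the original distribution kit (or a known-clean system at the same VMS version and patch level), which catches any modification rather than one known one.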
u3369429@murdu.OZ (Michael Bednarek) (08/04/87)
In article <8708030937.AA27261@ucbvax.Berkeley.EDU> OMOND@EMBL.BITNET (Roy Omond) writes:
>Fellow System Managers,
>take heed of the following saga.
>[ ... ]
>Two persons with known connections with the Chaos Computer Club in Hamburg
>who I know have distributed the patches mentioned above (and in my opinion
>are to be considered along with the lowest dregs of society) I will name
>here :
>
>    Claus Traenkner (at our own outstation of the EMBL in Hamburg)
>and Stefan Weirauch (at the Univ. of Karlsruhe)

I knew I had seen this name before, and (using rn) the command ?weirauch?ra showed article <8707221338.AA29452@ucbvax.Berkeley.EDU> which is a patch to PHONE. The date was 21-Jul-1987.

In the light of Roy's experience you might want to examine the nature of that patch.

Michael Bednarek                    u3369429@{murdu.oz.au | ucsvc.dn.mu.oz.au}
Institute of Applied Economic       ...{UUNET.UU.NET | seismo.CSS.GOV}!munnari!
  and Social Research (IAESR)          {murdu.oz | ucsvc.dn.mu.oz}!u3369429
Melbourne University                mb@munnari.oz.au
Parkville 3052,                     Phone : +61 3 344 5744
AUSTRALIA                           "POST NO BILLS."
MCMAHON@GRIN1.BITNET ("McMahon,Brian D") (08/05/87)
Greetings all.

No, I don't have more bad news about aftershocks from the EMBL security violation to report, just this: Given the serious nature of the problem described by Roy Omond in his recent messages, I took the liberty of forwarding them along with Michael Bednarek's warning about the Weirauch PHONE patch to SECURITY@RED.RUTGERS.EDU - just in case. If the original senders had already done so, my apologies.

Being slightly paranoid by nature, I have a feeling this may not be the end of the affair. So, if (let's all hope not) anything else comes up, might I suggest that you post it to the security list as well as to info-vax.

Thanks.

Brian McMahon <MCMAHON@GRIN1.BITNET>
Grinnell College
Box 9-28
Grinnell, IA 50112

Disclaimer: "I know noth-ing, Herr Kommandant."
WEIRAUCH%iravcl@germany.CSNET ("Stefan Weirauch, IRA, Uni Karlsruhe") (08/29/87)
About two weeks ago I already sent the following message to the Info-Vax and Security lists. Due to unknown reasons, it was not distributed (at least, it did not find the way back to our site). Well, now, with an undesired delay, here are my...

[Start of original message]

...Remarks on the messages from Roy Omond (31-Jul) and Michael Bednarek (4-Aug), both sent to Info-Vax and forwarded to Security.

Just back from my summer holidays I have to notice some very strange statements in connection with my name.

Roy Omond wrote:

> Now something I'm a bit unsure about whether I should publicise :
>

He better should have given it more thought...

> Two persons with known connections with the Chaos Computer Club in Hamburg
> who I know have distributed the patches mentioned above (and in my opinion
> are to be considered along with the lowest dregs of society) I will name
                                     =======================

This is, in fact, a primitive insult, based on nothing but speculations.

> here :
>
>     Claus Traenkner (at our own outstation of the EMBL in Hamburg)
> and Stefan Weirauch (at the Univ. of Karlsruhe)
>
> in the hope that someone somewhere will a) be saved some hassle from them
> and b) might perform physical violence on them.
                   =========================

Well, just an instigation to perform violence.

To build an opinion about this way of writing a public message is left to the reader. However, as System/Security Manager I know very well those problems with hackers (see below). In case of detecting such a penetrator, I grab him and take further steps personally.

At my site no personal mail relative to those topics in Roy Omond's message reached me. Maybe that is not astonishing in the light of a message which is based on some vague information.

Michael Bednarek wrote:

> I knew I had seen this name before, and (using rn) the command ?weirauch?ra
> showed article <8707221338.AA29452@ucbvax.Berkeley.EDU> which is a patch
> to PHONE. The date was 21-Jul-1987.
>
> In the light of Roy's experience you might want to examine the nature of that
> patch.

Well, this comment fully deserves my agreement, because you will see how well written the Phone Patch is (of course, I mean the second, bugfixed version). But does it make sense to examine software distributed over the net only if there is someone railing at the creator? I think you always should very carefully examine such software performing modifications of the operating system. If you are not able to do this, for example because you have no micro-fiches, it is reasonable to wait for such modifications from DEC. I did not add such a hint to my PHONEPAT description, because I suppose we all think that way.

As I mentioned in my PHONEPAT message, there are many clever student users at our site, detecting bugs or undocumented features in VMS. I spend a lot of time in preventing them from successfully attacking the system. To do this efficiently I made my thoughts about the things a hacker might perform. Thus, I learned much, and hacked patches to parts of the system as a problem of system security (again affecting my nerves and time) are old for me; if they are new to you, don't accuse those people making their experiences with these aspects of security, but learn from them and be thankful!

Stefan Weirauch                    CSNET: WEIRAUCH%iravcl@germany.csnet
Informatik-Rechner-Abteilung       UUCP:  WEIRAUCH%iravcl%uka.uucp@unido.uucp
Universitaet Karlsruhe             PSI:   PSI%026245721042100::WEIRAUCH
D-7500 Karlsruhe 1
West Germany