[comp.os.vms] **** Important Message

OMOND@EMBL.BITNET (Roy Omond) (08/04/87)

Fellow System Managers,

the hacker saga doth continue ...

Further to my "important message" of last week, I  have since discovered
that the patches done to LOGINOUT.EXE were even more lethal than I had
imagined.  Not only would it allow entry to any username with the magic
password, but it would also store (in 1's complement form) the valid
password of all users logging in since the patch was installed in the
12 bytes "reserved for customer use" in the UAF.  How many system managers
ever even look at these bytes, never mind spot the danger there ?

Well, they also distributed a small vanilla program to decypher these
bytes and, lo and behold, a list of username/password pairs with accounts
with (potentially) all privileges neatly marked with an asterisk.

So everyone who even suspects that something might be amiss, look very
closely at your UAF.  Look in particular at the 12 bytes from offset
1f6 (hex) in each record.  If you reverse the 1's complement on these
bytes and get something that looks like a password then ... :-(

(Users with passwords longer than 12 characters or those with 2 passwords
(like me) are relatively ok).

Yet another hacker name to surface is user DKL at Bitnet/EARN node
DHDMPI5 (the Max-Planck Institute for Atomic Physics, our neighbouring
institute in Heidelberg).  I don't know who the person is, but I hope
that he/she is condemned to working with IBM MVS for evermore.


Roy Omond
System Manager etc.
European Molecular Biology Laboratory,
Heidelberg, West Germany.