OMOND@EMBL.BITNET (Roy Omond) (08/04/87)
Fellow System Managers, the hacker saga doth continue ...

Further to my "important message" of last week, I have since discovered that the patches done to LOGINOUT.EXE were even more lethal than I had imagined. Not only would it allow entry to any username with the magic password, but it would also store (in 1's complement form) the valid password of all users logging in since the patch was installed in the 12 bytes "reserved for customer use" in the UAF. How many system managers ever even look at these bytes, never mind spot the danger there?

Well, they also distributed a small vanilla program to decipher these bytes and, lo and behold, a list of username/password pairs with accounts with (potentially) all privileges neatly marked with an asterisk.

So everyone who even suspects that something might be amiss, look very closely at your UAF. Look in particular at the 12 bytes from offset 1f6 (hex) in each record. If you reverse the 1's complement on these bytes and get something that looks like a password then ... :-( (Users with passwords longer than 12 characters or those with 2 passwords (like me) are relatively ok).

Yet another hacker name to surface is user DKL at Bitnet/EARN node DHDMPI5 (the Max-Planck Institute for Atomic Physics, our neighbouring institute in Heidelberg). I don't know who the person is, but I hope that he/she is condemned to working with IBM MVS for evermore.

Roy Omond
System Manager etc.
European Molecular Biology Laboratory,
Heidelberg, West Germany.
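
The check described in the message above, as an added example that is not part of the original post: it inverts the 12 bytes at offset 1f6 (hex) of each record and flags records where the result looks like a password. It assumes the UAF records have already been extracted as raw byte strings; the character set, padding and minimum length used by the heuristic, the function names and the sample records are all assumptions or constructed values.

```python
# Added example: scan UAF records for the tampering sign described in the post.
CUSTOMER_OFFSET = 0x1F6  # offset given in the post
CUSTOMER_LENGTH = 12     # the "reserved for customer use" bytes

# Assumption: a captured password is upper-case letters, digits, '$' or '_',
# optionally padded on the right with spaces or NULs.
PASSWORD_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_")
PADDING = b" \x00"


def ones_complement(data: bytes) -> bytes:
    """Invert every bit of every byte (1's complement is its own inverse)."""
    return bytes(b ^ 0xFF for b in data)


def customer_field(record: bytes) -> bytes:
    """Return the 12 customer bytes of one raw record."""
    end = CUSTOMER_OFFSET + CUSTOMER_LENGTH
    if len(record) < end:
        raise ValueError(f"record too short: {len(record)} < {end} bytes")
    return record[CUSTOMER_OFFSET:end]


def looks_like_password(decoded: bytes, min_len: int = 3) -> bool:
    """Heuristic: only password characters remain once padding is stripped."""
    text = decoded.rstrip(PADDING)
    return len(text) >= min_len and all(b in PASSWORD_CHARS for b in text)


def scan(records):
    """Return labels of records whose customer bytes decode to password-like
    text. The decoded value is deliberately not returned or printed."""
    return [label for label, record in records
            if looks_like_password(ones_complement(customer_field(record)))]


def make_record(field: bytes) -> bytes:
    """Constructed record: zero-filled up to the customer bytes."""
    return bytes(CUSTOMER_OFFSET) + field.ljust(CUSTOMER_LENGTH, b"\x00")


# Constructed sample data, not taken from any real UAF.
SAMPLE_RECORDS = [
    ("record-1", make_record(b"")),                               # untouched
    ("record-2", make_record(ones_complement(b"EXAMPLE$PW  "))),  # tampered
    ("record-3", make_record(bytes(range(1, 13)))),               # other use
]

if __name__ == "__main__":
    for label in scan(SAMPLE_RECORDS):
        print(f"{label}: customer bytes decode to password-like text")
```

A flagged record means the field deserves a manual look, not proof of tampering, since a site may use these bytes for its own data.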