TENCATI@GPVAX.JPL.NASA.GOV (07/22/88)
Greetings,

I have a question, and an appeal for developers of VMS TCP/IP products if no answer is possible.

Is there a product, or a way under VMS to get the source address of a TCP/IP connection entered into the accounting files?

As many of you probably read in the papers, we were hit by a hacker about a month ago. This penetration was accomplished over the Internet. Unlike our SPAN connection which is DECnet, we have no way of "tracing" a connection once it is broken, because the TCP/IP product we are running is not part of VMS, and therefore does not communicate with VMS' accounting package. Under DECnet, after an interactive user logs out, I have a record showing the remote node and remote userid associated with the connection. Under TCP/IP, unless I am diligent and run NETSTAT, I have no way of tracing the connection. All accounting shows is a login on terminal NTY1 or XXA1, but no information about the IP address of the source node.

It seems to me that with a little cooperation between DEC and the vendors, a simple addition to LOGINOUT.EXE and/or the TELNET server would cause this information to be recorded, provided accounting was enabled. The benefits of having this information should be self evident.

Anybody have any constructive ideas on this subject?

Regards,
Ron Tencati
Jet Propulsion Laboratory
Pasadena, Ca.
TENCATI@VLSI.JPL.NASA.GOV
TENCATI@GPVAX.JPL.NASA.GOV
gkn@M5.SDSC.EDU (Gerard K. Newman) (07/24/88)
> From: TENCATI@gpvax.JPL.NASA.GOV
> Subject: TCP/IP and VMS
> Date: Fri, 22 Jul 88 09:51:06 PDT
>
> Is there a product, or a way under VMS to get the source address of a TCP/IP connection entered into the accounting files?

Ron:

What I did here was to run a program in SYS$SYLOGIN which pops into kernel mode and plugs CTL$T_NODEADDR with the remote IP address of the connection. Handily, CTL$T_NODEADDR is a counted string (believe it or not), and can accommodate a 4 byte IP address instead of the usual 3 byte DECnet address. While I'm in kernel mode I also create the job-wide logical names SYS$REM_NODE and SYS$REM_ID. A small patch to ACC.EXE allows it to display IP addresses in hex (but it has the side effect of displaying DECnet addresses the same way).

I run the SRI Multinet software here. I notice from your message header that you have the Excelan software; I can send you the code I use, but you'll have to change it somewhat to do whatever magic is necessary to fetch the IP address from an inbound terminal connection, as it is doubtless stored in a different place.

Regards,
gkn

----------------------------------------
Internet: GKN@SDS.SDSC.EDU
Bitnet:   GKN@SDSC
Span:     SDSC::GKN (27.1)
MFEnet:   GKN@SDS
USPS:     Gerard K. Newman
          San Diego Supercomputer Center
          P.O. Box 85608
          San Diego, CA 92138-5608
Phone:    619.534.5076
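An added example, not gkn's code (his is a kernel-mode VMS program run from SYS$SYLOGIN, which this thread does not reproduce) and not part of any DEC, SRI or Excelan product: the same idea expressed as a portable POSIX sh login hook. It assumes the remote address is available in an OpenSSH-style SSH_CONNECTION variable ("client_ip client_port server_ip server_port"), that accounting records go to a tab-separated file named by ACCT_LOG, and that the function names rem_node_from_conn, record_login, trace_tty and login_hook are hypothetical. REM_NODE plays the role of gkn's SYS$REM_NODE job logical, and trace_tty answers Ron's question after the connection is gone: which remote address was last logged in on a given terminal.

```sh
#!/bin/sh
# Added example: a portable analogue of the SYS$SYLOGIN hook described above.
# Assumptions (all hypothetical): OpenSSH sets SSH_CONNECTION for the session,
# ACCT_LOG is a writable accounting file, and sessions run this from the
# system-wide profile so that every network login is stamped with its source.

ACCT_LOG="${ACCT_LOG:-/tmp/remote_login_acct.log}"

# Extract the client address from an SSH_CONNECTION-style string
# ("client_ip client_port server_ip server_port"). Fails (prints nothing,
# returns 1) on an empty or malformed value so callers can record UNKNOWN
# rather than a blank field.
rem_node_from_conn() {
    conn="$1"
    [ -n "$conn" ] || return 1
    # shellcheck disable=SC2086  # word splitting is the point here
    set -- $conn
    [ $# -eq 4 ] || return 1
    printf '%s\n' "$1"
}

# Append one accounting record: UTC timestamp, username, terminal, remote
# address. Tab-separated so that addresses and names never collide with the
# delimiter. A fourth argument overrides the timestamp (used for testing).
record_login() {
    user="$1"; tty="$2"; remote="$3"
    ts="${4:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    printf '%s\t%s\t%s\t%s\n' "$ts" "$user" "$tty" "${remote:-UNKNOWN}" >> "$ACCT_LOG"
}

# Post-hoc tracing: print the remote address of the most recent login recorded
# on the given terminal name (e.g. NTY1). Returns 1 if the terminal never
# appears, so a script can tell "no record" from an address.
trace_tty() {
    awk -F'\t' -v tty="$1" '
        $3 == tty { last = $4 }
        END { if (last != "") print last; else exit 1 }
    ' "$ACCT_LOG"
}

# Login-time hook, the analogue of what gkn runs from SYS$SYLOGIN: resolve the
# remote address, export it for the rest of the session, and write the record.
login_hook() {
    REM_NODE="$(rem_node_from_conn "${SSH_CONNECTION:-}")" || REM_NODE="UNKNOWN"
    export REM_NODE
    record_login "${USER:-$(id -un)}" "$(tty 2>/dev/null || echo notty)" "$REM_NODE"
}
```

Sourced from the system profile, login_hook runs once per session; afterwards, `trace_tty NTY1` (or whatever the terminal name is on the system in question) gives the last source address seen on that terminal without having to have run NETSTAT while the connection was still up. Because the address is written at login time, the record survives the connection being torn down, which is exactly the gap Ron describes.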
SNJACOB@LSUVM.BITNET (Mike Jacobson) (07/25/88)
Could you please post the code for putting the source address into an accounting record that you told Ron Tencati about to INFO-VAX, or send me a copy as well?

Thanks in advance,
Mike Jacobson

Mike Jacobson
Networks Manager
System Network Computer Center
Louisiana State University
Phone: (504)388-1331
ARPAnet: JACOBSON%SNMRJ.SPAN@STAR.STANFORD.EDU
BITNET: SNJACOB@LSUVM