From: CSBVAX::MRGATE!AWALKER@RED.RUTGERS.EDU@SMTP 21-SEP-1987 05:49
To: EVERHART
Subj: More bad news on EMBL break-in

From: "McMahon,Brian D"
To: SECURITY@RED.RUTGERS.EDU
Subject: More bad news on EMBL break-in
ReSent-Date: 20 Sep 87 22:09:56 EDT
ReSent-From: *Hobbit*
ReSent-To: Security: ;
ReSent-Message-ID: <12336258150.21.AWALKER@RED.RUTGERS.EDU>

Yesterday, I posted a message from the info-vax list to this board; at least, I *think* I posted it. I never actually saw it leave. Just in case, I'll repeat that before going on to the latest combat reports, and network loads be damned - this is serious.

In a message dated 31-Jul-1987, Roy Omond of the European Microbiology Lab in Heidelberg reported the following hair-raising story:

>Well, the well known patch to SECURESHR.EXE took a *long* time in coming
>to Europe. In fact, it took me several days to convince the local DEC
>people that there was a security loophole in VMS 4.5 ... *sigh*.
>Anyway, in the meantime, we got screwed around by German hackers
>(probably from the notorious Chaos Computer Club in Hamburg). Before I
>had the chance to install the patch, "they" managed to get in and did
>pretty well at covering their tracks. They patched two images, SHOW.EXE
>and LOGINOUT.EXE, so that a) they could login to *any* account with a certain
>password, which I'll not divulge, b) SYS$GW_IJOBCNT was decremented and
>c) that process would not show up in SHOW USERS. They have cost us a lot of
>real money by using our X.25 connection to login to several places all round
>the globe. I have done my best to notify per PSImail those VAX sites that
>were accessed from our hacked system. I pray (and pray and pray ...) that
>no other damage has been done, and that I'm not sitting on a time bomb.
>
>Anyway, the following information might help others to check if they have
>been tampered with:
>
>Use CHECKSUM to perform a checksum of LOGINOUT.EXE and SHOW.EXE as follows:
>
>    $ Check Sys$System:Loginout.Exe
>    $ Show Symbol Checksum$Checksum
>
>if you get the value 3490940838 then you're in trouble.
>
>    $ Check Sys$System:Show.Exe
>
>if you get 1598142435, then again you're in trouble.
>
>Now something I'm a bit unsure about whether I should publicise :
>
>Two persons with known connections with the Chaos Computer Club in Hamburg
>who I know have distributed the patches mentioned above (and in my opinion
>are to be considered along with the lowest dregs of society) I will name
>here :
>
>    Claus Traenkner (at our own outstation of the EMBL in Hamburg)
>and Stefan Weirauch (at the Univ. of Karlsruhe)
>
>in the hope that someone somewhere will a) be saved some hassle from them
>and b) might perform physical violence on them.
>
>Jeez, I'm scared ...
>
>Roy Omond

Pretty bad, already. But today, I found this cheery piece, dated 04-Aug-1987:

>Further to my "important message" of last week, I have since discovered
>that the patches done to LOGINOUT.EXE were even more lethal than I had
>imagined. Not only would it allow entry to any username with the magic
>password, but it would also store (in 1's complement form) the valid
>password of all users logging in since the patch was installed in the
>12 bytes "reserved for customer use" in the UAF. How many system managers
>ever even look at these bytes, never mind spot the danger there ?
>
>Well, they also distributed a small vanilla program to decipher these
>bytes and, lo and behold, a list of username/password pairs with accounts
>with (potentially) all privileges neatly marked with an asterisk.
>
>So everyone who even suspects that something might be amiss, look very
>closely at your UAF. Look in particular at the 12 bytes from offset
>1f6 (hex) in each record. If you reverse the 1's complement on these
>bytes and get something that looks like a password then ... :-(
>
>(Users with passwords longer than 12 characters or those with 2 passwords
>(like me) are relatively ok).
>
>Yet another hacker name to surface is user DKL at Bitnet/EARN node
>DHDMPI5 (the Max-Planck Institute for Atomic Physics, our neighbouring
>institute in Heidelberg). I don't know who the person is, but I hope
>that he/she is condemned to working with IBM MVS for evermore.

I will post to info-vax the suggestion that further developments be sent to this list, as well as to info-vax, by their originators, so you won't have to deal with me any more. I have a hunch this may not be over yet...

Brian McMahon, Grinnell College
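A defender's version of the UAF check Omond describes, as an added example that is not part of the original posting: it walks fixed-size SYSUAF records, takes the 12 "reserved for customer use" bytes at offset 1f6 hex, undoes the one's complement and flags any record whose field decodes to printable text. The record size, the assumption that untouched fields are zero-filled, and the sample records are constructed for the example and do not come from the posting.

```python
# Added example (not from the posting): heuristic scan of SYSUAF records for
# the tampered-LOGINOUT symptom. Real field layout beyond offset 1f6 (hex) and
# the record size are ASSUMED for the constructed sample.
CUSTOMER_OFFSET = 0x1F6   # offset named in the posting
CUSTOMER_LEN = 12         # "12 bytes reserved for customer use"
RECORD_SIZE = 1024        # ASSUMED record size for the constructed sample


def ones_complement(data: bytes) -> bytes:
    """Apply/undo one's complement byte-wise (it is its own inverse)."""
    return bytes(b ^ 0xFF for b in data)


def looks_like_password(field: bytes) -> bool:
    """True if the complemented field decodes to printable ASCII.

    An untouched field is assumed to be all zeros (or all 0xFF); either
    decodes to 0xFF/0x00 filler, which is stripped and never flagged.
    Trailing spaces are stripped too, in case the patch space-padded."""
    decoded = ones_complement(field).rstrip(b"\x00\xff ")
    if not decoded:
        return False
    return all(0x20 <= b < 0x7F for b in decoded)


def scan_uaf(uaf: bytes, record_size: int = RECORD_SIZE) -> list:
    """Return indexes of records whose customer bytes look like a password."""
    hits = []
    for i in range(len(uaf) // record_size):
        rec = uaf[i * record_size:(i + 1) * record_size]
        field = rec[CUSTOMER_OFFSET:CUSTOMER_OFFSET + CUSTOMER_LEN]
        if looks_like_password(field):
            hits.append(i)
    return hits


def make_record(customer_bytes: bytes) -> bytes:
    """Build a constructed zero-filled record carrying the given field."""
    rec = bytearray(RECORD_SIZE)
    padded = customer_bytes.ljust(CUSTOMER_LEN, b"\x00")
    rec[CUSTOMER_OFFSET:CUSTOMER_OFFSET + CUSTOMER_LEN] = padded
    return bytes(rec)


# Constructed sample: record 0 is clean, record 1 holds a complemented
# password of the kind the patched LOGINOUT.EXE was reported to store.
SAMPLE_UAF = make_record(b"") + make_record(ones_complement(b"HUNTER2"))

if __name__ == "__main__":
    print("suspicious records:", scan_uaf(SAMPLE_UAF))  # prints [1]
```

Only the record index is reported, so the check can be run and logged without echoing the recovered credentials; a hit means that user's password should be treated as exposed and changed.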