[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Subject: UC Berkeley Sniffing incident
>Date: Fri, 7 Jan 94 14:43:20 -0500
>Posted-Date: Fri, 7 Jan 94 14:43:20 -0500
>To: uugp@isc.upenn.edu
>From: millar@pobox.upenn.edu (Dave Millar)
>Subject: UC Berkeley Sniffing incident
>Cc: curtis@pobox.upenn.edu
>
>UC Berkeley had an incident on New Year's Day where someone installed a "sniffer" on their machine without their knowledge. Two connections from Penn were logged (one from the terminal server, and another from a campus host), and administrators on those hosts were notified.
>
>Basically, what these programs do is monitor any connections (telnet, rlogin) on the subnet that the Berkeley machine was attached to, and capture IDs and passwords. Anyone who used telnet, rlogin, ftp, or any other internet services at Berkeley on 1/1/94 should minimally change their password, and should probably look at the security on their host as well since often, hackers will use the accounts and passwords that they obtain to install the same programs on subsequent hosts.
>
>If you choose to check your binaries, note that the Berkeley hackers modified checksums and "last modified" dates. To be certain your binaries are unchanged, you need to either do a binary comparison or do the System V sum command. The altered binaries at Berkeley were /usr/bin/ps and /usr/etc/in.telnetd.
>
>Dave
>
>>From: kazdan@math.upenn.edu
>>Posted-Date: Tue, 4 Jan 94 15:33:52 EST
>>Subject: passwords & Jan 1st UC Berkeley Network Security Incident (fwd)
>>To: millar@pobox.upenn.edu
>>Date: Tue, 4 Jan 94 15:33:52 EST
>>Cc: ira@cis.upenn.edu (Ira Winston)
>>Reply-To: Jerry L. Kazdan <kazdan@math.upenn.edu>
>>X-Mailer: ELM [version 2.3 PL11-upenn1.12]
>>
>>For your information. Last weekend crackers broke into the UC Berkeley network (see below). Apparently they were monitoring for passwords in rlogin and telnet sessions.
>>
>>Jerry Kazdan
>>--------------------------------------
>>>
>>>Around 9 PM, January 1st, we discovered an IST machine had been compromised by a cracker. The cracker had installed a network sniffing application, which recorded the first lines of all telnet, rlogin, and ftp connections, logging them for passwords.
>>>
>>>The application had apparently been running since 7 that morning, and had been monitoring the 128.32.155 and 128.32.136 subnets.
>>>
>>>The cracker modified /usr/bin/ps and /usr/etc/in.telnetd. The dates were changed on the programs, and checksums modified, so they looked almost indistinguishable from the original programs. The ps(1) program was modified to not list the network sniffing application, and in.telnetd(8) was modified to allow a backdoor. The way to distinguish the modified programs from the originals is either to do a binary comparison, or use the System V sum command, /usr/5bin/sum.
>>>
>>>We have since secured the machine, and notified the Computer Emergency Response Team (CERT).
>>>
>>>Your site was listed in the logs.
>>>
>>>Below is a list of usernames and machines from that log which are at your site. Please do not consider this an exhaustive list, as more passwords could have been compromised. We advise you at the minimum to change the passwords for those accounts and check the integrity of your system.
>>>
>>>...
>>>
>>>william robertson
>>>Data Communication & Networking Services
>>>University of California Berkeley
>>>rob@agate.berkeley.edu
>>>510/643-9837
>>
>Dave Millar
>University Information Security Officer
>University of Pennsylvania
>millar@pobox.upenn.edu
>(215) 898-2172
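The notices above say the replaced ps and in.telnetd still produced the expected checksums, and that only a binary comparison or the System V sum told them apart. The following is an added example, not code from either message, showing why that is: the old BSD `sum` is a 16-bit rotate-and-add, so a tampered file can be padded until it reports the original checksum, while a checksum the tamperer did not target, a byte-for-byte comparison (what cmp(1) does), and a cryptographic hash all still flag it. The checksum routines follow the classic BSD and System V `sum` algorithms (GNU coreutils keeps both as `sum -r` and `sum -s`); the "binaries" are constructed random bytes standing in for /usr/bin/ps, the 8-byte patch and 16-byte pad are illustrative, and the posts do not say how the Berkeley attackers matched their checksums.

```python
"""Why the old BSD `sum` output could stay unchanged on a tampered binary,
and which checks still catch the change.

Added example, not code from the original posts.  BSD `sum` is a 16-bit
rotate-and-add over the bytes with a 1 KiB block count; System V `sum`
(/usr/5bin/sum on the Berkeley hosts) is a ones'-complement fold of the byte
total with a 512-byte block count.  The sample "binary" is constructed bytes,
not the real ps or in.telnetd.
"""
import hashlib
import random


def bsd_state(state: int, data: bytes) -> int:
    """Feed data through the BSD rotate-and-add checksum, starting from state."""
    for b in data:
        state = ((state >> 1) + ((state & 1) << 15) + b) & 0xFFFF
    return state


def bsd_sum(data: bytes) -> tuple:
    """(checksum, 1 KiB blocks), as BSD `sum` / GNU `sum -r` print them."""
    return bsd_state(0, data), (len(data) + 1023) // 1024


def sysv_sum(data: bytes) -> tuple:
    """(checksum, 512-byte blocks), as System V `sum` / GNU `sum -s` print them."""
    s = sum(data)
    r = (s & 0xFFFF) + ((s & 0xFFFFFFFF) >> 16)
    return (r & 0xFFFF) + (r >> 16), (len(data) + 511) // 512


def forge_bsd_sum(tampered: bytes, pristine: bytes, pad_len: int = 16,
                  seed: int = 1, max_trials: int = 5_000_000) -> bytes:
    """Append pad bytes so that `tampered` reports the pristine BSD checksum.

    The checksum has only 65536 values, so a seeded random search over the
    trailing bytes succeeds after roughly 65536 trials.  The System V sum is
    also required to differ, purely so the demonstration is deterministic:
    a tamperer who never looked at it would keep it only by a 1-in-65536
    coincidence.  (Assumed technique; the posts do not describe the
    attackers' method.)
    """
    target = bsd_state(0, pristine)
    sysv_target = sysv_sum(pristine)[0]
    prefix = bsd_state(0, tampered)        # computed once; only the pad is re-fed
    rng = random.Random(seed)
    for _ in range(max_trials):
        pad = rng.getrandbits(8 * pad_len).to_bytes(pad_len, "big")
        if bsd_state(prefix, pad) == target:
            forged = tampered + pad
            if sysv_sum(forged)[0] != sysv_target:
                return forged
    raise RuntimeError("no checksum-preserving pad found")


def integrity_report(pristine: bytes, candidate: bytes) -> dict:
    """The checks the Berkeley notice contrasts, plus a cryptographic hash."""
    return {
        "bsd_sum_matches": bsd_sum(pristine) == bsd_sum(candidate),
        "sysv_sum_matches": sysv_sum(pristine) == sysv_sum(candidate),
        "binary_identical": pristine == candidate,          # what cmp(1) checks
        "sha256_matches": hashlib.sha256(pristine).digest()
                          == hashlib.sha256(candidate).digest(),
    }


def demo() -> dict:
    """Constructed stand-in for /usr/bin/ps: 3000 random bytes, an 8-byte patch
    in the middle, then a 16-byte pad chosen to keep the BSD checksum."""
    rng = random.Random(1994)
    pristine = rng.getrandbits(8 * 3000).to_bytes(3000, "big")
    patch = bytes(b ^ 0xFF for b in pristine[1500:1508])   # guaranteed to differ
    tampered = pristine[:1500] + patch + pristine[1508:]
    forged = forge_bsd_sum(tampered, pristine)
    # 3016 bytes still rounds to the same 3 blocks of 1 KiB as 3000, so the
    # block count printed next to the checksum does not give it away either.
    assert bsd_sum(forged) == bsd_sum(pristine)
    return integrity_report(pristine, forged)


if __name__ == "__main__":
    for check, same in demo().items():
        print(f"{check:18s} {'MATCH' if same else 'DIFFERS'}")
```

Running it prints MATCH for the BSD sum and DIFFERS for the other three. The caveat a practitioner should take from this is that the System V sum caught the Berkeley binaries only because it was not the checksum the attackers had targeted; it is just as small, and a tamperer who knows both will match both. The checks that cannot be gamed this way are the ones the notice puts first: a byte-for-byte comparison against a pristine copy kept off the suspect host, or, today, a cryptographic hash of that copy recorded before the compromise.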