Part Two - more of the affidavit filed 2/14
On February 2, 1995, I was advised by Gross that a computer at The Well
(an internet provider), San Francisco, California, was compromised.
GROSS reported that the machine compromised at the Well was well.well.com
(aka well.sf.ca.us). The account used to gain access is called "dono."
The logged session contained many ftp transfers (ftp being a program
for moving files form [sic] one machine to another in either direction)
to the account "dono." The intruder had previously eliminated any other
traces of activity that would have similar logs.

In the home directory of the account "dono," there are several files
of an unusual nature. "Wietse" is a file of personal E-mail from
DAN FARMER to WIETSE VENEMA (two well known authorities in computer
security). The file "0108.gz" is a compressed file that contains copies
of credit card numbers from the Internet provider Netcom. The files
"newoki.tar.Z" and "okitsu.tar.Z" match files found at Loyola
University by Tom Reynolds that were confirmed to have been copied
from Tsutomu Shimomura's machine ariel.sdsc.edu. The remaining files
contain tools for breaking into computers (obtaining root access, e.g.
full access to the machine and all user data), tools for hiding the
intruder's tracks, electronic mail from several sources, and source
code which has not been identified yet.

Gross advised that the majority of activity in the "dono" account
originated from the machine teal.csn.org which belongs to the
Colorado Supernet (CSN) (an Internet provider). The session
documented on January 31, 1995, shows that the person using the
"dono" account had knowledge of the files taken from Shimomura's
machine and in one case the person in question renames one of the
files to a more memorable name.

Gross provided a copy of one full session from teal.csn.org wherein
the person logs in and uses the "newgrp" command which has been
replaced with a hacker version of newgrp that allows root access
(Superuser). The "zap2" program is then run to delete the
corresponding accounting records in the log files. The intruder
then goes to the "nascom" directory, looks at the files, renames
one of the files (indicating prior knowledge of their existence),
and then users [sic] the "last" command to make sure the accounting
log files are clean.

Gross also provided a detailed listing of the files in the nascom
directory. The files are copies of the originals taken form [sic]
Tsutomu Shimomura's machine ariel.sdsc.edu on December 25-26, 1994.
The files also match the copies found at Loyola University.