Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

What if this happened to you?

2 views
Skip to first unread message

Wayne A. Hogue II

unread,
Feb 20, 1995, 4:19:42 PM2/20/95
to
To all sysadmins:

What if my lound in your logs you find that someone tried 3 or 4 times
to telnet to your machine with bad username/password combonations. Then
they logged in via anonymous ftp and transfers your /etc/passwd and
/etc/group file.

Would you concider this hacking? If so what would you do?

--
Wayne A. Hogue II t...@trans.csuohio.edu
Network Manager, Cleveland State University Law Library

J B Senturia

unread,
Feb 20, 1995, 5:35:33 PM2/20/95
to
Wayne A. Hogue II (t...@trans.csuohio.edu) wrote:

: What if my lound in your logs you find that someone tried 3 or 4 times


: to telnet to your machine with bad username/password combonations. Then
: they logged in via anonymous ftp and transfers your /etc/passwd and
: /etc/group file.

How do they get to /etc/passwd as an anonymous ftp login?????
: Would you concider this hacking? If so what would you do?
I consider this poor planning on your part to have an anonymous
ftp that allows /etc/passwd and /etc/group files access. Have
you implemented /etc/shadow???? If not, consider the machine
has been compromised, reload it from trusted backup and implement
a better security policy.

--
Jerome B. Senturia | Internet: sent...@bio4.csuohio.edu
21st Sentury Consulting | Installation - Training - Administration
1534 Compton Road | Voice: (216)321-3602 Fax: Please Ask
Cleveland Hts, OH 44118 | "I didn't do it and I won't do it again."

Paul Ferguson

unread,
Feb 20, 1995, 7:45:15 PM2/20/95
to
Wayne A. Hogue II (t...@trans.csuohio.edu) wrote:

> What if my lound in your logs you find that someone tried 3 or 4 times
> to telnet to your machine with bad username/password combonations. Then
> they logged in via anonymous ftp and transfers your /etc/passwd and
> /etc/group file.

> Would you concider this hacking? If so what would you do?


No, I'd consider it poor system administration.

- paul

--
_______________________________________________________________________________
Paul Ferguson
US Sprint tel: 703.689.6828
Managed Network Engineering internet: pa...@hawk.sprintmrn.com
Reston, Virginia USA http://www.sprintmrn.com

Wayne A. Hogue II

unread,
Feb 21, 1995, 10:48:37 AM2/21/95
to
J B Senturia (sent...@bio4.csuohio.edu) wrote:

Well I should have given more information.

The machine was not compromized! The files accessed did not contain any
passwords or user info. It is the sequence of acts that concern me.

First he telneted to the machine and tried 3 uesr/password combonations.
Being unsuccessful in this he then ftped to the machine and transfered
the passwd and group files, which were only dummy files.

Stephen Potter

unread,
Feb 21, 1995, 3:53:07 PM2/21/95
to
In article <1995Feb20....@news.csuohio.edu> t...@trans.csuohio.edu (Wayne A. Hogue II) writes:
What if my lound in your logs you find that someone tried 3 or 4 times
to telnet to your machine with bad username/password combonations. Then
they logged in via anonymous ftp and transfers your /etc/passwd and
/etc/group file.

First I'd want to know what accounts/passwords they tried and then I'd want
to make sure it was the same person each time.

Would you concider this hacking?

Yes, I'd consider this hacking.


If so what would you do?

Fire the System Administrator for gross negligence of duty. What kind of
an idiot SA sets up an anonymous FTP site that has access to the real
/etc/password file?

After that, I'd reinstall from a trusted backup, make sure no one could get
the /etc/password file anymore, make everyone choose new passwords
(probably give them new account names just to be safe), and start looking
for a new SA to replace the one I just fired.

Steve
--
Stephen P Potter s...@vx.com Varimetrix Corporation
2350 Commerce Park Drive, Suite 4 Palm Bay, FL 32905
(407) 676-3222 CAD/CAM/CAE/Software

T. Stephen Eggleston

unread,
Feb 21, 1995, 4:56:35 PM2/21/95
to
On Mon, 20 Feb 1995, Wayne A. Hogue II wrote:

> To all sysadmins:
>
> What if my lound in your logs you find that someone tried 3 or 4 times
> to telnet to your machine with bad username/password combonations. Then
> they logged in via anonymous ftp and transfers your /etc/passwd and
> /etc/group file.
>
> Would you concider this hacking? If so what would you do?

Even if anon.ftp could get to these files (Which Any Hacker/Cracker Worth
His/Her salt could probably do,) since passwords are encrypted, and user
names easily guessed on most systems, I would not consider it a
MAJOR Threat.

I WOULD interpret it as a possible future threat, and assign extra system
watches & logs for a while, maybe there will be an attack using the newly
gained user names.

I WOULD Consider it CRacking, and take steps to follow up/prosecute.

I WOULD Advise users that it's time to change their password (just in-case)

I WOULD Pull a Full System Audit

T. Stephen Eggleston - CI$:72040,713 - Net:nua...@access.digex.net
Nuance Creative Group - Nuance Design - Nuance Data Systems
Nuance Productions - VideoLinx Communications - DigiColour, Inc,
Royal Publishing Group - http://www.access.digex.net/~nuance/

Michael S. Scheidell

unread,
Feb 21, 1995, 8:30:04 AM2/21/95
to
J B Senturia (sent...@bio4.csuohio.edu) wrote:
: Wayne A. Hogue II (t...@trans.csuohio.edu) wrote:

: : What if my lound in your logs you find that someone tried 3 or 4 times
: : to telnet to your machine with bad username/password combonations. Then
: : they logged in via anonymous ftp and transfers your /etc/passwd and
: : /etc/group file.

also, get/load/use tcp wrappers, get faq's on security from rtfm.mit.edu

I am emailing you faq on anon ftp

--
Michael S. Scheidell Florida Datamation, Inc.
<URL:mailto:sche...@fdma.com> (407) 241-2966
Distributors of QNX Real Time OS <URL:http://www.fdma.com/>
NOTICE: Opinions expressed here are not the opinions of employees!

Adam Twiss

unread,
Feb 21, 1995, 2:35:16 PM2/21/95
to
In article <1995Feb20.2...@news.csuohio.edu>,

J B Senturia <sent...@bio4.csuohio.edu> wrote:
>Wayne A. Hogue II (t...@trans.csuohio.edu) wrote:
>
>: What if my lound in your logs you find that someone tried 3 or 4 times
>: to telnet to your machine with bad username/password combonations. Then
>: they logged in via anonymous ftp and transfers your /etc/passwd and
>: /etc/group file.
>How do they get to /etc/passwd as an anonymous ftp login?????

The /etc/passwd and /etc/group you can get via anon ftp do not (or at
least should not) contain any (encrypted) passwords, or any ids other
then system accounts. There is no security threat in taking these.

>: Would you concider this hacking? If so what would you do?

I have had this happen to my machine. The person the other end is
probably just a naive and curious person. There is nothing they can
gain from looking at those files (provided they dont have write rights
to them).

>I consider this poor planning on your part to have an anonymous
>ftp that allows /etc/passwd and /etc/group files access. Have
>you implemented /etc/shadow????

As I said above - the files he will have downloaded (probably in
/home/ftp/etc are not the same as /etc/passwd and /etc/group. There
is very little information a potential hacker can gain from those
files, and it attracts obvious attention to themselves.

Adam


Michael S. Scheidell

unread,
Feb 21, 1995, 7:36:55 PM2/21/95
to
Wayne A. Hogue II (t...@trans.csuohio.edu) wrote:
: J B Senturia (sent...@bio4.csuohio.edu) wrote:
: : Wayne A. Hogue II (t...@trans.csuohio.edu) wrote:

: Well I should have given more information.

: The machine was not compromized! The files accessed did not contain any
: passwords or user info. It is the sequence of acts that concern me.

: First he telneted to the machine and tried 3 uesr/password combonations.
: Being unsuccessful in this he then ftped to the machine and transfered
: the passwd and group files, which were only dummy files.

install tcp wrapper, at least you will know if his ip and hostname don't
match.

contact sysadm at his site SOON! before logs are purged.

Ask him to have a talk with user, or blacklist site (filter packets) if
sysadmin doesn't want to help.

Wraith

unread,
Feb 22, 1995, 11:30:17 PM2/22/95
to
t...@trans.csuohio.edu (Wayne A. Hogue II) writes:
>What if my lound in your logs you find that someone tried 3 or 4 times
>to telnet to your machine with bad username/password combonations. Then
>they logged in via anonymous ftp and transfers your /etc/passwd and
>/etc/group file.

>Would you concider this hacking? If so what would you do?

No, I wouldn;t call it hacking, I would call it knowing a windows newbie
when I saw one! I would get a clue!


Greg Limes

unread,
Feb 25, 1995, 8:11:28 PM2/25/95
to
In article <Pine.SUN.3.91.950221...@access4.digex.net> "T. Stephen Eggleston" <nua...@access.digex.net> writes:

| > What if my lound in your logs you find that someone tried 3 or 4 times
| > to telnet to your machine with bad username/password combonations. Then
| > they logged in via anonymous ftp and transfers your /etc/passwd and
| > /etc/group file.

| I WOULD interpret it as a possible future threat, and assign extra system

| watches & logs for a while, maybe there will be an attack using the newly
| gained user names.
|
| I WOULD Consider it CRacking, and take steps to follow up/prosecute.
|
| I WOULD Advise users that it's time to change their password (just in-case)
|
| I WOULD Pull a Full System Audit

I WOULD make sure that the "passwd" and "group" files accessable from
within the anonymous FTP area had nothing of interest in
them. Anonymous FTP users have little need to know the list of
usernames on your machine (but having a couple in there can be useful
for outside folks to indentify authors of files); they have *NO* need
to know the contents of the encrypted password fields.

You didn't set ~ftp to "/" now did you?
--
-- Greg Limes li...@3do.com, li...@netcom.com
"Your reality check is in the E-mail"
Not speaking for my employer, of course
PGP key available on request

Alan Cox

unread,
Mar 1, 1995, 8:34:11 AM3/1/95
to
In article <1995Feb20....@news.csuohio.edu> t...@trans.csuohio.edu (Wayne A. Hogue II) writes:
>What if my lound in your logs you find that someone tried 3 or 4 times
>to telnet to your machine with bad username/password combonations. Then
>they logged in via anonymous ftp and transfers your /etc/passwd and
>/etc/group file.
>
>Would you concider this hacking? If so what would you do?

Cringe with embarrasment if my real /etc/passwd and group files were
available via anonymous ftp. Its probably worth bugging the admin for the
domain (see whois and look up the administrative contact) to file a moan. At
the very least they should keep an eye out.

Alan
--
..-----------,,----------------------------,,----------------------------,,
// Alan Cox // iia...@www.linux.org.uk // GW4PTS@GB7SWN.#45.GBR.EU //
``----------'`--[Anti Kibozing Signature]-'`----------------------------''
One two three: Kibo, Lawyer, Refugee :: Green card, Compaq come read me...

Cornelius Keck

unread,
Mar 1, 1995, 5:44:36 PM3/1/95
to
t...@trans.csuohio.edu (Wayne A. Hogue II) writes:

>To all sysadmins:

>What if my lound in your logs you find that someone tried 3 or 4 times
>to telnet to your machine with bad username/password combonations. Then
>they logged in via anonymous ftp and transfers your /etc/passwd and
>/etc/group file.

>Would you concider this hacking? If so what would you do?

(1) i'd consider that hacking.
(2) if encrypted passwords are stored in /etc/passwd, or in another
file, that was downloaded during the ftp-session in question, then
all passwords are no longer secure. there is a program called crack,
which (given enough time) is able to compute the original, non-
encrypted password.
(3) disable anon-ftp. if there is information you want to distribute,
make it accessible using gopher or www. if there are files you
want to distribute, set up a mailserver, or upload them to public
ftp-server. besides that, anon-ftp puts load on your line ;)
(4) get a copy of tcpwrapper. this package logs and restricts access
to your host to a well-defined list of hosts.

just my 0,02 dm.

cu, ck.

--
Cornelius "Captain Kernel" Keck vic...@toppoint.de

****** Never trust a user task! ******

J. R. Valverde (4423)

unread,
Mar 7, 1995, 5:18:48 AM3/7/95
to

In article <1995Mar1.2...@vicki.toppoint.de>, vic...@vicki.toppoint.de (Cornelius Keck) writes:
>Newsgroups: alt.security
>From: vic...@vicki.toppoint.de (Cornelius Keck)
>Subject: Re: What if this happened to you?

>
>t...@trans.csuohio.edu (Wayne A. Hogue II) writes:
>
>>To all sysadmins:
>
>>What if my lound in your logs you find that someone tried 3 or 4 times
>>to telnet to your machine with bad username/password combonations. Then
>>they logged in via anonymous ftp and transfers your /etc/passwd and
>>/etc/group file.
>
>>Would you concider this hacking? If so what would you do?
>
>(1) i'd consider that hacking.
>(2) if encrypted passwords are stored in /etc/passwd, or in another
> file, that was downloaded during the ftp-session in question, then
> all passwords are no longer secure. there is a program called crack,
> ... ... ...

May I suggest...

1) consider why someone could get the /etc/passwd file
by anon-ftp

2) if the sysadm is a student, underpaid, overloaded
with work, etc... like in most sites, threat to fire *the person
who contracted him/her or imposed the work conditions*. Note
that in that case the sysadm can't be blamed too much.

3) try to follow up the link and find who was the
caller or from where did s/he call. Contact the remote site.
You'd be surprised how many "crackers" are easy to locate this
way. And moreover, if he "cracked" a remote account, the less
you can do is advise the remote site if they have been intruded.

4) verify that users pick good passwords or there is
a good password policy: educate users, educate sysadms, educate
*above all* the "guy/s with the money", you know those illiterate
users that work 9-5 and decide what is spent and in what it is.

5) if nobody cares, tell the remote sysadm and don't care.
From my point of view, if your employer doesn't give a damn for
his/her security, you still have a liability to other sites, but
other than that, your employer is supposed to mind its businesses.
It's his/her/them choice. And maybe it was their kid and they
wanted him/her to play.

The single most important point is #1: if you have a
well configured anon-ftp, nobody should be able to get the
passwd file. If someone could, then your sysadm is not doing
his/her work. That could be actually because the employer
doesn't want them to do their work (e.g. a University that
uses a two or three "pre-grad" students part-time to handle almost
the whole campus -and I knew of some-, does not want a good
work done and is claiming for problems).

In any case you should keep netiquette, but if your
employer does not want the work done, it's *their* business.

And once more: with a well configured anon-ftp nobody
should get your /etc/passwd file. So in principle, there is no
such hurry in setting up tcpwrappers, firewalls, and all that
parafernalia. Teach your users and employers to be conscious,
and get a decent security policy established. That could prove
more than enough.

jr

--------
hey man, these opinions are mine and only mine. I saw them first!

Cyrille Lefevre

unread,
Mar 7, 1995, 2:53:56 PM3/7/95
to
I don't know why ? I was anable to reply to this post !!!
so I have made a new post :+(

In article <D52FB...@ebi.ac.uk> j...@ebi.ac.uk (J. R. Valverde (4423)) writes:

: In article <1995Mar1.2...@vicki.toppoint.de>,
: vic...@vicki.toppoint.de (Cornelius Keck) writes:
: >


: >t...@trans.csuohio.edu (Wayne A. Hogue II) writes:
: >
: >>To all sysadmins:
: >
: >>What if my lound in your logs you find that someone tried 3 or 4 times
: >>to telnet to your machine with bad username/password combonations. Then
: >>they logged in via anonymous ftp and transfers your /etc/passwd and
: >>/etc/group file.
: >
: >>Would you concider this hacking? If so what would you do?
: >
: >(1) i'd consider that hacking.
: >(2) if encrypted passwords are stored in /etc/passwd, or in another
: > file, that was downloaded during the ftp-session in question, then
: > all passwords are no longer secure. there is a program called crack,
: > ... ... ...

:
: 3) try to follow up the link and find who was the


: caller or from where did s/he call. Contact the remote site.
: You'd be surprised how many "crackers" are easy to locate this
: way. And moreover, if he "cracked" a remote account, the less
: you can do is advise the remote site if they have been intruded.

to help you to do this way is to configure tcp-wrapper
which may be configured to attempt who is doing what
on the other side using finger, netstat or everything
else you want.

--
The above opinions are all my own work, and do not represent those of EDF
_____________________________________ _____________________________________
/ \/ \
| Electricite De France | Cyrille...@ici.der.edf.fr |
| Direction des Etudes & Recherches | |
| 1, Avenue du General de Gaulle | Phone: +33 (1) 47 65 30 58 |
| 92141 Clamart Cedex - France | Fax: +33 (1) 47 65 30 01 |
\_____________________________________/\_____________________________________/

J. R. Valverde (4423)

unread,
Mar 9, 1995, 5:19:47 AM3/9/95
to

In article <CYRIL.95M...@cli53wy.der.edf.fr>, cy...@cli53wy.der.edf.fr (Cyrille Lefevre) writes:
>From: cy...@cli53wy.der.edf.fr (Cyrille Lefevre)

>
> I don't know why ? I was anable to reply to this post !!!
> so I have made a new post :+(
>
>In article <D52FB...@ebi.ac.uk> j...@ebi.ac.uk (J. R. Valverde (4423)) writes:
>
Sorry, our BIND a failure in our router disconnected
temporarily our mail server, and most probably your reply
tried to come during that period (it was shortly after my
post).

Please accept my _public_ apologies (since the "offense"
was -to some extent- public).

jr

0 new messages