[11384] in Hotline Meeting
Another hacked workstation?
daemon@ATHENA.MIT.EDU (Derrick Kong)
Thu Oct 22 16:31:48 1992
To: hotline@Athena.MIT.EDU
Date: Thu, 22 Oct 92 16:31:27 EDT
From: Derrick Kong <starflt@Athena.MIT.EDU>
Hi!
We just received an OLC question from a user about a hack on his
workstation. Could someone investigate and let us know what the deal
is?
Log Initiated for user Ashok Kris Popat (acpopat@BARKER-6-4.MIT.EDU [0]).
[Thu 22-Oct-92 3:59pm]
Topic: other
Question:
Hi,
How does one go about reporting a destructive hack? The following
incident happened to me a few minutes ago.
I logged in to barker-6-4.mit.edu. Shortly after I logged in,
an offensive (pornographic) image appeared on the screen. A few
moments later, a "button icon" appeared asking me if it was ok to
kill the window manager, mwm. All the while, I was working on something
unrelated to any of this. Then suddenly I got logged out (I saw "tickets
destroyed" in the console window, then it logged me out). I logged in
again as root, tried to figure out who was behind it. No damage was
done, but the point is, damage might have been done, and moreover the
image that flashed on the screen was extremely offensive.
I noticed that another "root" was logged in, and I also noticed a
running process "rlogin -l <blank space> pal9.mit.edu".
I fingered at pal9.mit.edu, and turned up aychen. I tried to establish
a talk connection, but aychen did not respond.
I then looked at the last people to log in to barker-6-4 via the "last"
command, and here's what I turned up:
acpopat   ttyqf    :0.0              Thu Oct 22 15:23   still logged in
root      ttyqf    :0.0              Thu Oct 22 15:02 - 15:23  (00:20)
root      ttyqf    :0.0              Thu Oct 22 15:01 - 15:02  (00:01)
root      ttyp5    M4-035-12.MIT.ED  Thu Oct 22 14:53 - 15:00  (00:06)
emboyd    ttyp5    M4-035-12.MIT.ED  Thu Oct 22 14:52 - 14:52  (00:00)
acpopat   ttyp0    :0.0              Thu Oct 22 14:49 - 15:00  (00:10)
root      ttyp1    PAL9.MIT.EDU      Thu Oct 22 14:40 - 15:06  (00:25)
troutman  ttyp3    BARKER-6-4.MIT.E  Thu Oct 22 14:37 - 14:38  (00:01)
(etc).
From this I deduced that either emboyd or aychen (on at pal9 at the time)
or both had something to do with this extremely moronic "hack." I also
noticed (by finger) that both these people live in the same living group.
Basically, I want to know if there is any way to find out exactly who did
this, and if so, I'd like to make sure that these people get educated that
what they did was seriously unethical and could have been extremely
destructive.
Obviously, I don't want to implicate aychen or emboyd before knowing more,
but I would very much like to see whoever was responsible get a talking to
from some authoritative figure.
Kris Popat
(by the way, when the "ok to kill mwm" thing appeared, I answered no (or
cancel). It appeared twice and I answered no both times. Then it logged
me out.)
Is there a special office to investigate events like this?
Kris
Machine info:
Processor: DECstation 5000/1xx
Display : Color or Grayscale DS5000
Memory : 0x19bb000 user; 0x2000000 (32 M) total
Derrick Kong
starflt@athena.mit.edu
Athena User Accounts