[15433] in Hotline Meeting
HACKED WORKSTATION in W20
daemon@ATHENA.MIT.EDU (solo26@Athena.MIT.EDU)
Tue Apr 27 19:26:09 1993
From: solo26@Athena.MIT.EDU
Date: Tue, 27 Apr 93 19:26:02 -0400
To: hotline@Athena.MIT.EDU
I did a "mkserv clean" and had the user reboot; things seem to be okay now.
Information from OLC log follows.
-Keith M. Swartz
Information Systems CSS Consultant
----------------------------------------
Log Initiated for user Karl F. Leeser (hodgey@W20-575-59.MIT.EDU [0]).
[Tue 27-Apr-93 6:17pm]
Topic: accounts
Question:
there are two people other than me logged into this machine (standard
workstation). how does their presence affect my machine speed (i'm
compiling) or otherwise?
Machine info:
Processor: DECstation Maxine
Display : Color DS Maxine
Memory : 0x1295000 user; 0x1800000 (24 M) total
___________________________________________________________
--- Question grabbed by consultant solo26@NAVIGATOR.MIT.EDU [2].
[Tue 27-Apr-93 6:25pm]
*** Reply from consultant solo26@NAVIGATOR.MIT.EDU [2].
[Tue 27-Apr-93 6:25pm]
Hi Karl. It depends on what they're doing. The more
computationally-intensive things they're doing, the worse it can get.
I assume these people are there by your own permission, right? Otherwise,
you can just report them to me, and punt them yourself.
-Keith M. Swartz
Information Systems CSS Consultant
--- User hodgey read reply.
[Tue 27-Apr-93 6:26pm]
*** Reply from user hodgey@W20-575-59.MIT.EDU [0].
[Tue 27-Apr-93 6:27pm]
that's just it. they aren't here by 'my' permission.
*** Reply from user hodgey@W20-575-59.MIT.EDU [0].
[Tue 27-Apr-93 6:27pm]
how do i punt them.
?
*** Reply from consultant solo26@NAVIGATOR.MIT.EDU [2].
[Tue 27-Apr-93 6:28pm]
I'll take care of it.
The "root login" message is me...don't worry about it.
--- User hodgey read reply.
[Tue 27-Apr-93 6:28pm]
--- Comment by user solo26@NAVIGATOR.MIT.EDU [0].
[Tue 27-Apr-93 6:31pm]
Whew. It's 6:27pm --> f @w20-575-59
[w20-575-59.MIT.EDU]
Login    Name            TTY  Idle  When       Office
hodgey   Karl F. Leeser  qf   5:21  Tue 13:06  Chucky Bo-b NE43-920
hodgey   Karl F. Leeser  p0         Tue 13:06  Chucky Bo-b NE43-920
raymie   Raymie Stata    p1   8     Mon 16:45  NE43-534
raymie   Raymie Stata    p2   44    Mon 16:49  NE43-534
vgbose   Vanu G Bose     p3   53    Tue 17:21
vgbose   Vanu G Bose     p4   1     Tue 17:22
Punting raymie and vgbose, checking "last" logins, and
/etc/athena/rc.conf.
--- Private Comment by user solo26@NAVIGATOR.MIT.EDU [0].
[Tue 27-Apr-93 6:34pm]
w20-575-59# cd /etc/athena
w20-575-59# ls -l rc.conf
-rw-r--r-- 1 root 2489 Apr 21 14:49 rc.conf
w20-575-59# diff rc.conf /mit/solo26/real.rcconf
23c23
< PUBLIC=false; export PUBLIC # Public workstation?
---
> PUBLIC=true; export PUBLIC # Public workstation?
w20-575-59# last
...
sarmas ttyqf :0.0 Wed Apr 21 15:20 - 15:38 (00:17)
jchase ttyqf :0.0 Wed Apr 21 14:50 - 15:20 (00:30)
reboot ~ Wed Apr 21 14:47
trigeek ttyqf :0.0 Wed Apr 21 14:11 - crash (00:36)
trigeek ttyp1 :0.0 Wed Apr 21 13:47 - 14:10 (00:23)
ktmeow ttyqf :0.0 Wed Apr 21 13:15 - 13:45 (00:30)
Son of a bitch.
*** Reply from consultant solo26@NAVIGATOR.MIT.EDU [2].
[Tue 27-Apr-93 6:35pm]
Karl...the other users are gone, and nobody else will log in at the
moment. However, I have to repair the workstation and put it back to its
original state. This will take me a few minutes, and when I'm done, I
need to ask you to reboot the machine for me. I'll let you know, okay?
Thanks for bringing this to our attention.
--- User hodgey read reply.
[Tue 27-Apr-93 6:43pm]
*** Reply from consultant solo26@NAVIGATOR.MIT.EDU [2].
[Tue 27-Apr-93 6:46pm]
Okay, Karl. I'm done fixing the machine. Would you be able to take a few
minutes break, and reboot the machine? I can help you on how to do it, if
you don't know how...
--- User hodgey read reply.
[Tue 27-Apr-93 6:46pm]
*** Reply from user hodgey@W20-575-59.MIT.EDU [0].
[Tue 27-Apr-93 6:52pm]
ok. done. how were they able to log in?
*** Reply from consultant solo26@NAVIGATOR.MIT.EDU [2].
[Tue 27-Apr-93 6:53pm]
They ran a program that modified the machine, and made it into a
non-public machine. In doing so, it became access_on by default.
No longer.
Thanks for helping out...much appreciated!
--- User hodgey read reply.
[Tue 27-Apr-93 6:54pm]
*** Reply from user hodgey@W20-575-59.MIT.EDU [0].
[Tue 27-Apr-93 6:54pm]
why would they need that?
*** Reply from consultant solo26@NAVIGATOR.MIT.EDU [2].
[Tue 27-Apr-93 6:55pm]
Normally, if you type access_on to let someone log onto your machine, it
resets itself when you log out. By hacking the workstation, they made it
so it did not reset, thus always allowing them to log in.
Mind you, this is extremely extremely illegal. We're talking big trouble.
--- User hodgey read reply.
[Tue 27-Apr-93 6:56pm]
*** Reply from user hodgey@W20-575-59.MIT.EDU [0].
[Tue 27-Apr-93 6:56pm]
thanks.
--- User hodgey is done with question.
[Tue 27-Apr-93 6:56pm]
--- Resolved by solo26@NAVIGATOR.MIT.EDU.
[Tue 27-Apr-93 6:58pm]
--- Conversation terminated at Tue 27-Apr-93 6:58pm
--- Title: HACKED WORKSTATION
oaccounts [6278]: hodgey: HACKED WORKSTATION
*** End of Transaction ***