[7061] in Hotline Meeting
m11-113-4
daemon@ATHENA.MIT.EDU (acevedo@Athena.MIT.EDU)
Mon Dec 9 13:26:46 1991
From: acevedo@Athena.MIT.EDU
Date: Mon, 9 Dec 91 13:26:27 -0500
To: hotline@Athena.MIT.EDU
This workstation was hacked. All normally root-owned processes are
owned by MITTPA. Here's the /etc/passwd file:
MITTPA:!:0:0:MITTPA@MITTPL.MIT.GOV.FOO.BAR:/:/bin/csh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/usr/adm:
MITTPA:!:4294967294:4294967294:MITTPA:/mit/MITTPA@@MITTPL.MIT.GOV.FOO.BAR:/bin/csh
lpd:!:104:9:MITTPA:/mit/MITTPA@@MITTPL.MIT.GOV.FOO.BAR:/bin/csh
root:!:0:101:Wizard A Root,,,,:/tmp/root:/bin/csh
acevedo:!:2258:101:Gabriel,Raul,11-115,31923,3544518:/mit/acevedo:/afs/sipb/project/tcsh/tcsh
and here's ps aux:
(3) ~ [1:24pm]: ps aux
USER PID %CPU %MEM SZ RSS TT STAT TIME CMD
MITTPA 0 0.0% 47% 9336 7512 - S 0:02 swapper
MITTPA 1 0.1% 1% 160 128 - S 0:07 /etc/init
MITTPA 514 0.0% 0% 12 8 - R 78:41 kproc
MITTPA 771 0.0% 0% 20 20 - S 0:07 kproc
MITTPA 1028 0.0% 0% 20 20 - S 0:07 kproc
MITTPA 1285 0.0% 0% 16 8 - S 0:00 kproc
MITTPA 1637 0.0% 0% 16 8 - S 0:00 kproc
MITTPA 1985 0.0% 0% 88 28 - S 0:01 /etc/syncd 60
MITTPA 2264 0.0% 0% 236 8 - S 0:00 /etc/srcmstr
MITTPA 2633 0.0% 0% 16 8 - S 0:00 kproc
MITTPA 3267 0.0% 0% 240 8 - S 0:00 /usr/lib/errdemon
MITTPA 3504 0.0% 0% 112 8 - S 0:00 /etc/writesrv
MITTPA 3794 5.0% 10% 2212 1632 hft/0 S 0:09 X -n :0 c 0
MITTPA 4000 0.2% 0% 16 16 - S 0:13 kproc
acevedo 4345 0.0% 1% 112 128 pts/2 S 0:00 /usr/athena/lib/gnuemac
acevedo 5346 1.4% 4% 632 588 pts/0 S 0:02 -tcsh
MITTPA 5587 0.0% 0% 16 16 - S 0:00 kproc
MITTPA 5857 0.0% 1% 168 92 - S 0:00 /etc/syslogd
acevedo 5905 0.0% 1% 148 220 pts/3 R 0:00 ps aux
MITTPA 6376 0.0% 0% 136 8 - S 0:00 /usr/etc/portmap
MITTPA 6635 0.0% 1% 184 148 - S 0:00 /etc/inetd
MITTPA 6812 0.2% 1% 232 148 - S 0:11 /etc/athena/zhm
MITTPA 7153 0.0% 0% 136 8 - S 0:00 /usr/etc/biod 6
MITTPA 7410 0.0% 0% 104 8 - S 0:00 /usr/etc/biod 6
MITTPA 7667 0.0% 0% 112 8 - S 0:00 /usr/etc/biod 6
MITTPA 7924 0.0% 0% 120 8 - S 0:00 /usr/etc/biod 6
MITTPA 8181 0.0% 0% 128 8 - S 0:00 /usr/etc/biod 6
MITTPA 8439 0.0% 0% 136 8 - S 0:00 /usr/etc/biod 6
MITTPA 8696 0.0% 0% 152 8 - S 0:00 /usr/etc/rpc.statd
MITTPA 8954 0.0% 0% 164 8 - S 0:00 /usr/etc/rpc.lockd
MITTPA 9215 0.0% 1% 252 196 - S 0:02 /etc/athena/named
acevedo 9467 0.0% 4% 652 620 - S 0:00 /afs/athena/contrib/pot
MITTPA 9483 0.0% 0% 212 8 consol S 0:00 /etc/athena/afsd -noset
MITTPA 9740 0.0% 0% 224 8 consol S 0:00 /etc/athena/afsd -noset
MITTPA 9997 0.0% 0% 240 12 consol S 0:00 /etc/athena/afsd -noset
MITTPA 10254 0.0% 0% 252 12 consol S 0:00 /etc/athena/afsd -noset
MITTPA 10511 0.0% 0% 264 12 consol S 0:00 /etc/athena/afsd -noset
MITTPA 10768 0.0% 0% 276 12 consol S 0:00 /etc/athena/afsd -noset
MITTPA 11175 0.1% 1% 224 108 - S 0:03 /etc/cron
daemon 11477 0.0% 2% 216 252 - S 0:00 /etc/athena/console
acevedo 11734 0.6% 1% 96 156 pts/1 S 0:01 sh /etc/athena/login/Xs
MITTPA 12187 0.0% 0% 236 8 - S 0:00 /etc/snmpd
MITTPA 12441 0.0% 0% 132 16 - S 0:00 /etc/athena/timed
MITTPA 12709 0.0% 0% 204 8 hft/2 S 0:01 /etc/getty /dev/hft
MITTPA 13521 0.6% 0% 120 80 hft/0 S 0:01 /etc/athena/dm /etc/ath
acevedo 13793 0.0% 3% 560 484 pts/1 S 0:00 xterm
MITTPA 13997 0.0% 0% 132 8 - S 0:00 /etc/qdaemon
acevedo 15109 0.0% 4% 632 656 pts/3 S 0:00 -mit/sipb/@sys/tcsh
acevedo 16374 4.9% 12% 2020 2004 pts/0 S 0:06 emacs
acevedo 16651 0.0% 4% 612 644 pts/3 S 0:00 twm
(4) ~ [1:25pm]: >
I rebooted the machine; I don't know if that will fix things.
Raul
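Added example, not part of the original hotline message: a small /etc/passwd audit that flags the kinds of tampering visible in the report above (a second UID-0 login, a login listed twice, root's home moved under /tmp, a UID outside the signed 32-bit range). The sample input is the passwd file quoted in the message; the TRUSTED_ROOT_HOMES policy is an assumption of this example.

```python
# Added example, not from the original message: audit /etc/passwd for the
# tampering the hotline report shows. PASSWD_SAMPLE is the file quoted above.
PASSWD_SAMPLE = """\
MITTPA:!:0:0:MITTPA@MITTPL.MIT.GOV.FOO.BAR:/:/bin/csh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/usr/adm:
MITTPA:!:4294967294:4294967294:MITTPA:/mit/MITTPA@@MITTPL.MIT.GOV.FOO.BAR:/bin/csh
lpd:!:104:9:MITTPA:/mit/MITTPA@@MITTPL.MIT.GOV.FOO.BAR:/bin/csh
root:!:0:101:Wizard A Root,,,,:/tmp/root:/bin/csh
acevedo:!:2258:101:Gabriel,Raul,11-115,31923,3544518:/mit/acevedo:/afs/sipb/project/tcsh/tcsh
"""

TRUSTED_ROOT_HOMES = ("/", "/root")   # policy assumption for this example


def parse_passwd(text):
    """Return one dict per line: name, uid, gid, gecos, home, shell, line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:          # wrong field count: report it, don't skip it
            entries.append({"name": fields[0], "line": lineno, "malformed": True})
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid), "gecos": gecos,
                        "home": home, "shell": shell, "line": lineno, "malformed": False})
    return entries


def audit_passwd(text):
    """Return (code, line, detail) findings for the checks the report motivates."""
    findings, seen = [], set()
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(("malformed", e["line"], e["name"]))
            continue
        if e["name"] in seen:                      # same login listed twice
            findings.append(("duplicate-name", e["line"], e["name"]))
        seen.add(e["name"])
        if e["uid"] == 0 and e["name"] != "root":  # any extra UID-0 login is root
            findings.append(("uid0-not-root", e["line"], e["name"]))
        if e["name"] == "root" and e["home"] not in TRUSTED_ROOT_HOMES:
            findings.append(("root-home-moved", e["line"], e["home"]))
        if e["uid"] > 0x7FFFFFFF:                  # goes negative as a signed 32-bit int
            findings.append(("uid-out-of-range", e["line"], e["name"]))
    return findings
```

Run against the quoted file it reports four findings: the UID-0 MITTPA login on line 1, the duplicate MITTPA login and its out-of-range UID on line 6, and root's home of /tmp/root on line 8.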