[78] in Kerberos
Security breakin at Stanford.
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:23:27 1987
From miller%erlang.DEC@decwrl.DEC.COM Tue Sep 9 00:09:28 1986
Date: 08-Sep-1986 1707
From: miller%erlang.DEC@decwrl.DEC.COM (Steve Miller)
To: kerberos@athena.mit.edu (Distribution list @[MILLER]KERB)
Subject: Security breakin at Stanford.
From: ERLANG::RONSICKI "DTN 226-7551, LKG1-2/A19" 8-SEP-1986 15:07
To: FALCONE,DICKENS,WEITHMAN,MILLER,GLASER
Subj: Massive security problem at Stanford
To: everyone
From: reid (Brian Reid)
Date: 4 Sep 1986 2209-PDT (Thursday)
Cc:
Subject: computer security
This week there was a massive computer breakin at Stanford.
Virtually every Unix computer on the campus has been penetrated.
The intruders are clearly experts: they made changes to various system
programs, recompiled them, installed the recompiled versions, and reset
the "last-write" date of the changed programs.
Even as I send this message, one of the burglars is logged in to a
certain Vax over a dialup, editing the source for "login". The police
have been unable (legally or technically, I am not certain) to trace
the phone calls, and the system managers involved have chosen to
monitor the people's activities rather than terminate the accounts that
they are using.
The breakin pattern is to break into one machine, gain root permission
there, and then fan out from that machine using ".rhosts" and
"/etc/hosts.equiv" to take over accounts on other machines. The
burglars seem to have tremendous patience: Stanford folks stopped
counting at 50 machines penetrated.
It is just a matter of time until they expand from attacking Stanford
hosts to attacking hosts nearby on the network, i.e. DEC.
There are so many ways to break into Unix systems that it's somewhat of
a pointless exercise to try to keep all the holes plugged,
but if the system managers of DEC Palo Alto machines will contact me I
will explain how the breakins happened. I just checked saturn, decwrl,
magic, clark, and eros, and all of them have this security leak.
This would be a good time to check every machine to make sure that none
of the .rhosts files on them reference host names outside DEC.
Brian
