From owner-freebsd-security  Mon Jul 28 20:30:29 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id UAA02338
          for security-outgoing; Mon, 28 Jul 1997 20:30:29 -0700 (PDT)
Received: from destiny.erols.com (root@destiny.erols.com [207.96.73.65])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA02311
          for <security@FreeBSD.ORG>; Mon, 28 Jul 1997 20:30:15 -0700 (PDT)
Received: from destiny.erols.com (someone@destiny.erols.com [207.96.73.65]) by destiny.erols.com (8.8.6/8.6.12) with SMTP id XAA15006; Mon, 28 Jul 1997 23:29:44 -0400 (EDT)
Date: Mon, 28 Jul 1997 23:29:43 -0400 (EDT)
From: John Dowdal <jdowdal@destiny.erols.com>
To: Vincent Poy <vince@mail.MCESTATE.COM>
cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD 
In-Reply-To: <Pine.BSF.3.95.970728170156.3844H-100000@mail.MCESTATE.COM>
Message-ID: <Pine.BSF.3.95q.970728232310.14560I-100000@destiny.erols.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Forward this junk to abuse@erols.com, and try calling 703-321-8000, or
888-EROL-NET or 1-800-EROLS-PC [descreasing likeliness of helping].  If
you call, be extremely agressive about getting to a higher-level person.
Consider mentioning severe legal problems if they fail to fence in the
hacker.

Keep in mind that you only have a .signature with the erols account, so it
may be bogus.

John


On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:
> 
> =)> 	Well, because I connect to the system using telnet ;)  Also, this
> =)
> =)That proves absolutely nothing.  You think I can't hack a telnetd to
> =)provide multiple "services?"  Wake up, Vinnie! :-)
> 
> 	Ofcourse you could but you're not in the same type of hacking
> business this guy is in.  This is a log of a irc chat session.
> 
> 
> >From johnnyu@accessus.net Mon Jul 28 17:01:43 1997
> Date: Mon, 28 Jul 1997 18:38:32 -0500 (CDT)
> From: NoHackMe! <johnnyu@accessus.net>
> To: security@netcom.com
> Cc: vince@mcestate.com, mario1@primenet.com
> Subject: Logs (Gaianet.net)
> 
> Here is a log I just got from talking with theca the hacker!
> 
> Session Start: Mon Jul 28 18:16:14 1997
> [18:16] <TheCa> yeah
> [18:16] <TheCa> hi
> [18:16] <TheCa> wasup
> <JbHuNt> that was nice of you
> <JbHuNt> last night
> [18:16] <TheCa> what? pasting the root pass all over efnet?
> <JbHuNt> yea
> [18:16] <TheCa> so was icmp pinging me
> <JbHuNt> you shouldn't have hacked the machine
> [18:17] <TheCa> i was nice till that started
> <JbHuNt> aside from that the minor ping that you got was 
>   nothing
> <JbHuNt> you have created a HUGE DOS situation for the entire 
>   company
> [18:17] <TheCa> i'll show you all the pings i got
> [18:17] <TheCa> 1 sec.
> <JbHuNt> I don't care?
> [18:17] <TheCa> ok
> <JbHuNt> You were pinged
> <JbHuNt> why?
> [18:18] <TheCa> why am i causing a dos?
> [18:18] <TheCa> bring your machines back up
> <JbHuNt> well let's see you changed the root passwd
> <JbHuNt> handed it out
> [18:18] <TheCa> Jul 28 02:29:45 soma icmplog: ping from 
>   venus.GAIANET.NET
> [18:18] <TheCa> Jul 28 02:30:19 soma last message repeated 10 
>   times
> [18:18] <TheCa> Jul 28 02:31:20 soma last message repeated 18 
>   times
> [18:18] <TheCa> Jul 28 02:32:04 soma last message repeated 64 
>   times
> [18:18] <TheCa> Jul 28 02:38:52 soma last message repeated 31 
>   times
> [18:18] <TheCa> Jul 28 02:39:53 soma last message repeated 54 
>   times
> [18:18] <TheCa> Jul 28 02:40:54 soma last message repeated 60 
>   times
> [18:18] <TheCa> Jul 28 02:41:37 soma last message repeated 42 
>   times
> [18:18] <TheCa> i changed the root passwd to 'root'
> <JbHuNt> someone changed the inetd.conf and rebooted
> [18:18] <TheCa> yeah
> [18:18] <TheCa> i didn't do that
> <JbHuNt> so now all the machines are pretty much denying all 
>   hosts
> <JbHuNt> we don't care to much
> [18:19] <TheCa> one of the windows lusers who saw my paste
> <JbHuNt> as far as we're concerned your the cause of the 
>   problem
> [18:19] <TheCa> umm
> [18:19] <TheCa> why don't you fix the inetd.conf
> <JbHuNt> let's put it like this
> [18:19] <TheCa> instead of bitching about it
> <JbHuNt> that system is admin'd remotely
> <JbHuNt> that system is admin'd remotely
> [18:20] <TheCa> so NO one has physical access to the machine?
> <JbHuNt> your actions caused the main unix boxes on the lan
> <JbHuNt> not at the present time the owners are out of the 
>   country
> [18:20] <TheCa> so go drive over there or something and boot 
>   it up
> [18:20] <TheCa> i told you the root pass...
> <JbHuNt> anything I did to you was in an attempt to thwart 
>   your efforts to take control
> <JbHuNt> all of my feable efforts failed
> <JbHuNt> your a super leet spoof aren't you who's caching 
>   your dns
> [18:22] <TheCa> i'm caching it
> [18:22] <TheCa> on an authorative ns box i rooted
> <JbHuNt> Hmm that neet
> [18:23] <TheCa> yep
> <JbHuNt> That would explain why netcom security can't find 
>   you on the portmaster
> ________________________________________
> | TheCa (theca@wil-de7-10.ix.netcom.com)
> | name : No bodies ever knew...
> | serv : irc.pacbell.net
> 
> [18:24] <TheCa> tell netcom to change the !root pass on some 
>   of their portmasters
> [18:24] <TheCa> just to be umm safe
> [18:25] <TheCa> netcom has no security...it's a joke
> <JbHuNt> that's good
> [18:25] <TheCa> netcom shell security is great
> [18:25] <TheCa> ppp security == null
> [18:26] <TheCa> they've got the biggest REAL isp (not 
>   including aol, etc)...you think they can keep track or even 
>   try to keep track of everyone?
> [18:26] <TheCa> they have well over half a million users
> <JbHuNt> you think they can find you?
> <JbHuNt> you think they can find you?
> Session Close: Mon Jul 28 18:32:07 1997
> 
> [18:28] <TheCa_> Jul 28 19:28:14 soma pppd[16376]: Modem hangup
> [18:28] <TheCa_> Jul 28 19:28:14 soma pppd[16376]: Connection terminated.
> [18:28] <TheCa_> Jul 28 19:28:14 soma pppd[16376]: Exit.
> [18:29] <TheCa_> *clap clap*
> [18:29] <TheCa_> nice
> 
> [18:30] <TheCa_> i'll see if that netcom acct is still up
> <JbHuNt> he probably doesn't have the account
> (!) The time is now 6:30pm.
> [18:30] <TheCa_> something like "connect S0" or the port
> <JbHuNt> they just dumped the entire wilmington port
> [18:30] <TheCa_> ah
> [18:30] <TheCa_> heh
> [18:30] <TheCa_> that's stupid
> [18:30] <TheCa_> now there's no way they'll find me
> ________________________________________
> | TheCa_ (theca@phd-as15s15.erols.com)
> 
> That's it John basically he admits it and implies he has control over at
> least one of your portmasters and possibly one of your dns servers. This
> is a serious security issue for us and should be for you. If you have ANY
> contacts at erols.com please forward this to them and cc us if you would.
> 
> John Urschel
> Gaianet Unix Administrator
> 
> 
> 
> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET           ________   __ ____ 
> Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
> GaiaNet Corporation - M & C Estate                     / / / /  | /  | __] ]  
> Beverly Hills, California USA 90210                   / / / / / |/ / | __] ]
> HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
> 
> 
>