10.6 I'm Innocent, I Tell Ya!

The following case study concerns a SysAdmin who did not realize that he had two sets of crackers working independently and unknown to each other. Sometimes when a cracker says he only did some of the things you suspect him of, he is telling the truth. Since Jeff "caught his man," we got some breathing room!

In a large system, there might be more than one intruder operating independently.


Doug Merritt tells the story and these are his words.[2]

[2] Used with permission.

I was logged in as myself but running some covert set-UID programs, and saw Jeff Schriebmann logged in, so I ps'ed his terminal ID. My heart pounded as I saw what he was up to: running ps on my terminal ID!

Jeff Schriebmann was the innovative system administrator for UC Berkeley's Electrical Engineering and Computer Science Department's computers. Jeff made many early improvements to Version 6 UNIX to increase performance and security so that it would be more appropriate for supporting a large number of students.


He immediately wrote me and asked me to come up to his office. (We all feared Jeff and with good reason. He later managed to put our associate Michael in jail for a night.)

I was dead, caught in the act... except...

It turns out that when I had logged in, the timing of the password prompt and shell startup made me suspicious when combined with the fact that someone had logged out of that terminal 30 seconds before I logged in. (I had been waiting for a free terminal in the crowded room.)

So I looked around and quickly discovered that a "newbie" freshman had been logged onto that terminal 1 second before I had logged in; therefore it was a password stealer [login simulator]. So I fired up a set-UID root shell to investigate further (which is what Jeff spotted me doing), and had just found the newbie's file of hundreds of passwords that he had successfully stolen, just as Jeff wrote to me.

Thinking fast and deviously, I added root and the root password to the poor [chump]'s password stealer log file.

So when I went up to Jeff's office 60 seconds later, I was able to deny running set-UID programs and disclaim all knowledge except that I was pretty sure that account XYZ had been running a password stealer, and that Jeff ought to look into it. Jeff looked, and like me, immediately found the stolen password file now containing the root password. "See?" I said, "That explains it. He was running some root programs in the background after he logged off."

So I got away scot-free, and the newbie got in big trouble! No more than he deserved, of course. A password stealer: what an amateur. ;-)

I talked to him briefly some weeks later. He'd been scared straight, of course, but it was amusing how puzzled he was by what had happened. "I swear I never knew the root password!" Heh heh.

Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002, 260 pages.